
Re: centralized user management



> NIS would be the simplest choice in your situation. Put all your
> accounts on one machine, and have it serve out passwd, shadow, and
> group maps to the others. Not at all secure if you don't trust your
> users, but for a home network it should be fine. LDAP would be the more
> professional way to handle it, and be more interoperable with Windows
> machines, but as you've seen is non-trivial to set up. If you want more
> security than NIS, or just want to play around with it, Kerberos is
> relatively easy to set up. For Kerb login authentication, just use NIS
> to get passwd and group maps (not shadow maps), and replace /bin/login
> with /usr/sbin/login.krb5. Check out the "How to Kerberize your site"
> link from the Kerb home page for a good HOWTO.

The problem with the 'kerberize your site' howtos is that they address using Kerberos for certain services, but never mention how to turn it on for an ssh connection or even local logins. I've just recently looked through the sshd_config man page and think I know how to enable kerb for ssh logins, but still don't really know how to turn it on for local login auth. The howto says to turn on several daemons in inetd.conf without explaining or even briefly mentioning why I should turn each one on (which seems very un-openbsdish to me). I'm not a super paranoid type but I don't like turning services on if I don't know what the hell they do. I think I would want to uncomment kauthd for local kerb authentication and will have to read up on if that does what I think it does.


I will however look into NIS because several people have suggested it. I was trying to stay away from NIS or YP because of security reasons, but I might as well look into them just to be more aware of exactly what they do. I'd rather spend more time doing it The Right Way rather than just some old method that no one trusts anymore.

Matt




