LinuxQuestions.org
Old 07-21-2003, 02:12 AM   #1
vvandam
Member
 
Registered: Jul 2003
Location: South Africa
Distribution: RedHat 9
Posts: 34

Rep: Reputation: 15
Single Sign-On help


Hi to all.


I would like to set up Linux to use a Single Sign-On authentication process for all areas where authentication is used. I do not want to maintain 2+ user and password databases for my authentication.

I need to know what is recommended for a Single Sign-On for say... Apache, Squid, SAMBA, and Linux itself?

Thanx guys and gals

 
Old 07-21-2003, 02:41 AM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
"I would like to set up Linux to use a Single Sign-On authentication process for all areas where authentication is used. I do not want to maintain 2+ user and password databases for my authentication."

Single sign on means that you maintain a password database that grants access to applications/processes that the single sign on is privileged to access.

If you don't want to maintain the database, then you can't do single sign on for very long. If you were to maintain the database/server then you would be using LDAP as an authentication point. If you are in a Windows environment, you would set up Samba/LDAP authentication to the PDC (your Linux box).

Samba/CIFS is the LAN protocol used for filesharing with Windows machines. LDAP is what controls access privileges, similar to Active Directory for Windows. Apache is what serves web pages. Squid is what caches web pages to conserve bandwidth and filter content. The only relation between them would be Webmin administration. Other than that, they have nothing to do with each other.
 
Old 07-21-2003, 02:52 AM   #3
vvandam
Member
 
Registered: Jul 2003
Location: South Africa
Distribution: RedHat 9
Posts: 34

Original Poster
Rep: Reputation: 15
Ok. Would I still need to create two users when I create a user for Samba?

This is what I want to prevent. I want to create one user and password that will be able to access my Linux server, connect to my Samba shares, use my Squid authentication onto the internet and authenticate to Apache for access to certain web content in a local intranet web site.

I need to create one user account per user in the company.
 
Old 07-21-2003, 03:16 AM   #4
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
You can use PAM, which is the standard Linux MD5 shadow password file. Just adduser MonkeyHo.

Samba can use PAM to authenticate users. You can set the same username and password for squid authentication if you wish.

Squid can also use PAM, but you would need to configure the proxy port number for each station. Unless you don't bother with authentication and do transparent squid proxy caching (it doesn't hurt anything to cache). Squid routing is controlled by routing ipness, not by a login name. You have to specify which class C or IP gets to have the internet by IP only.

And if you want to authenticate to a web page, you can surely do that, again with PAM. I don't know why you would want to do that, but that's your business.

And so, you can have your user login to a web page/samba/PAM with the same password as they all use PAM. The routing of internet web pages is not, though, controlled by login, but by location (IP). The iptables/shorewall configuration on your proxy server/firewall cannot be dynamically configured depending on who logs into a client box that has nothing to do with it. That's not what proxy servers do.

You can set up rules for authentication to proxy, but that again is done by location since you have to type the l/p into every browser you want to give access to. And so it's a moot issue since you can just block their IP or Class.
 
Old 07-21-2003, 03:40 AM   #5
vvandam
Member
 
Registered: Jul 2003
Location: South Africa
Distribution: RedHat 9
Posts: 34

Original Poster
Rep: Reputation: 15
You said 'Just adduser MonkeyHo'

Is that an example?
 
Old 07-21-2003, 03:58 AM   #6
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
Yes, as root pick a name.. user, for instance

adduser user

This can also be done via linuxconf or webmin or whathaveyou.
 
Old 07-21-2003, 06:23 AM   #7
davee
Member
 
Registered: Oct 2002
Location: Ayrshire, Scotland
Distribution: Suse(home) RHEL (Work)
Posts: 263

Rep: Reputation: 30
For samba, connecting to a remote (NT) server, does this mean that the entry in the fstab doesn't need a password defined if the user is a legitimate logged on Linux username?

eg:

//server/share /mnt/share smbfs auto,username=user 0 0

rather than:

//server/share /mnt/share smbfs auto,username=user,password=password 0 0

Dave
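The two fstab forms in the post above differ only in whether a password sits in the options field of a file that is normally world-readable. As an added example (not part of the thread), this Python check scans fstab text and reports SMB mounts that carry an inline password= option; the function name, the sample text and the set of filesystem types are assumptions made for illustration.

```python
# Added example: flag SMB mounts in fstab text that embed a password.
# Names and sample data are hypothetical; only the password= key shown
# in the post is checked.

SMB_FSTYPES = {"smbfs", "cifs"}  # filesystem types treated as SMB mounts


def find_inline_smb_passwords(fstab_text):
    """Return [(line_no, mount_point, username)] for SMB entries whose
    options field contains a non-empty password= value. The password
    itself is never returned, so the report is safe to log."""
    findings = []
    for line_no, raw in enumerate(fstab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        fields = line.split()
        if len(fields) < 4:
            continue  # not a complete fstab entry
        _device, mount_point, fstype, options = fields[:4]
        if fstype.lower() not in SMB_FSTYPES:
            continue
        opts = {}
        for opt in options.split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        if opts.get("password"):
            findings.append((line_no, mount_point, opts.get("username", "")))
    return findings


# Constructed sample built from the two entry forms quoted in the post.
SAMPLE_FSTAB = """\
# constructed sample
/dev/hda1 / ext3 defaults 1 1
//server/share /mnt/share smbfs auto,username=user 0 0
//server/share /mnt/share2 smbfs auto,username=user,password=password 0 0
"""

if __name__ == "__main__":
    for line_no, mount_point, username in find_inline_smb_passwords(SAMPLE_FSTAB):
        print(f"line {line_no}: {mount_point} stores a password for '{username}'")
```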
 
  


All times are GMT -5.