LinuxQuestions.org


nickowen 03-06-2009 11:18 AM

SSO for SSH and apache and/or tomcat
 
Greetings:

I'm looking for an SSO solution that would allow a user to log in to a webpage/webapp and ssh. This might not be possible, but I thought I would throw it out there and get some ideas. It seems like most SSO systems use a browser cookie, which would be problematic with ssh.

Nick

billymayday 03-06-2009 01:54 PM

I don't know about Tomcat, but ssh and apache can both use ldap for authentication.

rweaver 03-06-2009 02:10 PM

Quote:

Originally Posted by nickowen (Post 3467059)
Greetings:

I'm looking for an SSO solution that would allow a user to log in to a webpage/webapp and ssh. This might not be possible, but I thought I would throw it out there and get some ideas. It seems like most SSO systems use a browser cookie, which would be problematic with ssh.

Nick

There are a lot of ways to implement single sign-on; however, I think the previous poster's recommendation of ldap is a solid one, and it also enables you to have logins for smtp/pop/imap use the same authentication.

Typically ldap takes a bit more time to set up initially, but once it's running and you have your applications authenticating off of it, you gain that time back in ease of maintenance.

Most services now can authenticate off of ldap directly or by and by off of pam/nss which can authenticate off of ldap.

Another advantage, if you've got some in-house programmers, is that you can even modify most cms packages to authenticate off ldap relatively easily... and some cms/portals already have authentication through ldap built in.

nickowen 03-06-2009 02:30 PM

Quote:

Originally Posted by rweaver (Post 3467211)
There are a lot of ways to implement single sign-on; however, I think the previous poster's recommendation of ldap is a solid one, and it also enables you to have logins for smtp/pop/imap use the same authentication.

Typically ldap takes a bit more time to set up initially, but once it's running and you have your applications authenticating off of it, you gain that time back in ease of maintenance.

Most services now can authenticate off of ldap directly or by and by off of pam/nss which can authenticate off of ldap.

Another advantage, if you've got some in-house programmers, is that you can even modify most cms packages to authenticate off ldap relatively easily... and some cms/portals already have authentication through ldap built in.

Right, but what I'm really looking for is the ability to sign on once. Not to use the same password. We have a one-time password system. I would like to be able to log in centrally to a web interface and not be prompted for a password for SSH. Seems unlikely, the more I think about it.

chort 03-06-2009 08:38 PM

You can integrate SSO with a lot of applications, but you'd need to write support into OpenSSH to do this. I highly doubt it's possible with the current code. As you said, SSO is generally implemented with cookies.

billymayday 03-06-2009 08:44 PM

Here's an SSH howto http://www.linuxquestions.org/blog/s...ver-setup-919/

