LinuxQuestions.org
Old 11-25-2011, 08:48 AM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slack(64|32)_v(13.37|14.0), debian6, ubuntu
Posts: 630

Rep: Reputation: 36
Questions about authentication/authorization server software


Hello everyone,
I'm trying to piece things together as to what can be accomplished, and how, with the following software:

passwd files
pam
nss
ldap
radius
kerberos
... anything else


I have learned some things by reading several tutorials/guides etc. on the internet, but they are still mixed up in my head. Correct me if I'm wrong:

- If using PAM, you no longer use the passwd file to check user credentials on a Unix system. PAM gives some authorization abilities as well (like a user can be allowed to access FTP, but not get a login shell)?
- NSS is a DB to store passwords and user info. LDAP has the same scope as NSS: it can store passwords and other user info as well (like what?).
- Kerberos can store passwords. As such it can also be used instead of passwd files, so a user accessing a Unix machine through SSH (or locally) can be authenticated by Kerberos instead of the local passwd file. PAM isn't necessary (especially for the SSH case), but can it be the middle man? E.g. the SSH server tries to authenticate through PAM and PAM has a Kerberos module installed? Overall it stores passwords on a separate machine and gives tickets to access other servers running other services (but how will the other servers understand these tickets? Are the servers connected to the Kerberos server too?).
- RADIUS: I'm very mixed up with RADIUS. It's used by ISPs to allow users to dial in and authenticate. It provides authorization too. So can it be used instead of PAM?

For example, say I have some protected services to run: OpenVPN, FTP, some wifi network, Samba, a proxy server, SSH (to have users access some workstations and work on them, not administer them).

How can it all be connected together, so that I create a user and decide what services they can access from a central point, and do it only once?

I know that:

- PAM can be connected to LDAP, so LDAP can do authentication. But who ends up doing authorization?
- OpenVPN can check passwords through PAM.
- Say the wifi access point can validate users from a DB (perhaps from a RADIUS server???) and not just against a locally stored SSID passphrase.
- Samba is probably able to check passwords in a number of ways
-- e.g. through LDAP and/or Kerberos?
- SSH server: it can use local files and I've seen options for Kerberos. But can it use PAM?
- RADIUS can connect to LDAP too.


Is it possible to do something like this:

Have passwords in Kerberos or LDAP (is MySQL possible/useful/used too?), connect PAM to LDAP (through the pam_ldap module), and have all services check LDAP or PAM directly for passwords.
Obviously local access to machines should still be available.
Can RADIUS be used somewhere in line with the above? Is there a reason to do that? For example, to allow a user to run some services and not others?

Wifi users: can they somehow provide the same username/password to connect to the corporate wifi network and have access to their Samba shares as if they were sitting at their desktops in the office?
The same users will connect through OpenVPN when they are away. Is it possible for them to have access to their shares and other resources?

Finally, can I have something similar to Samba's roaming profiles? Basically, can users use the same passwords whether they connect from a Windows workstation, or a Unix one, or from their personal laptops over the wifi, or from away through OpenVPN? (And still only create the users once, in one database?)

thank you for reading this long post
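As an added illustration (not part of the original post or of any project's code), the Python below models how a PAM stack keeps authentication (the `auth` group) separate from per-service authorization (the `account` group): a `sufficient` local-password check so local logins keep working, a `required` directory check, and an access rule that decides which authenticated users may use which service. The password tables and the access policy are constructed sample data, and `pam_unix`, `pam_ldap` and `pam_access` are toy stand-ins named after the real modules, not the real ones.

```python
# Added example (not from the thread): a toy model of how a PAM stack keeps
# authentication (auth group) separate from authorization (account group).
# Real PAM is a C library; only the control-flag semantics are modelled here.

# Constructed stand-ins for an LDAP directory and for /etc/shadow.
LDAP_PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}
LOCAL_PASSWORDS = {"root": "toor"}

# Constructed policy in the spirit of pam_access/pam_listfile: which users
# may use which PAM service name. Authenticating alone does not grant this.
SERVICE_ACCESS = {"sshd": {"alice"}, "ftp": {"alice", "bob"},
                  "login": {"root", "alice", "bob"}}

def pam_unix(service, user, password):
    return LOCAL_PASSWORDS.get(user) == password

def pam_ldap(service, user, password):
    return LDAP_PASSWORDS.get(user) == password

def pam_access(service, user, password):
    return user in SERVICE_ACCESS.get(service, set())

# Mirrors /etc/pam.d/<service>: (group, control, module). Local accounts
# still work without the directory because pam_unix is tried first.
STACK = [
    ("auth", "sufficient", pam_unix),
    ("auth", "required", pam_ldap),
    ("account", "required", pam_access),
]

def run_group(group, service, user, password):
    """Evaluate one management group with PAM's control-flag rules."""
    failed = False
    for grp, control, module in STACK:
        if grp != group:
            continue
        ok = module(service, user, password)
        if control == "requisite" and not ok:
            return False           # abort the group at once
        if control == "sufficient" and ok and not failed:
            return True            # success ends the group early
        if control == "required" and not ok:
            failed = True          # remembered; remaining modules still run
        # "optional" never changes the verdict
    return not failed

def login(service, user, password):
    """Authenticate first, then authorize for this particular service."""
    if not run_group("auth", service, user, password):
        return "auth failed"
    if not run_group("account", service, user, password):
        return "authenticated but not authorized for " + service
    return "ok"
```

Calling `login("sshd", "bob", "hunter2")` authenticates bob against the directory but still refuses him, because the `account` group is where the per-service decision is made.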
Tags
authentication, authorization, kerberos, ldap, radius