LinuxQuestions.org
Centralized user management without PAM

#1 | jhw (Member, registered Apr 2010) | 01-10-2013, 04:05 AM


Hello,

I would like to know if there are any solutions for centralized user management in Slackware, like LDAP, but without the requirement of PAM, as this is not included in Slackware.

What I want to achieve is a setup where users can change from one desktop to another, using the same login/pw combination on any machine, without the need to set up the account on every computer. Basically just like an Active Directory.

Would Samba work with that? A quick online search gave me the impression that it also needs PAM to work properly.


Regards,
jhw

Last edited by jhw; 01-10-2013 at 04:11 AM.
 
#2 | acid_kewpie (Moderator, registered Jun 2001, UK) | 01-10-2013, 09:31 AM
It's not that LDAP needs PAM; it's that without a stack to route authentication requests through, there's no opportunity to use sources other than local files. So other mechanisms are also not possible: Samba, Kerberos etc. It's perfectly possible to install PAM onto Slackware though; there appear to be unofficial builds around for it.

Looking around, this very thread is already the best result online for the most suitable-sounding searches on Google, which is pretty depressing! Outside of that, there are lots of people who seem to have reverse engineered their personal beliefs about good security practice around what their distro of choice lets them do.
 
#3 | pataphysician (Member, registered Oct 2012) | 01-10-2013, 10:12 AM
You might check out this Howto

From the Slackware Documentation Project

Roaming profiles with NFS and NIS
http://docs.slackware.com/howtos:net...aming_profiles
 
#4 | acid_kewpie (Moderator) | 01-10-2013, 10:19 AM
Yeah, good point that NIS will work, but it'll only work because it's utterly awful. You basically pull the passwords for all users from a remote server and stick them on the end of the shadow file (not the actual file, but almost). Horrible and not recommended for security just about ever. NIS is obsolete for a reason. Well, lots of reasons.
 
#5 | TommyC7 (Member, registered Mar 2012) | 01-10-2013, 03:15 PM
The Slackware developer vbatts has PAM stuff ready for Slackware here:
http://www.slackware.com/~vbatts/pam/

Feel free to use it to install PAM to get everything else you need.
 
#6 | pataphysician (Member) | 01-10-2013, 03:41 PM
I understand NIS has some insecurities, but doesn't LDAP without PAM for user authentication using nss_ldap have similar insecurities? You have to set up the LDAP server to allow anonymous read of userPassword, and use the same hashing as the passwd file on the local machine.

Maybe I'm wrong on this.
 
#7 | chemfire (Member, registered Sep 2012) | 01-10-2013, 03:48 PM
It's entirely possible to replace the login and ssh programs with kerberized versions. There are SlackBuilds at slackbuilds.org that make building the MIT Kerberos package and rebuilding sshd pretty simple. Many things like proftpd and openldap are a few ./configure options in Pat's existing SlackBuild away from being able to use Kerberos as an authentication mechanism, once you have it installed.

You can even join an Active Directory domain without PAM or Samba (I'd strongly recommend you *do* use Samba; a rebuild with the Kerberos packages installed will save lots of headache), and get along pretty well. Most of this information is available by searching this site. What I have not found is an X login manager that does not need PAM to authenticate with Kerberos or a password LDAP bind.
 
#8 | jpollard (Senior Member, registered Dec 2012, Washington DC area) | 01-13-2013, 07:43 AM
I have a Kerberos-based login manager... but it is old (a bit over 5 years). It is based on xdm, but with the login widgets completely replaced. It also supports password changing (expired passwords), and a security text message shown before users log in.

Configuration is manual and, as with any Kerberos login, requires a host keytab (for those that don't know, that is so the system can verify the KDC used with the user's password).

Among the limitations, it uses its own widget set rather than something fancy.
 
#9 | chemfire (Member) | 01-13-2013, 12:04 PM
jpollard,

That sounds interesting, got a link? Samba can be configured to use a dedicated keytab, so that should actually integrate quite nicely.
 
#10 | jpollard (Senior Member) | 01-14-2013, 03:38 AM
kxdm

Quote: Originally Posted by chemfire
jpollard,

That sounds interesting, got a link? Samba can be configured to use a dedicated keytab, so that should actually integrate quite nicely.

No link, but I have tried to attach the compressed tar file.

There are two versions here - kxdm and kxdm.2. I don't remember if kxdm.2 was fully debugged though.

There is also an xdmwidgets and xdmwidgets.doc tree. This is the tiny toolkit I made for this (the scrollbars are not the best, and it doesn't support cut/paste, deliberately). The major requirement was not to use "standard" toolkits, as they aren't really standard. The kxdm server was running on Solaris, AIX, and Linux, and used only what was in the base X11 libraries. I seem to remember also being directed to remove XDMCP capability, as that has no security whatsoever (it exposes the Kerberos passwords). With a suitable Kerberos library it can even handle SecurID/CryptoCard one-time passcodes.

No guarantees on full functionality with current X libraries. I developed it using the Xnest X server so I could run it in an X window.

Good luck.

Unfortunately, it is too large to upload. There are several images used in the documentation to explain the setup, pointing out items referenced in the documentation.

Last edited by jpollard; 01-14-2013 at 03:56 AM.
 
#11 | acid_kewpie (Moderator) | 01-14-2013, 03:47 AM
Quote: Originally Posted by pataphysician
I understand NIS has some insecurities, but doesn't LDAP without PAM for user authentication using nss_ldap have similar insecurities? You have to set up the LDAP server to allow anonymous read of userPassword, and use the same hashing as the passwd file on the local machine.

Maybe I'm wrong on this.

Anonymous read of the userPassword? No, only if you're sourcing shadow data from it. Instead the PAM login will attempt to bind to the LDAP server with the user's credentials. So the password never leaves the central server in any form; it's implicit that if you can successfully bind to the server with the provided credentials, the password must be correct. It's never actually "checked" in the login at all, just used.
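The two models being argued about in this thread, side by side, as an added illustration that is not code from any poster. A Python dict stands in for the LDAP server (assumption: entries store userPassword in OpenLDAP's {SSHA} form); the entry, password and salt are constructed. In the nss_ldap/NIS-style path the client has to fetch the hash and verify it locally, so anyone with the same read access sees the hash too; in the bind-style path the client only ever learns yes or no.

```python
import base64
import hashlib
import os
import secrets
from typing import Optional, Tuple

SCHEME = "{SSHA}"

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP's common userPassword form: {SSHA}base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """Recompute the salted SHA-1 and compare in constant time."""
    if not stored.startswith(SCHEME):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]
    guess = hashlib.sha1(password.encode() + salt).digest()
    return secrets.compare_digest(guess, digest)

# Constructed directory: one entry with a made-up password and a fixed salt.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": make_ssha("correct horse", b"saltsalt"),
}

def shadow_style_login(dn: str, password: str) -> Tuple[bool, Optional[str]]:
    """nss_ldap / NIS model: the client reads userPassword (so the server must
    expose that attribute) and verifies locally. The second value is what the
    client now holds: the hash itself, which an anonymous reader would also get."""
    stored = DIRECTORY.get(dn)
    if stored is None:
        return False, None
    return verify_ssha(stored, password), stored

def ldap_simple_bind(dn: str, password: str) -> bool:
    """Stand-in for the server side of an LDAP simple bind: the server checks
    the credentials against its own copy of the hash and answers yes or no."""
    stored = DIRECTORY.get(dn)
    return stored is not None and verify_ssha(stored, password)

def bind_style_login(dn: str, password: str) -> Tuple[bool, Optional[str]]:
    """PAM-style model: the client learns only the bind result; the hash never
    leaves the server, so no anonymous read of userPassword is required."""
    return ldap_simple_bind(dn, password), None
```

The second return value makes the difference concrete: the shadow-style client ends up holding the {SSHA} string, the bind-style client holds nothing but a boolean.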
 
#12 | pataphysician (Member) | 01-14-2013, 07:40 AM
Quote: Originally Posted by acid_kewpie
Anonymous read of the userPassword? No, only if you're sourcing shadow data from it. Instead the PAM login will attempt to bind to the LDAP server with the user's credentials. So the password never leaves the central server in any form; it's implicit that if you can successfully bind to the server with the provided credentials, the password must be correct. It's never actually "checked" in the login at all, just used.

But as I stated, I was talking about LDAP without using PAM. Sure, LDAP with PAM is fine, no need for allowing anonymous reads, because as you say "the PAM login will attempt to bind to the LDAP server". But without PAM you can't bind, and you have to use nss_ldap, which is more for just reading the database, so you're stuck with sourcing shadow data from it.

Is this not correct? Is there some way of using LDAP without PAM, and not using a full Kerberos setup as mentioned by chemfire, that would allow you to bind without a PAM login?

I was also looking, like the OP, for centralized user management. What I found:

1) Unmodified Slackware: use NIS or LDAP; both are insecure, NIS somewhat inherently, LDAP because of the lack of PAM. NIS seems to be the simpler of the two solutions.

2) Modify Slackware with PAM: LDAP is now secure; one can also add in Kerberos and use it with PAM and LDAP. NIS is still insecure with PAM; if Kerberos is added, maybe secure? Samba4 AD can be used (must install Kerberos), also secure. This requires installing PAM and rebuilding anything that you want to use PAM with.

3) Modify Slackware to use Kerberos without PAM: LDAP doesn't store passwords, it passes them to Kerberos; this is also secure. NIS doesn't store passwords, passes them to Kerberos; not sure if this is secure? Samba4 AD can be used, also secure. This requires installing Kerberos and rebuilding things that need to use Kerberos; no X login manager readily available.

Is this correct?
 
  

