LinuxQuestions.org

Slackware forum thread: Centralized user management without PAM (http://www.linuxquestions.org/questions/showthread.php?t=4175444955)

jhw 01-10-2013 04:05 AM

Centralized user management without PAM
 
Hello,

I would like to know if there are any solutions for centralized user management in Slackware, like LDAP, but without the requirement of PAM, as this is not included in Slackware.

What I want to achieve is a setup where users can change from one desktop to another, using the same login/pw combination on any machine, without the need to set up the account on every computer. Basically just like an Active Directory.

Would Samba work with that? A quick online search gave me the impression that it also needs PAM to work properly.


Regards,
jhw

acid_kewpie 01-10-2013 09:31 AM

It's not that LDAP needs PAM; it's that without a stack to route authentication requests through, there's no opportunity to use sources other than local files, so other mechanisms are also not possible: Samba, Kerberos etc. It's perfectly possible to install PAM onto Slackware though; there appear to be unofficial builds around for it.

Looking around, this very thread is already the best result online for most suitable sounding searches on Google, which is pretty depressing! Outside of that, there are lots of people who seem to have reverse engineered their personal beliefs about good security practice around what their distro of choice lets them do.

pataphysician 01-10-2013 10:12 AM

You might check out this Howto
 
From the Slackware Documentation Project

Roaming profiles with NFS and NIS
http://docs.slackware.com/howtos:net...aming_profiles

acid_kewpie 01-10-2013 10:19 AM

Yeah, good point that NIS will work, but it'll only work because it's utterly awful. You basically pull the passwords for all users from a remote server and stick them on the end of the shadow file (not the actual file, but almost). Horrible and not recommended for security just about ever. NIS is obsolete for a reason. Well, lots of reasons. :)

TommyC7 01-10-2013 03:15 PM

The Slackware developer vbatts has PAM stuff ready for Slackware here:
http://www.slackware.com/~vbatts/pam/

Feel free to use it to install PAM to get everything else you need. :)

pataphysician 01-10-2013 03:41 PM

I understand NIS has some insecurities, but doesn't LDAP without PAM for user authentication using nss_ldap have similar insecurities? You have to configure the LDAP server to allow anonymous read of userPassword, and allow the same hashing as the passwd file on the local machine.

Maybe I'm wrong on this.

chemfire 01-10-2013 03:48 PM

It's entirely possible to replace the login and ssh programs with kerberized versions. There are SlackBuilds at slackbuilds.org that make building the MIT Kerberos package and rebuilding sshd pretty simple. Many things like proftpd and openldap are a few ./configure options in Pat's existing SlackBuild away from being able to use it as an authentication mechanism, once you have Kerberos installed.

You can even join an Active Directory domain without PAM or Samba (I'd strongly recommend you *do* use Samba; a rebuild with the Kerberos packages installed will save lots of headache), and get along pretty well. Most of this information is available by searching this site. What I have not found actually is an X login manager that does not need PAM to authenticate with Kerberos or a password LDAP bind.

jpollard 01-13-2013 07:43 AM

I have a Kerberos-based login manager... but it is old (a bit over 5 years): based on xdm, but with the login widgets completely replaced. It also supports password changing (expired passwords), and a security text message shown before users log in.

Configuration is manual and, as with any Kerberos login, requires a host keytab (and for those that don't know, that is so the system can verify the KDC used with the user's password).

Among the limitations, it uses its own widget set rather than something fancy.

chemfire 01-13-2013 12:04 PM

jpollard,

That sounds interesting, got a link? Samba can be configured to use a dedicated keytab, so that should actually integrate quite nicely.

jpollard 01-14-2013 03:38 AM

kxdm
 
Quote:

Originally Posted by chemfire (Post 4869091)
jpollard,

That sounds interesting, got a link? Samba can be configured to use a dedicated keytab, so that should actually integrate quite nicely.

no link, but I have tried to attach the compressed tar file.

There are two versions here - kxdm and kxdm.2. I don't remember if kxdm.2 was fully debugged though.

There is also an xdmwidgets and xdmwidgets.doc tree. This is the tiny toolkit I made for this (the scrollbars are not the best, and it doesn't support cut/paste, deliberately). The major requirement was not to use "standard" toolkits as they aren't really standard. The kxdm server was running on Solaris, AIX, and Linux, and used only what was in the base X11 libraries. I seem to remember also being directed to remove XDMCP capability as that has no security whatsoever (it exposes the Kerberos passwords). With a suitable Kerberos library it can even handle SecurID/CryptoCard one-time passcodes.

No guarantees on full functionality with current X libraries. I developed it using the Xnest X server so I could run it in an X window.

Good luck.

Unfortunately, it is too large to upload. There are several images used in the documentation to explain the setup, pointing out items referenced in the documentation.

acid_kewpie 01-14-2013 03:47 AM

Quote:

Originally Posted by pataphysician (Post 4867302)
I understand NIS has some insecurities, but doesn't LDAP without PAM for user authentication using nss_ldap have similar insecurities? You have to configure the LDAP server to allow anonymous read of userPassword, and allow the same hashing as the passwd file on the local machine.

Maybe I'm wrong on this.

Anonymous read of the userPassword? No, only if you're sourcing shadow data from it. Instead the PAM login will attempt to bind to the LDAP server with the user's credentials. So the password never leaves the central server in any form; it's implicit that if you can successfully bind to the server with the provided credentials, the password must be correct. It's never actually "checked" in the login at all, just used.

pataphysician 01-14-2013 07:40 AM

Quote:

Originally Posted by acid_kewpie (Post 4869520)
Anonymous read of the userPassword? No, only if you're sourcing shadow data from it. Instead the PAM login will attempt to bind to the LDAP server with the user's credentials. So the password never leaves the central server in any form; it's implicit that if you can successfully bind to the server with the provided credentials, the password must be correct. It's never actually "checked" in the login at all, just used.

But as I stated, I was talking about LDAP without using PAM. Sure, LDAP with PAM is fine, no need for allowing anonymous reads, because as you say "the pam login will attempt to bind to the ldap server". But without PAM you can't bind, and you have to use nss_ldap, which is more for just reading the database, so you're stuck with sourcing shadow data from it.

Is this not correct? Is there some way of using LDAP without PAM, and not using a full Kerberos setup as mentioned by chemfire, that would allow you to bind without a PAM login?

I was also looking, like the OP, for centralized user management. What I found:

1) Unmodified Slackware: use NIS or LDAP; both are insecure, NIS somewhat inherently, LDAP because of the lack of PAM. NIS seems to be the simpler of the two solutions.

2) Modify Slackware with PAM: LDAP is now secure; one can also add in Kerberos and use it with PAM and LDAP. NIS is still insecure with PAM; if Kerberos is added, maybe secure? Samba4 AD can be used (must install Kerberos), also secure. This requires installing PAM and rebuilding anything that you want to use PAM with.

3) Modify Slackware to use Kerberos without PAM: LDAP doesn't store passwords, passes to Kerberos; this is also secure. NIS doesn't store passwords, passes to Kerberos; not sure if this is secure? Samba4 AD can be used, also secure. This requires installing Kerberos and rebuilding things that need to use Kerberos; no X login manager readily available.

Is this correct?
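As an added illustration (not from any poster in this thread), the configuration contrast that the last two exchanges describe: the slapd ACL a PAM-less nss_ldap setup needs when login sources shadow data from LDAP, beside the hardened ACL that only works once login binds as the user through pam_ldap. Hostnames and DNs are constructed; the keys are OpenLDAP slapd.conf ACL syntax and the PADL nss_ldap/pam_ldap /etc/ldap.conf options.

```text
### WEAK: PAM-less login, nss_ldap serves the shadow map ###

# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap      # login fetches the hash and compares it locally
group:  files ldap

# /etc/ldap.conf (nss_ldap)
uri             ldap://ldap.example.com/        # constructed host
base            dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one

# slapd.conf: required for the above to work at all, and the problem:
# any anonymous client can dump every userPassword hash for offline cracking
access to attrs=userPassword
    by * read


### HARDENED: login binds as the user, hashes never leave slapd ###

# /etc/nsswitch.conf  (shadow stays local; LDAP only supplies passwd/group)
passwd: files ldap
shadow: files
group:  files ldap

# /etc/ldap.conf (nss_ldap + pam_ldap), TLS so the bind password is not cleartext
uri             ldap://ldap.example.com/
base            dc=example,dc=com
ssl             start_tls
tls_cacertfile  /etc/ssl/certs/ldap-ca.pem      # constructed path
nss_base_passwd ou=People,dc=example,dc=com?one
pam_password    exop                            # password changes via the extended op, not a rewrite of the hash

# /etc/pam.d/login (needs a PAM-enabled login, e.g. the vbatts build)
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so try_first_pass

# slapd.conf: anonymous may only *authenticate* against userPassword;
# nobody but the entry itself can read or write it
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

The weak half is exactly the trade pataphysician points out: without a bind in the login path, userPassword must be world-readable, which is the same exposure NIS has.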

