Centralized user management without PAM
Hello,
I would like to know if there are any solutions for centralized user management in Slackware like LDAP, but without the requirement of PAM, as this is not included in Slackware. What I want to achieve is a setup where users can change from one desktop to another, using the same login/password combination on any machine, without the need to set up the account on every computer. Basically just like an Active Directory. Would Samba work with that? A quick online search gave me the impression that it also needs PAM to work properly. Regards, jhw |
It's not that LDAP needs PAM; it's that without a stack to route authentication requests through, there's no opportunity to use sources other than local files, so other mechanisms are also not possible: Samba, Kerberos etc. It's perfectly possible to install PAM onto Slackware though; there appear to be unofficial builds around for it.
Looking around, this very thread is already the best result online for most suitable sounding searches on Google, which is pretty depressing! Outside of that, there are lots of people who seem to have reverse engineered their personal beliefs about good security practice around what their distro of choice lets them do. |
You might check out this Howto
From the Slackware Documentation Project
Roaming profiles with NFS and NIS http://docs.slackware.com/howtos:net...aming_profiles |
Yeah, good point that NIS will work, but it'll only work because it's utterly awful. You basically pull the passwords for all users from a remote server and stick them on the end of the shadow file (not the actual file, but almost). Horrible and not recommended for security just about ever. NIS is obsolete for a reason. Well, lots of reasons. :)
|
The Slackware developer vbatts has PAM stuff ready for Slackware here:
http://www.slackware.com/~vbatts/pam/ Feel free to use it to install PAM to get everything else you need. :) |
I understand NIS has some insecurities but doesn't LDAP without PAM for User Authentication using nss_ldap, have similar insecurities? You have to use LDAP server to allow anonymous read of userPassword, and allow the same hashing as the passwd file on the local machine.
Maybe I'm wrong on this |
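The concern in the post above (and the earlier point that LDAP is only as useful as the authentication stack in front of it) can be shown concretely. The following is an added example written for this page; it is not code from any post in the thread, and the directory entries, hashes, account names and passwords in it are constructed for the demo. It models the two ways a client can check an LDAP user's password: the non-PAM way, where the login program reads userPassword through NSS and compares the hash itself, and the bind way (PAM + pam_ldap, or a kerberized login), where the server does the check. The `Directory` class and its `userpassword_acl` flag are a stand-in for an OpenLDAP server and its `access to attrs=userPassword by anonymous auth|read` rule; they are assumptions of the model, not a real LDAP API.

```python
import base64
import hashlib
import hmac
import os


# --- RFC 2307 userPassword helpers (the schemes OpenLDAP commonly stores) ---

def make_ssha(password: bytes, salt: bytes = b"") -> bytes:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt). Constructed here for the demo."""
    salt = salt or os.urandom(4)
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def make_sha(password: bytes) -> bytes:
    """OpenLDAP {SHA}: unsalted sha1 (weak, but still seen in old directories)."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(password).digest())


def check_userpassword(stored: bytes, candidate: bytes) -> bool:
    """Verify a userPassword value locally.

    This is the comparison a non-PAM login has to do itself after fetching the
    hash through NSS, so the client must understand the scheme (the "same
    hashing as the passwd file" problem). Unknown schemes ({CRYPT} with an
    algorithm the local libc lacks, {ARGON2}, ...) fail closed.
    """
    if not stored.startswith(b"{"):
        return False
    scheme, _, data = stored[1:].partition(b"}")
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:           # binascii.Error is a ValueError
        return False
    if scheme.upper() == b"SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme.upper() == b"SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    return False


# --- Model of the directory server (assumption: not a real LDAP library) ---

class Directory:
    """userpassword_acl models OpenLDAP's 'access to attrs=userPassword' rule:
    "auth" lets clients bind with the password but never read the hash (the
    usual recommendation); "read" lets any anonymous client read every hash."""

    def __init__(self, entries, userpassword_acl="auth"):
        self.entries = entries
        self.userpassword_acl = userpassword_acl

    def nss_lookup(self, uid):
        """What nss_ldap's getspnam() can return for an anonymous client."""
        entry = self.entries.get(uid)
        if entry is None:
            return None
        visible = dict(entry)
        if self.userpassword_acl != "read":
            visible["userPassword"] = None   # hash withheld, like /etc/shadow for non-root
        return visible

    def simple_bind(self, uid, password):
        """Server-side check: the hash never leaves the server."""
        entry = self.entries.get(uid)
        return entry is not None and check_userpassword(entry["userPassword"], password)


def login_via_nss(directory, uid, password):
    """Login without PAM: read the hash via NSS and compare on the client."""
    entry = directory.nss_lookup(uid)
    if entry is None or entry["userPassword"] is None:
        return False
    return check_userpassword(entry["userPassword"], password)


def login_via_bind(directory, uid, password):
    """Login through an auth stack: prove the password to the server instead."""
    return directory.simple_bind(uid, password)


def hashes_exposed_to_anonymous(directory):
    """How many password hashes an unauthenticated client can harvest in bulk."""
    return sum(1 for uid in directory.entries
               if directory.nss_lookup(uid)["userPassword"] is not None)


# Constructed entries: names, uids and passwords are made up for this example.
ENTRIES = {
    "jdoe":   {"uidNumber": 1000, "userPassword": make_ssha(b"correct horse", b"\x01\x02\x03\x04")},
    "asmith": {"uidNumber": 1001, "userPassword": make_sha(b"s3cret")},
}

if __name__ == "__main__":
    locked = Directory(ENTRIES, userpassword_acl="auth")
    opened = Directory(ENTRIES, userpassword_acl="read")
    print("nss-only login, ACL 'auth':", login_via_nss(locked, "jdoe", b"correct horse"))
    print("bind login,     ACL 'auth':", login_via_bind(locked, "jdoe", b"correct horse"))
    print("nss-only login, ACL 'read':", login_via_nss(opened, "jdoe", b"correct horse"))
    print("hashes readable anonymously with ACL 'read':", hashes_exposed_to_anonymous(opened))
```

With the recommended `auth` ACL the NSS-only login cannot work at all, because the hash is withheld; making it work means switching to `read`, at which point every hash in the directory is available to anyone who can reach the server, which is the "similar insecurities" point. The bind path needs no such change, but it needs something on the client (PAM, or a kerberized login program) that performs the bind instead of a local compare.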
It's entirely possible to replace the login and ssh programs with kerberized versions. There are slackbuilds at slackbuilds.org that make building the mit kerberos package and rebuilding sshd pretty simple. Many things like proftpd and openldap are a few ./configure options away (in Pat's existing slackbuild, once you have kerberos installed) from being able to use it as an authentication mechanism.
You can even join an Active Directory domain without PAM or Samba (I'd strongly recommend you *do* use Samba; a rebuild with the kerberos packages installed will save lots of headache), and get along pretty well. Most of this information is available by searching this site. What I have not found actually is an X login manager that does not need PAM to authenticate with kerberos or a password ldap bind. |
I have a kerberos based login manager... but it is old (a bit over 5 years) - based on xdm, but with the login widgets completely replaced. It also supports password changing (expired passwords), and a security text message shown before users login.
Configuration is manual, and, as with any kerberos login, requires a host keytab (and for those that don't know, that is so the system can verify the KDC used with the users password). Among the limitations, it uses its own widget set rather than something fancy. |
jpollard,
That sounds interesting, got a link? Samba can be configured to use a dedicated keytab, so that should actually integrate quite nicely. |
kxdm
There are two versions here - kxdm and kxdm.2. I don't remember if kxdm.2 was fully debugged though. There is also an xdmwidgets and xdmwidgets.doc tree. This is the tiny toolkit I made for this (the scrollbars are not the best, and it doesn't support cut/paste - deliberately). The major requirement was not to use "standard" toolkits as they aren't really standard. The kxdm server was running on Solaris, AIX, and Linux, and used only what was in the base X11 libraries. I seem to remember also being directed to remove xdmcp capability as that has no security whatsoever (it exposes the kerberos passwords). With a suitable Kerberos library it can even handle SecurID/CryptoCard one time passcodes. No guarantees on full functionality with current X libraries. I developed it using the xnest X server so I could run it in an X window. Good luck. Unfortunately, it is too large to upload. There are several images used in the documentation to explain the setup, pointing out items referenced in the documentation. |
Is this not correct? Is there some way of using LDAP without PAM, and without a full kerberos setup as mentioned by chemfire, that would allow you to bind without a PAM login? I was also looking, like the OP, for centralized user management. What I found:
1) Unmodified Slackware: use NIS or LDAP. Both are insecure, NIS somewhat inherently, LDAP because of the lack of PAM. NIS seems to be the simpler of the two solutions.
2) Modify Slackware with PAM: LDAP is now secure; one can also add in kerberos and use it with PAM and LDAP. NIS is still insecure with PAM; if kerberos is added, maybe secure? Samba4 AD can be used (must install kerberos), also secure. This requires installing PAM and rebuilding anything that you want to use PAM with.
3) Modify Slackware to use kerberos without PAM: LDAP doesn't store passwords, passes to kerberos; this is also secure. NIS doesn't store passwords, passes to kerberos; not sure if this is secure? Samba4 AD can be used, also secure. This requires installing kerberos and rebuilding things that need to use kerberos; no X login manager readily available.
Is this correct? |