LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 07-29-2014, 03:41 AM   #91
PrinceCruise
Member
 
Registered: Aug 2009
Location: /Universe/Earth/India/Pune
Distribution: Slackware64 -Current
Posts: 890

Rep: Reputation: 185Reputation: 185

Quote:
Originally Posted by kikinovak View Post
1. Setup centralized authentication using LDAP and NFS on a Slackware server and Slackware clients.

2. Write a detailed step-by-step documentation about the process.

3. Publish it on http://docs.slackware.com.

4. Eventually, maintain all the core packages that have to be rebuilt in the process.
This should actually be a good exercise for learners like me. It's rainy season here, no outings for next month or so, so I think I can grok some basics of it. *thumbs up*

Regards.
 
Old 07-29-2014, 04:10 AM   #92
genss
Member
 
Registered: Nov 2013
Posts: 740

Rep: Reputation: Disabled
Quote:
Originally Posted by Slax-Dude View Post
That is the point of PAM: to make authentication modular, so you don't have to use just one standard.
This way, you can use ldap, kerberos, etc...
You can even use the good old reliable linux flat files (shadow, passwd, group).

Just imagine having 50 computers.
Now imagine that every user should be able to work on any one of them.
To do this, you can:
a) replicate passwd, shadow, group to every one of those computers... every time a user is created or changes their password...
thinking about it for 5min actually yes, in a way

i would have on my computer a list consisting of computer names paired with a root/admin password that was generated by /dev/random
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it

that way there would be no logical inconsistencies and as a bonus other things like upgrading software could be automatized yet secure
and no dependencies on a central authority that could go bonkers

ofc i would make it so it reports unexpected behavior that would require hands on investigating
and the admin passwords would be changed every month or two (time would be calculated by how long it takes for a big data center to crack a shadow file)

from what i know, and that is not much, PAM is required in the enterprise for window server things
 
Old 07-29-2014, 04:33 AM   #93
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 5,476

Rep: Reputation: Disabled
Quote:
Originally Posted by genss View Post
when someone wanted to change their password they would have to contact me
they usually call all together when you're on holiday lying on a beach...
 
1 members found this post helpful.
Old 07-29-2014, 05:31 AM   #94
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.2
Posts: 7,810
Blog Entries: 58

Rep: Reputation: Disabled
She's causing a lot of trouble, this PAM. Wouldn't be surprised if she was related to Harry Potter...no, Lenny Potter...Poetter...whateverhisnameis.
 
1 members found this post helpful.
Old 07-29-2014, 05:35 AM   #95
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,497
Blog Entries: 14

Rep: Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328
Quote:
Originally Posted by genss View Post
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
Homespun Heath Robinson solutions like that are all well and good until a random set of 300 of your 5000 hosts are either down or uncontactable at the point in time when you want to do the change. Then you're left with a "this random set of changes still need doing" problem to manage. When you get a bunch of these incomplete changes build up, each with their own random set of hosts, it gets messy keeping track of it all.

While there are products out there to allow you to robustly manage change deployment over a wide installation base (and to be honest its not that hard to write one yourself - I've never understood why people spend thousands of pounds licensing them from the likes of IBM), user authentication is probably best left to centralised systems such as NIS, kerberos, LDAP etc that were created specifically to address the issues at hand.
 
Old 07-29-2014, 05:49 AM   #96
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,497
Blog Entries: 14

Rep: Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328Reputation: 3328
Quote:
Originally Posted by brianL View Post
She's causing a lot of trouble, this PAM. Wouldn't be surprised if she was related to Harry Potter...no, Lenny Potter...Poetter...whateverhisnameis.
Beatrix?

There's really only one question:
Is there sufficient need/demand from slackware users to warrant inclusion of PAM in stock Slackware? There is clearly some, but probably not that much. Whether there is "sufficient" is a question for Pat and the Slackware team. The rest of this thread is just noise(*).


(*) WTH happened to this forum?
 
2 members found this post helpful.
Old 07-29-2014, 06:11 AM   #97
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware & Slackware64 14.2
Posts: 7,810
Blog Entries: 58

Rep: Reputation: Disabled
Quote:
Originally Posted by GazL View Post
Beatrix?
Another one? Triplets? PAM, su, and Beatrix? "Bob" help us!

Quote:
Originally Posted by GazL View Post
There's really only one question:
Is there sufficient need/demand from slackware users to warrant inclusion of PAM in stock Slackware?
Seems to depend on what the users are using Slackware for. For me, it's a hobby, I'm sole user of my computers, so I don't believe I need it or that I'd find it useful. But if some users need it, OK. Maybe stick it in /extra? I'll let our BDFL decide.
 
Old 07-29-2014, 06:16 AM   #98
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian, Slackware64-current
Posts: 500

Rep: Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830
Quote:
Originally Posted by genss View Post
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it

that way there would be no logical inconsistencies

from what i know, and that is not much, PAM is required in the enterprise for window server things
You made my day ))))
 
Old 07-29-2014, 06:29 AM   #99
genss
Member
 
Registered: Nov 2013
Posts: 740

Rep: Reputation: Disabled
Quote:
Originally Posted by GazL View Post
Homespun Heath Robinson solutions like that are all well and good until a random set of 300 of your 5000 hosts are either down or uncontactable at the point in time when you want to do the change. Then you're left with a "this random set of changes still need doing" problem to manage. When you get a bunch of these incomplete changes build up, each with their own random set of hosts, it gets messy keeping track of it all.

While there are products out there to allow you to robustly manage change deployment over a wide installation base (and to be honest its not that hard to write one yourself - I've never understood why people spend thousands of pounds licensing them from the likes of IBM), user authentication is probably best left to centralised systems such as NIS, kerberos, LDAP etc that were created specifically to address the issues at hand.
sure, you could idk ping them every 5min or something

thinking another 5min on this, a theoretical situation

lets say workstation A can ping B but can not contact the auth server while B can
changing a password would work on B so A <-> B communicating would break

in the case of PAM it would not work either since they bout need to contact the central authority (when connecting i guess)

but in the case of normal use with the password staying the same A could contact B since it does not have to contact a server that might be across the world

and ye, from what i know it wouldn't be so hard to write your own protocol using just some encryption library and sockets
 
Old 07-29-2014, 06:53 AM   #100
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 440

Rep: Reputation: 197Reputation: 197
Quote:
Originally Posted by genss View Post
thinking about it for 5min actually yes, in a way

i would have on my computer a list consisting of computer names paired with a root/admin password that was generated by /dev/random
when someone wanted to change their password they would have to contact me and i would start a script that would ssh into every one of those computers and change it
So, they would have to tell you their password, so that you could ssh into all the computers and change it...
Yes, I see that is way better and more secure.
I think you need more than 5min to think of a better solution to this problem

Quote:
Originally Posted by genss View Post
and no dependencies on a central authority that could go bonkers
Sure, let's replace that dependency with you.
Humans are way more reliable and error free than computers anyway.
Congrats, you are now the single point of failure. I hope you will be all right, for the company's sake.

Quote:
Originally Posted by genss View Post
ofc i would make it so it reports unexpected behavior that would require hands on investigating
and the admin passwords would be changed every month or two (time would be calculated by how long it takes for a big data center to crack a shadow file)
Since the passwords will have to be communicated to you in clear text, the time to crack would be reduced to 0.000000000001 seconds.

Quote:
Originally Posted by genss View Post
from what i know, and that is not much, PAM is required in the enterprise for window server things
You urgently need to up your google skills and read more.
 
Old 07-29-2014, 08:05 AM   #101
Arkerless
Member
 
Registered: Mar 2006
Distribution: Give me Slack or give me death.
Posts: 81

Rep: Reputation: 60
Quote:
Originally Posted by Slax-Dude View Post
That is the point of PAM: to make authentication modular, so you don't have to use just one standard.
This way, you can use ldap, kerberos, etc...
You can even use the good old reliable linux flat files (shadow, passwd, group).[/quote\

Just imagine having 50 computers.
Now imagine that every user should be able to work on any one of them.
To do this, you can:
a) replicate passwd, shadow, group to every one of those computers... every time a user is created or changes their password...
b) have some sort of central authentication scheme that the 50 computers use.

If you are a sysadmin that has to deal with that, you will probably chose b)
Now imagine 500 or 5000 computers... b) will look even more attractive
Most of this I completely agree with. But I have a few counterpoints.

1) Having a large number of computers that all need to be accessed with the same accounts is probably not the way that most people use slack. So for the most common use case, PAM is simply adding a superfluous abstraction level on top of the unix login system that is actually to be used. Cutting corners for convenience like that can make perfect sense in an application but not for a critical system component everything else is relying on, where an exploit OR a bug could have catastrophic implications.

2) For the case where you DO have need for a central auth scheme, my instinct would be to pick ONE and install it in the simplest and most robust configuration possible, not to add multiple systems and a whole new abstraction layer to access them through.

Quote:
Ser Olmy explained it best in this post: http://www.linuxquestions.org/questi...ml#post5209961
I think your link is borken.
 
Old 07-29-2014, 08:08 AM   #102
genss
Member
 
Registered: Nov 2013
Posts: 740

Rep: Reputation: Disabled
Quote:
Originally Posted by Slax-Dude View Post
So, they would have to tell you their password, so that you could ssh into all the computers and change it...
Yes, I see that is way better and more secure.
I think you need more than 5min to think of a better solution to this problem

Sure, let's replace that dependency with you.
Humans are way more reliable and error free than computers anyway.
Congrats, you are now the single point of failure. I hope you will be all right, for the company's sake.

Since the passwords will have to be communicated to you in clear text, the time to crack would be reduced to 0.000000000001 seconds.

You urgently need to up your google skills and read more.
wow
how about you take more then 10sec of thinking before being smart

like that that it is just a protocol
that could be done in a small binary
that could send a line like "pswdchng: username oldpass newpass newpass"
a line that would be encrypted ofc
and so on and so forth
but first you would have to use a brain to understand theory from practice

in no post on this topic have i claimed to know it all, even less to know it perfectly
so what is the cause of this looking down on a thought ?

to be a smartypants, a question; how would some one read that hypothetical clear text that was sent to me ?

Last edited by genss; 07-29-2014 at 08:14 AM. Reason: added name
 
Old 07-29-2014, 08:30 AM   #103
Slax-Dude
Member
 
Registered: Mar 2006
Location: Valadares, Portugal
Distribution: Slackware
Posts: 440

Rep: Reputation: 197Reputation: 197
Quote:
Originally Posted by Arkerless View Post
1) Having a large number of computers that all need to be accessed with the same accounts is probably not the way that most people use slack.
Well, if Slackware were to be used in enterprise I'd assume the number of users would go up a fair bit.
So, it would probably be the way most people would use slack
But, for the present, I concede that you are correct: slackware is mostly used by hobbyists that don't need a central authentication service.
I just think that "it has always been this way" is not a valid argument for not making changes.

Quote:
Originally Posted by Arkerless View Post
So for the most common use case, PAM is simply adding a superfluous abstraction level on top of the unix login system that is actually to be used. Cutting corners for convenience like that can make perfect sense in an application but not for a critical system component everything else is relying on, where an exploit OR a bug could have catastrophic implications.
Do you propose that we stop using databases for critical stuff?
Are you saying that the whole server/client architecture is flawed, or just in this one use case?

Quote:
Originally Posted by Arkerless View Post
2) For the case where you DO have need for a central auth scheme, my instinct would be to pick ONE and install it in the simplest and most robust configuration possible, not to add multiple systems and a whole new abstraction layer to access them through.
I would also pick one and go with simplest and most robust.
The problem is that the best one today may not be the best one tomorrow...
Should we keep changing core packages to add support for the next_best_auth_scheme_NG every few years?
You will find that this abstraction layer is not so superfluous if you plan for further than tomorrow.

Quote:
Originally Posted by Arkerless View Post
I think your link is borken.
Did you try clicking on it?
 
Old 07-29-2014, 08:39 AM   #104
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: Carrollton, Texas
Distribution: Slackware64 14.2
Posts: 3,697

Rep: Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036Reputation: 2036
Quote:
Originally Posted by kikinovak View Post
I'll take you at your word, then. Here's a specific task for you, Reaper X7.

1. Setup centralized authentication using LDAP and NFS on a Slackware server and Slackware clients.

2. Write a detailed step-by-step documentation about the process.

3. Publish it on http://docs.slackware.com.

4. Eventually, maintain all the core packages that have to be rebuilt in the process.

Thanks in advance,

Niki
http://englanders.us/~jason/howtos.php?howto=openldap appears to have written step-by-step documentation on centralized authentication using LDAP. I'm trying it on a couple of test machines.

You're going to have to explain why you think that LDAP requires NFS.
 
Old 07-29-2014, 08:48 AM   #105
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 5,476

Rep: Reputation: Disabled
I think Niki cited NFS as an example of per-user storage (for $HOME and/or whatever else) usable by the users on the hosts on which they authenticate with LDAP.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
PAM and Slackware 10.2 darkarcon2015 Slackware 15 10-20-2007 02:32 PM
PAM Available For Slackware 10.0 eric.r.turner Slackware 14 09-22-2006 12:08 PM
PAM for my Slackware rmg Linux - Newbie 3 04-06-2006 01:10 PM
does slackware 10 support PAM? joroxx Slackware - Installation 2 11-16-2004 12:06 AM
pam mount in slackware 10 qwijibow Linux - Software 1 08-06-2004 08:37 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration