SCIENTIFIC-LINUX-USERS Archives

February 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Mon, 17 Feb 2014 10:17:17 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (67 lines)

In order:

* Local accounts and passwords, managed by some central configuration
tool such as puppet or chef. Trade-offs include the security of the
central password management system, and access to local stored
passwords in /etc/shadow. Can be combined with SSH key deployment and
sudo configuration to provide quite a sophisticated setup for small
environments. Many, many, many tools exist for this, most of which
have deep flaws that may not affect your environment.

* NIS - old, stable, simple to set up, uses /etc/passwd and
/etc/shadow and /etc/group from a central server to publish shared
configurations. Not well known for security, since for most setups
random clients can connect and pull encrypted password information.
Can be set up by an untrained monkey, easily managed with "webmin". Used
in places where "we trust the people we work with", and "if we have
someone inside our network, we have much bigger problems" are used to
set security standards.

* NIS+ - Supposedly deals with a lot of the flaws of NIS. Never had a
chance to play with it, myself.

* LDAP - A gazillion distinct management and integration suites exist,
including AD integrated account management for Windows users as well
with many. One can create arbitrary new arrays of privilege and host
integration, most of which will wind up ignored in practice. But
straightforward registration of user accounts with uid, gid, home
directory, and password is pretty straightforward with even the
weirder suites. Typically relies on Kerberos for authentication, as
opposed to account management.

* Kerberos - Underlying authentication technology for most LDAP setups
and especially AD and modern Samba systems. It is extremely robust and
much safer than almost any other authentication technology for
externally exposed accounts. More sensitive to DNS misconfiguration
and NTP drift than other systems, but can provide authentication
without the peskiness of LDAP for systems like website logins and
centralized password management for accounts on local hosts.


Note also, for Scientific Linux and these systems, that the
configurations available from the built-in "authconfig" tool are not
all the options and tuning available. The Kerberos options, for
example, don't have a way to *strip out* old domains or add multiple
domains in /etc/krb5.conf: tools like webmin do, but themselves take
extra work and time to consider.

I also recommend that you spend some time and get DNS or locally
published /etc/hosts worked out so your hosts have consistent
hostnames and IP addresses. That helps a lot of things, like logging
connections among the hosts and dealing with changes in SSH keys being
misreported by renamed or re-IP-addressed hosts.


On Mon, Feb 17, 2014 at 9:39 AM, Jose Marques <[log in to unmask]> wrote:
>
> On 17 Feb 2014, at 14:19, Tam Nguyen <[log in to unmask]> wrote:
>
>> Btw, if security isn't your main concern, then have a look at NIS.
>
> In a previous job I used NIS in combination with Kerberos. No password data was stored in NIS so it removed some of the security issues.
>
> You can also use something like Puppet to centrally manage users.
>
> The University of St Andrews is a charity registered in Scotland, No. SC013532.
>

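The multi-realm /etc/krb5.conf that Nico says authconfig cannot produce, written out by hand as an added illustration (not from the thread or from any distribution's default file). Realm and host names (EXAMPLE.COM, LAB.EXAMPLE.ORG and their KDCs) are constructed placeholders; the option names are standard MIT Kerberos keys.

```ini
; /etc/krb5.conf - two realms served by one client, with explicit
; realm and host mappings so that authentication does not depend on
; DNS SRV records or reverse lookups (the DNS sensitivity noted above).
[libdefaults]
    default_realm = EXAMPLE.COM
    ; Keep realm/KDC discovery explicit: a stale or spoofed DNS answer
    ; cannot redirect clients to the wrong KDC.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ; Do not canonicalize service hostnames via reverse DNS; a renamed
    ; or re-addressed host would otherwise request the wrong principal.
    rdns = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true

[realms]
    ; Primary realm: constructed placeholder names.
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    ; Second realm (e.g. a lab or partner site), also a placeholder.
    LAB.EXAMPLE.ORG = {
        kdc = kdc.lab.example.org
        admin_server = kdc.lab.example.org
    }

[domain_realm]
    ; Map DNS domains to realms. The leading-dot entry covers hosts
    ; under the domain; the bare entry covers the domain name itself.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .lab.example.org = LAB.EXAMPLE.ORG
    lab.example.org = LAB.EXAMPLE.ORG
```

Removing an old realm means deleting its [realms] stanza and every [domain_realm] line that points at it, which is exactly the editing step authconfig leaves to the administrator.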