
Kerberos for Debian Edu/Squeeze?



Yesterday's NUUG presentation[1] about Kerberos was inspiring, and
reminded me about the need to start using Kerberos in
Skolelinux. Setting up a Kerberos server seems to be straightforward,
and if we get this in place a long time before the Squeeze version of
Debian freezes, we have a chance to migrate Skolelinux away from NFSv3
for the home directories, and over to an architecture where the
infrastructure does not have to trust IP addresses and machines, and
can trust users and cryptographic keys instead.

 [1] http://www.nuug.no/aktiviteter/20100413-kerberos/

A challenge will be integration and administration. Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups? With it, the
school administration will have to maintain access control using flat
files on the main server, which gives a huge potential for errors.

A related question I would like to know is how well Kerberos and
pam-ccreds (offline password check) work together. Anyone know?

Next step will be to use Kerberos for access control in Lwat and
Nagios. I have no idea how much work that will be to implement. We
would also need to document how to integrate with Windows AD, as such
a shared network will require two Kerberos realms that need to cooperate
to work properly.

I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way get ourselves experience with
configuration and integration. A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrate the
rest of the machines from PAM via LDAP to PAM via Kerberos one at a
time.

If you would like to contribute to get this working in Skolelinux, I
recommend you to see the video recording from yesterday's NUUG
presentation, and start using Kerberos at home. The video should show up
in a few days.

Happy hacking,
-- 
Petter Reinholdtsen
