Re: Kerberos for Debian Edu/Squeeze?

On Wed, 14-04-2010 at 17:22 +0200, Petter Reinholdtsen wrote:
> Yesterday's NUUG presentation[1] about Kerberos was inspiring, and
> reminded me about the need to start using Kerberos in
> Skolelinux. Setting up a Kerberos server seems to be straightforward,
> and if we get this in place a long time before the Squeeze version of
> Debian freezes, we have a chance to migrate Skolelinux away from NFSv3
> for the home directories, and over to an architecture where the
> infrastructure does not have to trust IP addresses and machines, and
> can instead trust users and cryptographic keys.
>
> [1] http://www.nuug.no/aktiviteter/20100413-kerberos/
>
> A challenge will be integration and administration. Is there a
> Kerberos implementation for Debian where one can control the
> administration access in Kerberos using LDAP groups? With it, the
> school administration will have to maintain access control using flat
> files on the main server, which gives a huge potential for errors.
>
> A related question I would like to know is how well Kerberos and
> pam-ccreds (offline password check) work together. Anyone know?
>
> Next step will be to use Kerberos for access control in Lwat and
> Nagios. I have no idea how much work that will be to implement. We
> would also need to document how to integrate with Windows AD, as such
> a shared network will require two Kerberos realms that need to cooperate
> to work properly.
>
> I believe a good start would be to start using Kerberos on the
> skolelinux.no machines, and this way get ourselves experience with
> configuration and integration. A natural starting point would be
> setting up ldap.skolelinux.no as the Kerberos server, and migrate the
> rest of the machines from PAM via LDAP to PAM via Kerberos one at a
> time.
>
> If you would like to contribute to get this working in Skolelinux, I
> recommend you see the video recording from yesterday's NUUG
> presentation, and start using Kerberos at home. The video should show up
> in a few days.

Another step I'd like to add is having freeradius support in this
implementation. Laptops are arriving (usually as netbooks) at the
schools and freeradius seems to be the safest way to add them to the
school network via wireless. There are freeradius-krb5 and
freeradius-ldap packages in Debian, so it should be an accessible step.

José L.

