OpenLDAP and Kerberos questions
Hi all,
I recently decided it would be a good thing to centralize all of the
user information and authentication on my network. After some reading I
found that Kerberos will provide me the necessary secure authentication
scheme, and OpenLDAP should provide me the user information DB. Both
appear to have available PAM modules, but I lack the foresight on how to
proceed. Here is my theory and how I want to set it up:
Users are allowed to login using ssh or local login via virtual
terminal or WDM. I am using the default WDM and Xauth setup currently
in Debian. Correct me if I am wrong, but the current version of X uses
Xauth by default. So far this has proven secure. Telnet and rlogin are
explicitly disallowed.
To accomplish this I would like login to use Kerberos for authentication
first with unix login as a fall back. The auth lines in /etc/pam.d/login
could be like the following:
auth required pam_nologin.so
auth sufficient pam_krb5.so
auth required pam_unix.so
Theoretically this will allow Kerberos to authenticate the user and if
failed pass authentication to local unix authentication. Since Kerberos
only provides authentication, I have to use another method to set up the
account information for the user. This is where I would like to use
OpenLDAP so I can centrally manage user account information. So I think
the following account lines would be needed for setting up user account
info using LDAP:
account sufficient pam_ldap.so
account required pam_unix.so
Again this should use LDAP first and fall back to local unix if needed.
Ideally this would be all I need to do. However since we used Kerberos
above, I think I would have to use the following as well for the
password and session sections:
password sufficient pam_krb5.so
password required pam_unix.so
session required pam_krb5.so
session required pam_unix.so
Should use Kerberos password to allow password changes by the user and
the session one maintains the session key until logout. (I read
something on this but cannot find it now. So I could be very wrong.)
They both have the usual fall back to pam_unix.so.
So all of that is essentially theory and I was wondering if anyone has
any suggestions. Especially the existing OpenLDAP and Kerberos
maintainers. Steve Langasek, you seem to have written a PAM module
before; any suggestions?
For the curious, I have read up on this. I am simply not very confident
of my understanding. Any help would be great. Please reply to me
directly or CC me. I am not subscribed to the list. (Wasn't there a
thing on how to handle this in mutt recently....)
Thanks,
Matthew P. McGuire
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matthew P. McGuire <gray@shadowglade.net> 1024D/E21C0E88
CB82 7859 26B2 95E3 1328 5198 D57A D072 E21C 0E88
When choice matters, choose Debian.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
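The post hinges on how Linux-PAM evaluates "required" versus "sufficient" entries, so here is an added example (not part of the original message or of any Debian package) that simulates those control flags over the auth and account stacks proposed above. It assumes the simplified stack semantics of Linux-PAM and uses constructed per-module outcomes; the module names mirror the post, and pam_nologin.so is assumed to fail only when /etc/nologin exists.

```python
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]

def parse_stack(text: str, section: str) -> Stack:
    """Extract (control, module) pairs for one section (auth, account, ...) of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == section:
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack: Stack, outcome: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a stack with Linux-PAM's simple control flags (simplified model).
    outcome maps module -> True (success) / False (failure); unknown modules fail.
    Returns (final result, modules actually consulted, in order)."""
    failed = succeeded = False
    trace: List[str] = []
    for control, module in stack:
        ok = outcome.get(module, False)
        trace.append(module)
        if control == "required":
            # a failure is remembered but the stack keeps running, so a later
            # 'sufficient' success can no longer rescue the result
            failed, succeeded = failed or not ok, succeeded or ok
        elif control == "requisite":
            if not ok:
                return False, trace           # stop immediately
            succeeded = True
        elif control == "sufficient":
            if ok and not failed:
                return True, trace            # short-circuit: later modules are skipped
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            pass                              # only matters if it is the sole module
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed, trace

# constructed /etc/pam.d/login fragment matching the stacks proposed in the post
LOGIN_PAM = """
auth     required   pam_nologin.so
auth     sufficient pam_krb5.so
auth     required   pam_unix.so
account  sufficient pam_ldap.so
account  required   pam_unix.so
"""

def auth(krb5_ok: bool, unix_ok: bool, nologin_ok: bool = True):
    return run_stack(parse_stack(LOGIN_PAM, "auth"),
                     {"pam_nologin.so": nologin_ok, "pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok})

def account(ldap_ok: bool, unix_ok: bool):
    return run_stack(parse_stack(LOGIN_PAM, "account"), {"pam_ldap.so": ldap_ok, "pam_unix.so": unix_ok})
```

Running auth(True, False) shows pam_unix.so is never consulted when Kerberos succeeds, while auth(True, True, nologin_ok=False) shows that a failed "required" pam_nologin.so still denies the login even though the "sufficient" Kerberos step succeeded.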