David Z Maze wrote:
Benedict Verheyen <email@example.com> writes:Today i read that Slackware doesn't use PAM by default because of some of the leaks that pop up now and then. I was wondering what other type of authentications there are on Linux and how easy/difficult they are to set up.The basic answer here is pretty much either "PAM" or "not"; in the "not" case, individual programs generally ask for a password and verify it against what's in /etc/shadow.For instance, if i would now like to change the way users are authenticated, how would i do that.In Debian, you'd find a PAM module for the authentication method you cared about, install it, and put an appropriate reference in the appropriate /etc/pam.d file(s). Otherwise, "change the source".What methods are good for providing 1 central repository of authentication stuff os that you don't need to spread around passwords and thus end up with having to change several sources when a user is deleted for instance.I think both Kerberos and RADIUS are "single sign-on" protocols: when you log on you get some sort of authentication token, which you can use to talk to other services without typing a password. I know much more about Kerberos, so I'll talk about that. I think it should be possible using only what's included in Debian to assemble infrastructure that gets Kerberos tickets on login (via PAM), and then you have mail services (Kerberos/SASL IMAP), a filesystem (OpenAFS), and passwordless ssh (ssh-krb5). User passwords are only stored one place (the Kerberos KDC), and once they've logged in they never need to type their password again. Even given this, you still need some way of distributing the (public) information in /etc/passwd. I think LDAP is good for this.
Is it possible to use such an authentication scheme for NIS/Samba? I have 8 workstations (all running Sid) that connect to a Woody server which runs NIS/NFS/Samba. Sometimes the researchers like to bring in their laptops (which all run Windoze) and get at their homedirs. What I did was to manually enter each user into Samba and set them a different password. I looked into several possibilities (like using LDAP/MySQL as an authentication source for both), but none of those were particularly good or easy to setup. I wonder if this might be a possibility.
Description: PGP signature