
Re: pam and other authentication methods

David Z Maze wrote:
Benedict Verheyen <linux4bene@pandora.be> writes:

Today I read that Slackware doesn't use PAM by default because of
some of the leaks that pop up now and then. I was wondering what
other type of authentications there are on Linux and how
easy/difficult they are to set up.

The basic answer here is pretty much either "PAM" or "not"; in the
"not" case, individual programs generally ask for a password and
verify it against what's in /etc/shadow.

For instance, if I would now like to change the way users are
authenticated, how would I do that?

In Debian, you'd find a PAM module for the authentication method you
cared about, install it, and put an appropriate reference in the
appropriate /etc/pam.d file(s).  Otherwise, "change the source".

What methods are good for providing 1 central repository of
authentication stuff so that you don't need to spread around passwords
and thus end up with having to change several sources when a user is
deleted for instance?

I think both Kerberos and RADIUS are "single sign-on" protocols: when
you log on you get some sort of authentication token, which you can
use to talk to other services without typing a password.  I know much
more about Kerberos, so I'll talk about that.  I think it should be
possible using only what's included in Debian to assemble
infrastructure that gets Kerberos tickets on login (via PAM), and then
you have mail services (Kerberos/SASL IMAP), a filesystem (OpenAFS),
and passwordless ssh (ssh-krb5).  User passwords are only stored in one
place (the Kerberos KDC), and once they've logged in they never need
to type their password again.

Even given this, you still need some way of distributing the (public)
information in /etc/passwd.  I think LDAP is good for this.

Is it possible to use such an authentication scheme for NIS/Samba? I have 8 workstations (all running Sid) that connect to a Woody server which runs NIS/NFS/Samba. Sometimes the researchers like to bring in their laptops (which all run Windoze) and get at their homedirs. What I did was to manually enter each user into Samba and set them a different password. I looked into several possibilities (like using LDAP/MySQL as an authentication source for both), but none of those were particularly good or easy to set up. I wonder if this might be a possibility.
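
An added illustration, not part of the thread or written by its participants: what "put an appropriate reference in the appropriate /etc/pam.d file(s)" can look like for the Kerberos-on-login setup described above. It assumes the pam_krb5 module from Debian's libpam-krb5 package and Debian's shared common-* PAM files; the UID cut-off of 1000 is an assumed value.

```conf
# /etc/pam.d/common-auth
# Try Kerberos first. On success the user gets a ticket at login and the
# stack stops here ("sufficient"). minimum_uid makes pam_krb5 ignore
# low-UID accounts such as root, so they never depend on the KDC.
auth     sufficient  pam_krb5.so minimum_uid=1000
# Fallback: check the local password hash in /etc/shadow, reusing the
# password already typed instead of prompting a second time.
auth     required    pam_unix.so try_first_pass

# /etc/pam.d/common-account
# Account checks (expiry, authorization) for both sources.
account  required    pam_krb5.so minimum_uid=1000
account  required    pam_unix.so

# /etc/pam.d/common-session
# Lets pam_krb5 remove the ticket cache at logout; "optional" keeps a
# Kerberos problem from blocking a session that pam_unix would allow.
session  optional    pam_krb5.so minimum_uid=1000
session  required    pam_unix.so
```

Keeping pam_unix in the auth stack preserves a local login path when the KDC is unreachable, so the accounts that still have a hash in /etc/shadow should be limited to the ones meant to work offline.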

