Re: pam and other authentication methods

To: debian-user@lists.debian.org
Subject: Re: pam and other authentication methods
From: Roberto Sanchez <rcsanchez97@yahoo.es>
Date: Sat, 27 Sep 2003 18:59:37 -0400
Message-id: <[🔎] 3F761659.9090207@yahoo.es>
In-reply-to: <[🔎] y68isndvoim.fsf@no-knife.mit.edu>
References: <[🔎] 1064674730.950.18.camel@guinevere.camelot> <[🔎] y68isndvoim.fsf@no-knife.mit.edu>

David Z Maze wrote:

Benedict Verheyen <linux4bene@pandora.be> writes:

Today i read that Slackware doesn't use PAM by default because of
some of the leaks that pop up now and then. I was wondering what
other type of authentications there are on Linux and how
easy/difficult they are to set up.



The basic answer here is pretty much either "PAM" or "not"; in the
"not" case, individual programs generally ask for a password and
verify it against what's in /etc/shadow.

For instance, if i would now like to change the way users are
authenticated, how would i do that.



In Debian, you'd find a PAM module for the authentication method you
cared about, install it, and put an appropriate reference in the
appropriate /etc/pam.d file(s).  Otherwise, "change the source".

What methods are good for providing 1 central repository of
authentication stuff os that you don't need to spread around passwords
and thus end up with having to change several sources when a user is
deleted for instance.



I think both Kerberos and RADIUS are "single sign-on" protocols: when
you log on you get some sort of authentication token, which you can
use to talk to other services without typing a password.  I know much
more about Kerberos, so I'll talk about that.  I think it should be
possible using only what's included in Debian to assemble
infrastructure that gets Kerberos tickets on login (via PAM), and then
you have mail services (Kerberos/SASL IMAP), a filesystem (OpenAFS),
and passwordless ssh (ssh-krb5).  User passwords are only stored one
place (the Kerberos KDC), and once they've logged in they never need
to type their password again.

Even given this, you still need some way of distributing the (public)
information in /etc/passwd.  I think LDAP is good for this.

Is it possible to use such an authentication scheme for NIS/Samba? Ihave 8 workstations (all running Sid) that connect to a Woody serverwhich runs NIS/NFS/Samba. Sometimes the researchers like to bring intheir laptops (which all run Windoze) and get at their homedirs. What Idid was to manually enter each user into Samba and set them a differentpassword. I looked into several possibilities (like using LDAP/MySQL asan authentication source for both), but none of those were particularlygood or easy to setup. I wonder if this might be a possibility.


-Roberto

Attachment: pgpKYPdWOIzhS.pgp
Description: PGP signature

Reply to:

References:
- pam and other authentication methods
  - From: Benedict Verheyen <linux4bene@pandora.be>
- Re: pam and other authentication methods
  - From: David Z Maze <dmaze@debian.org>

Prev by Date: Re: Multi-user Debian
Next by Date: usb mouse stopped working
Previous by thread: Re: pam and other authentication methods
Next by thread: Re: pam and other authentication methods
Index(es):
- Date
- Thread