
Re: pam and other authentication methods



Benedict Verheyen <linux4bene@pandora.be> writes:

> On Sun 28-09-2003, at 00:45, David Z Maze wrote:
>
>> I think both Kerberos and RADIUS are "single sign-on" protocols: when
>> you log on you get some sort of authentication token, which you can
>> use to talk to other services without typing a password.
>
> This sounds like a much more integrated system and easier to maintain. I
> cannot see a sysadmin juggling all those user passwords for different
> programs. Do production-type servers use Kerberos or RADIUS more than
> PAM?

MIT's Athena computing environment generally uses a patched /bin/login
binary, I think, and generally doesn't do much with PAM, though some
people have successfully used PAM to let people with Athena accounts
log in on their private Debian machines.  The one hard problem that I
don't know of a good way to deal with is having a synchronized set of
user accounts: when someone gets a new account, they need a password
entry, a Kerberos principal, an AFS principal, a home directory, and
possibly other things, and when their account goes away these things
need to vanish.  MIT has a special glue layer that does this, but it's
not terribly pretty.

A couple of years ago a group of people (MIT/SIPB/Debian folk, mostly)
were working on prepackaged infrastructure to do this; look at
http://www.boxedpenguin.com/.  As far as I know, it's mostly fallen by
the wayside at this point, but it might be useful to look at.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
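The "synchronized set of user accounts" problem described in the message (a passwd entry, a Kerberos principal, an AFS principal and a home directory that must all appear together and all vanish together) is usually caught with a periodic reconciliation check rather than by trusting the glue layer. The script below is an added example, not code from the message, from MIT Athena or from boxedpenguin; it assumes four stores named after the artifacts the message lists, treats the passwd entry as the authoritative record of who should exist, and works on constructed in-memory snapshots. Collecting the real snapshots (from getent, kadmin, pts, and a directory listing) is a hypothetical step that is not shown.

```python
"""Reconcile account state across the four stores the message names.

Each snapshot is a set of usernames present in one store.  The passwd
entry is taken as authoritative: a user in passwd but not everywhere
else is "partial" (provisioning incomplete); a user who has left passwd
but still has state elsewhere is "stale" (deprovisioning incomplete,
the case the message worries about, since leftover principals still
authenticate).
"""
from typing import Dict, List, Set

# Order matters only for the stable ordering of the report.
STORES = ("passwd", "kerberos", "afs", "home")
AUTHORITATIVE = "passwd"


def classify(snapshots: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Return {"partial": {user: [missing stores]},
               "stale":   {user: [stores still holding state]}}.

    Users present in every store are fully consistent and not reported.
    """
    everyone = set().union(*snapshots.values())
    partial: Dict[str, List[str]] = {}
    stale: Dict[str, List[str]] = {}

    for user in sorted(everyone):
        present = [s for s in STORES if user in snapshots.get(s, set())]
        if user in snapshots.get(AUTHORITATIVE, set()):
            missing = [s for s in STORES if s not in present]
            if missing:
                partial[user] = missing
        else:
            # No passwd entry, yet something else still knows this user.
            stale[user] = present

    return {"partial": partial, "stale": stale}


def format_report(result: Dict[str, Dict[str, List[str]]]) -> str:
    """Render the classification as one line per finding."""
    lines = []
    for user, missing in result["partial"].items():
        lines.append(f"PARTIAL {user}: missing {', '.join(missing)}")
    for user, leftover in result["stale"].items():
        lines.append(f"STALE   {user}: leftover {', '.join(leftover)}")
    return "\n".join(lines) if lines else "all accounts consistent"


# Constructed sample snapshots (not real account data).
SAMPLE: Dict[str, Set[str]] = {
    "passwd":   {"alice", "bob", "carol"},
    "kerberos": {"alice", "bob", "dave"},
    "afs":      {"alice", "bob", "dave"},
    "home":     {"alice", "carol", "dave"},
}

if __name__ == "__main__":
    print(format_report(classify(SAMPLE)))
```

On the sample, alice is consistent, bob is missing a home directory, carol has a passwd entry but no Kerberos or AFS principal, and dave has been removed from passwd while his principals and home directory remain. That last category is the one worth alerting on, because the leftover Kerberos principal is still a valid credential even though the account is nominally gone.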
