Centralized Authentication Problem - Not exactly NIS - Not exactly Kerberos

Post by Davi » Tue, 18 Jun 2002 13:55:31
I will break this question down:

Problem - Find a solution that allows system admins access to EVERY
server on the network, BUT still leave the master.passwd in place for
customer logins.

Currently, I have about 1000+ servers (all FreeBSD) under my team's
care.   The network has grown over a 3 year period of time and, at the
time, no thought was given to the fact that maintaining user accounts
on 1000 would become a nightmare.

Each server has approx. 3 logins:
1.   A normal tech login (no su - non-wheel) - for observation
2.   user 0 login (root)
3.   Customer Login (The person who actually has their data and
websites) - Usually has NO su capabilities

Because of the number of servers and existing usernames, it would be
difficult to bring everyone into a NIS setup.  Additionally, it would
seem too cumbersome because, other than admins, each username only
needs to access one machine.

I investigated Kerberos, but I do not feel comfortable having more and
more daemons running, i.e. future security holes and having to update
1000+ machines if another Kerberos hole pops up.

Here is what I am looking for:

1.  A system that will allow the normal master.passwd to control all
users that are currently entered into, BUT sync users off of a master
server for admin accounts.

2.  The ability to nuke the admin accounts off of all the servers
quickly in the case of an employee termination (took 1 day previously
to clean the servers of one admin's login).  This eliminates user
accounts on each server and SSH certs...

3.  SECURE


Centralized Authentication Problem - Not exactly NIS - Not exactly Kerberos

Post by Erik Nygren » Wed, 19 Jun 2002 04:45:02


> I investigated Kerberos, but I do not feel comfortable having more and
> more daemons running.  i.e. Future security holes and having to update
> 1000+ machines if another kerberos hole pops up.

You want Kerberos, honest! Maybe you can ditch ssh instead, and get no
extra daemons :)
Kerberos (at least Krb4/KTH-Ebones) works very well from inetd and can
have TCP-wrappers, so that the risk is minimized if a hole pops up.
Haven't been that many serious holes either last year, have there?

> Here is what I am looking for:

> 1.  A system that will allow the normal master.passwd to control all
> users that are currently entered into, BUT sync users off of a master
> server for admin accounts.

Should be easy enough to script a sync routine that ignores uids
above, say, 1000.

> 2.  The ability to nuke the admin accounts off of all the servers
> quickly in the case of an employee termination (took 1 day previously
> to clean the servers of one admin's login).  This eliminates, user
> accounts on each server and SSH certs...

Should be easy to script.

> 3.  SECURE

You really want Kerberos... It does it all.

--
Erik Nygren
e r i k { a t } s w i p { d o t } n e t
Linux - If you hate Microsoft, FreeBSD - If you love Unix
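The sync routine and the quick revocation that the reply says should be easy to script, as an added sketch in POSIX sh (not code from the thread or from any FreeBSD tool): entries with a uid below 1000 are admin accounts owned by the master copy, entries at or above 1000 are local customer accounts and are left alone, an admin removed from the master is dropped on the next run, and the merge refuses to run if an admin login name collides with a local customer name. The 1000 cutoff, the file paths and the sample entries are assumptions or constructed for the demo.

```sh
#!/bin/sh
# Sync admin accounts from a master password file into a server's master.passwd
# (added example, not from the thread). Convention from the reply: uids below
# ADMIN_UID_MAX are admin/system accounts owned by the master copy; uids at or
# above it are local customer accounts and are never touched. An admin removed
# from the master disappears on the next run; root's hash follows the master.
ADMIN_UID_MAX=${ADMIN_UID_MAX:-1000}

# name_clashes MASTER LOCAL: login names that are admin in MASTER but customer
# in LOCAL. Merging such a pair would leave two entries under one name.
name_clashes() {
    awk -F: -v max="$ADMIN_UID_MAX" '
        FILENAME == ARGV[1] { if ($3 + 0 < max) admin[$1] = 1; next }
        $3 + 0 >= max && ($1 in admin) { print $1 }
    ' "$1" "$2"
}

# revoked_admins MASTER LOCAL: admin logins present in LOCAL but gone from
# MASTER, i.e. what the next sync deletes (worth logging on each server).
revoked_admins() {
    awk -F: -v max="$ADMIN_UID_MAX" '
        FILENAME == ARGV[1] { if ($3 + 0 < max) keep[$1] = 1; next }
        $3 + 0 < max && !($1 in keep) { print $1 }
    ' "$1" "$2"
}

# sync_passwd MASTER LOCAL OUTPUT: write the merged file to OUTPUT. On FreeBSD
# the caller then installs it with pwd_mkdb -p /etc/master.passwd.
sync_passwd() {
    if [ -n "$(name_clashes "$1" "$2")" ]; then
        echo "refusing to merge: admin/customer login name clash" >&2
        return 1
    fi
    awk -F: -v max="$ADMIN_UID_MAX" '
        FILENAME == ARGV[1] { if ($3 + 0 < max) print; next }   # admin entries
        $3 + 0 >= max { print }                                  # customer entries
    ' "$1" "$2" > "$3"
}
# Demo on constructed sample entries (placeholder hashes): run with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' 'root:$6$new:0:0::0:0:root:/root:/bin/sh' \
        'alice:$6$a:500:500::0:0:Admin:/home/alice:/bin/sh' > "$d/master"
    printf '%s\n' 'root:$6$old:0:0::0:0:root:/root:/bin/sh' \
        'bob:$6$b:501:501::0:0:Ex-admin:/home/bob:/bin/sh' \
        'cust1:$6$c:1001:1001::0:0:Customer:/home/cust1:/bin/sh' > "$d/local"
    echo "revoking: $(revoked_admins "$d/master" "$d/local")"
    sync_passwd "$d/master" "$d/local" "$d/merged" && cat "$d/merged"
    rm -rf "$d"
fi
```

Run the same script from a central host over every server (for example pushing the master file and invoking it via the existing admin ssh access), and an admin's entry vanishes from all of them in one pass instead of a day of hand cleanup.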

