[953] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: [linux-security] Alternative to NIS

daemon@ATHENA.MIT.EDU (Edward S. Marshall)
Thu Jul 25 04:37:08 1996

Date: Wed, 24 Jul 1996 21:14:05 -0500 (CDT)
From: "Edward S. Marshall" <emarshal@common.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199607241543.RAA04705@i17linuxb.ists.pwr.wroc.pl>

Marek Michalkiewicz:
> Eric M. Boyd:
> > Everywhere I look security wise, people say to stay away from NIS because
> > it's very insecure, and that NIS+ isn't much better.  Does anyone have any
> > suggestions as to a replacement to use?  I want to make sure my site is
> > secure, but it's really a hassle to individually add a user to each
> > machine, or ask a user to change their password on each machine they use.  
> 
> Here is one suggestion: use rdist to update the /etc/passwd and
> /etc/shadow files on each machine from the "server" machine (where
> users change their passwords).  rdist should be run after any changes
> have been made, and/or periodically from a cron job.  By default,
> rdist uses rsh to transfer files - not very secure, but it can be
> modified to use ssh (ftp://ftp.cs.hut.fi/pub/ssh/) instead.

One problem with this approach is that you can't (simply) restrict access
for particular users on particular systems.  Ideally, here's what I'd like
to do: (Please excuse the crude drawings...:-)

        +--------------+
        |   Central    |
        |Authentication|
        |    Server    |          +-----------------+
        +------+-------+          | Terminal Server |
               |                  +---------+-------+
               |                            |
    |---+------+----+----------------+------+------+------------+---|
        |           |                |             |            |
  +-----+----+ +----+------+ +-------+---+ +-------+--+   +-----+--+
  |Shell Host| |File Server| | Mail Host | | WWW Host |   | Router |
  +----------+ +-----------+ +-----------+ +----------+   +--------+

Basically, a typical ISP setting, except that I'd like to centrallize all
authentication services on a single server, as above.  Basically, any
login attempts are checked with the central server (via telnet, rlogin,
ftp, etc).  I'd like to be able to do getpw*() lookups without change, and
basically have the calls fail when the user is denied access to "log in"
by whatever specific means failed on a specific host.

I.e. Jack is allowed to telnet to the shell host, retrieve pop mail from
the mail host, and upload web pages to the www host via ftp.  He cannot
log in at all to the file server, authentication server, terminal server,
or router (assuming these are all linux systems :-).  Is there enough
software support available to be able to do this right now with any
authentication scheme?  If so, could someone provide some pointers?  I've
read up a bit on Kerberos, and it sounds like a good alternative, but I
don't know enough about the practical side of implementation (i.e. what
support is available, what will I have to do myself, etc).

Basically, I'm just out for pointers to authentication schemes which allow
me to selectively control access to services from a central server (I
believe someone else on this list mentioned "The fool says: don't put all
your eggs in one basket.  The wise man says: put all your eggs in one
basket, and WATCH THAT BASKET." :-).

--
.-----------------------------------------------------------------------------.
| Edward S. Marshall <emarshal@common.net> | CII Technical Administrator,     |
| http://www.common.net/~emarshal/         | Vice-President, Common Internet  |
| Finger for PGP public key.               | Inc, and Linux & LPmud (ab)user. |
`-----------------------------------------------------------------------------'

home help back first fref pref prev next nref lref last post