Date: Tue, 18 Oct 2005 09:09:06 -0600 From: Tillman Hodgson <tillman@seekingfire.com> To: Francisco <francisco@natserv.net> Cc: freebsd-isp@freebsd.org Subject: Re: Distributed authentication. Which one? Message-ID: <20051018150906.GJ33270@seekingfire.com> In-Reply-To: <20051018103540.K28109@zoraida.natserv.net> References: <20051012234337.K63956@zoraida.natserv.net> <57416b300510142221r2c3da329o65d54cb0aa04fc73@mail.gmail.com> <20051015133148.P97899@zoraida.natserv.net> <18f601940510151547ka3573f8v2f0633010ad2874f@mail.gmail.com> <20051016010251.R90770@zoraida.natserv.net> <20051017203353.GF33270@seekingfire.com> <20051018103540.K28109@zoraida.natserv.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Oct 18, 2005 at 10:37:53AM -0400, Francisco wrote: > On Mon, 17 Oct 2005, Tillman Hodgson wrote: > > >It has some interoperability and security issues. They're solvable, IMO. > > Thanks for the feedback. > > I guess a good test is to ask.. what would you use? :-) On a meta-network (http://metanetwork.seekingfire.com/wiki.pl) we've used Kerberos with cross-realm trusts in combination with NIS providing the meta information (preferred shell, etc) for "users in common" (non-local). It maps well to multiple administrative domains. On purely local networks where the number of users are low (a few dozen at most), I like using something like cfengine to simply keep all local user databases in sync. I then use Kerberos (preferred) or sudo to break out root-like powers in an auditable way. I'm a fan of IPsec transport mode with the blowfish algorithm and compression turned on -- it's "good enough" security for my needs and can actually /increase/ the effective bandwidth (I've posted the results of a Sun Ultra5 and a few Intel box to FreeBSD mailing lists in the past, ithe archives should have them somewhere). The fact that it makes using traditional RPC services a bit more secure is merely a bonus :-) > >For example, most of the security concerns can be addressed with a > >combination of transport-mode IPsec and Kerberos and I avoid inter- > >operability issues by avoiding weird implementations of NIS ;-) > > Sounds like more trouble than it's worth. You'll likely find that there's similar issues for any cross-platform solution with decent security. I'd use whatever you can best understand, since anything security related that works but isn't well understood can be a source of future problems. If you grok LDAP, then use LDAP :-) > Right now I am leaning towards Kerberos or LDAP. They're differnet things. Kerberos *and* LDAP is a nice combination. Kerberos is for /authentication/, and authentication only. It doesn't handle meta data (like home dir, shell, group information, etc) and it handles authorization only in passing and not in a finely-grained manner (via .k5login, basically). It does authentication exceedingly well and that's what I consider its prime attraction. So when considering Kerberos it generally makes sense to design the user management system to be Kerberos + $somthing_else. The $something_else provides the meta-data, group information and authorization pieces of the puzzle. This isn't as convoluted as it sounds. Take web services for example -- the required meta data is often different than for local users, but the concept of secure authentication remains the same. Think of it as flexibility rather than complexity. > Need to learn more about them to see their strengths and weaknesses and > how it would fit into our existing extructure. I have a very basic (albeit somewhat old) presentation on Kerberos up at http://www.seekingfire.com/documents/presentations/kerberos_presentation/kerberos.pdf, and a collection of useful links at http://www.seekingfire.com/projects/kerberos/. There's a variety of HOWTOs floating around the net on combining Kerberos with local passwd files, NIS, LDAP, and other user database technologies. There's also the O'Reilly book, which is handy but not as comprehensive as I'd like (http://slashdot.org/comments.pl?sid=139450&cid=11672353 has my original comments archived). -T -- "What are the facts, and to how many decimal places? You pilot always into an unknown future; facts are your only clue. Get the facts!" -- Lazarus Long (_Time Enough for Love_, Robert Heinlein)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051018150906.GJ33270>