[ale] How do you deal with SSO at home?

Jim Kinney jim.kinney at gmail.com
Wed Dec 13 16:34:50 EST 2017


Take a look at FreeIPA. It uses LDAP for storage and Kerberos for
authentication. The sss daemon handles comms with the server. The
server can be replicated rather easily.
There's a web GUI for running it as well as a very potent CLI backend
for scripting needs. It can be as simple as just making sure the same
password is on all systems or as complicated as Fred can only access the
storage machine at 2pm on Tuesdays. By "joining" a machine to the
service it now runs local auth then sss auth for users and anything
else you choose. I have some sudo processes handled by it (Fred can use
a certain sudo operation on a certain machine and a different operation
on a different machine and it's all handled through the replicated
service). When users push their ssh pub key to their data page, it can
be used to authenticate to any machine in the network (there's a
patched sshd that uses an LDAP lookup for the authorized_keys).
I ran a primary server off a VM and a backup server off an old desktop
for about 100+ users. Client support is solid for Debian and Ubuntu
(the sshd patch I don't know about outside of rpm-world) as well as
CentOS and Fedora of course. The server install is easy on CentOS
(Red Hat calls it IdM server). I've not looked to see if Debian server
code is just a tarball or a real package set.

On Wed, 2017-12-13 at 20:46 +0000, Lightner, Jeffrey via Ale wrote:
> I wasn't aware of the lack of a Linux server for NIS+.   As noted
> I've not used NIS+ and it has been years since I used
> NIS.   Apparently even the client support development was stopped in
> 2012:
> http://www.linux-nis.org/nisplus/
> 
> 
> -----Original Message-----
> From: Ale [mailto:ale-bounces at ale.org] On Behalf Of DJ-Pfulio via Ale
> Sent: Wednesday, December 13, 2017 3:21 PM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] How do you deal with SSO at home?
> 
> On 12/13/2017 02:14 PM, Lightner, Jeffrey wrote:
> > I thought NIS+ solved the issues of original NIS.  I've never used
> > NIS+ so wouldn't swear to it.
> 
> NIS+ clients are free.  NIS+ server is Solaris only. That's a deal
> breaker for me.  Need a Linux-based solution, prefer Ubuntu Server or
> Debian.  RHEL/CentOS is a big ask for 1 part of an existing
> infrastructure.
> 
> I need a mix of POSIX and web authentication.  Shared storage is
> server-to-server, not user-to-server, so I don't need that.
> 
> I've used LDAP previously, using Zimbra (with openldap) as the source
> DB for everything.  Zimbra updates over the years broke that
> integration and I'm unwilling to deal with those hassles anymore.
> 
> Rant reply - people with just a few email addresses don't have much
> hope for security. Certainly you should never use the same email for
> your bank and **any** other accounts.  Same for Amazon. Same for your
> broker.
> Same for your 401(k) provider.  So that means most professional
> people here need at least 6 email addresses if you add in a social
> account and work.
> 
> I liked how NIS worked, but I just can't take those security risks
> today.  It is a different world.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
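An added example, not part of Jim's post and not FreeIPA's own code: a small POSIX shell script that checks a client after it has been joined for the two things the post relies on, that passwd, group and sudoers resolve local files first and then sssd ("files sss"), and that sshd fetches a user's authorized keys from the directory through sssd. It assumes the default file locations and that the key lookup is wired in through sshd's AuthorizedKeysCommand and sssd's sss_ssh_authorizedkeys helper (how current FreeIPA clients do it; the script cannot tell whether a distro ships a patched sshd instead). The sample configs inside it are constructed, not taken from a real host. The ipa commands in the header comment are real FreeIPA CLI subcommands, but the user, host and command names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the post: sanity checks for a machine after
# ipa-client-install has "joined" it. Two things the post relies on are
# verified: name services and sudoers consult local files first and then
# sssd ("files sss"), and sshd asks sssd for a user's authorized keys
# (AuthorizedKeysCommand, the mechanism current sssd clients use instead of
# a patched sshd). File paths are the usual defaults and are an assumption.
#
# Server side, for reference only (run by an admin holding a Kerberos
# ticket; the user, host and command names are hypothetical):
#   ipa user-mod fred --sshpubkey="$(cat ~/.ssh/id_ed25519.pub)"
#   ipa sudocmd-add /usr/bin/systemctl
#   ipa sudorule-add storage-admins
#   ipa sudorule-add-user storage-admins --users=fred
#   ipa sudorule-add-host storage-admins --hosts=storage.home.test
#   ipa sudorule-add-allow-command storage-admins --sudocmds=/usr/bin/systemctl

# Return 0 when passwd, group and sudoers in FILE each list "files" before "sss".
check_nsswitch() {
    file=$1
    for db in passwd group sudoers; do
        awk -v db="$db:" '
            $1 == db {
                files_first = 0; sss_seen = 0
                for (i = 2; i <= NF; i++) {
                    if ($i == "files" && !sss_seen) files_first = 1
                    if ($i == "sss") sss_seen = 1
                }
                ok = (files_first && sss_seen)
            }
            END { if (ok) exit 0; exit 1 }' "$file" ||
            { echo "nsswitch: '$db' must list files before sss" >&2; return 1; }
    done
    return 0
}

# Return 0 when FILE makes sshd fetch keys through sssd as an unprivileged user.
check_sshd_config() {
    file=$1
    cmd=$(awk 'tolower($1) == "authorizedkeyscommand" { print $2; exit }' "$file")
    user=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; exit }' "$file")
    case "$cmd" in
        */sss_ssh_authorizedkeys) ;;
        *) echo "sshd: AuthorizedKeysCommand should be sss_ssh_authorizedkeys, got '${cmd:-none}'" >&2
           return 1 ;;
    esac
    # sshd refuses AuthorizedKeysCommand without a user, and that user should never be root.
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "sshd: AuthorizedKeysCommandUser must be set to an unprivileged user" >&2
        return 1
    fi
    return 0
}

# Run check function FN against CONTENT written to a temp file; returns FN's status.
check_inline() {
    fn=$1; content=$2
    tmp=$(mktemp) || return 2
    printf '%s\n' "$content" > "$tmp"
    if "$fn" "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample configs (not captured from a real host).
GOOD_NSSWITCH='passwd:  files sss
group:   files sss
sudoers: files sss
hosts:   files dns'
BAD_NSSWITCH='passwd:  sss files
group:   files
sudoers: files'
GOOD_SSHD='PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody'
BAD_SSHD='PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys'

# Usage: sh ipa-client-check.sh /etc/nsswitch.conf /etc/ssh/sshd_config
# With no arguments the constructed samples above are exercised instead.
if [ $# -eq 2 ]; then
    check_nsswitch "$1" && check_sshd_config "$2" && echo "client checks passed"
else
    check_inline check_nsswitch "$GOOD_NSSWITCH" && echo "good nsswitch: pass"
    check_inline check_nsswitch "$BAD_NSSWITCH" || echo "bad nsswitch: rejected as expected"
    check_inline check_sshd_config "$GOOD_SSHD" && echo "good sshd_config: pass"
    check_inline check_sshd_config "$BAD_SSHD" || echo "bad sshd_config: rejected as expected"
fi
```

The "files before sss" ordering matters for the failure mode Jim describes (local auth first, then sss): with it, root and any break-glass local account still resolve when the IPA servers are unreachable. The sudoers line is the one most often forgotten; without "sudoers: files sss" the replicated sudo rules are simply never consulted on that host.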