[ale] How do you deal with SSO at home?

DJ-Pfulio DJPfulio at jdpfu.com
Wed Dec 13 16:53:17 EST 2017


Last time I looked into FreeIPA, the code port to Debian had stalled.
Seems that a few of the 500 different projects, all using different
programming languages, had failed to port to Debian.

Ok, I jest, but FreeIPA is one of those typical "enterprisy" solutions
from RH that was built using 70 other projects, each with a different
idea of what is best.

Introducing Cent here is not gonna happen, but thanks.  I'd rather roll
my own LDAP GUI.  I don't remember any issues using ssh with LDAP auth
on Ubuntu. It has been a few years, but it "just worked" by setting up
PAM correctly.



On 12/13/2017 04:34 PM, Jim Kinney wrote:
> Take a look at FreeIPA. It uses LDAP for storage and Kerberos for
> authentication. The sss daemon handles comms with the server. The server
> can be replicated rather easily.
> 
> There's a web gui for running it as well as a very potent cli backend
> for scripting needs. It can be as simple as just making sure the same
> password is on all systems or as complicated as Fred can only access the
> storage machine at 2pm on Tuesdays. By "joining" a machine to the
> service it now runs local auth then sss auth for users and anything else
> you choose. I have some sudo processes handled by it (Fred can use a
> certain sudo operation on a certain machine and a different operation on
> a different machine and it's all handled through the replicated
> service). When users push their ssh pub key to their data page, it can
> be used to authenticate to any machine in the network (there's a patched
> sshd that uses an LDAP lookup for the authorized_keys).
> 
> I ran a primary server off a VM and a backup server off an old desktop
> for about 100+ users. Client support is solid for Debian and Ubuntu (the
> sshd patch I don't know about outside of rpm-world) as well as CentOS
> and Fedora of course. The server install is easy on CentOS (Red Hat calls
> it IdM server). I've not looked to see if Debian server code is just a
> tarball or a real package set.
> 
> On Wed, 2017-12-13 at 20:46 +0000, Lightner, Jeffrey via Ale wrote:
>> I wasn't aware of the lack of a Linux server for NIS+. As noted I've not
>> used NIS+ and it has been years since I used NIS. Apparently even the
>> client support development was stopped in 2012:
>> http://www.linux-nis.org/nisplus/
>>
>>
>> -----Original Message-----
>> From: Ale [mailto:ale-bounces at ale.org] On Behalf Of DJ-Pfulio via Ale
>> Sent: Wednesday, December 13, 2017 3:21 PM
>> To: Atlanta Linux Enthusiasts
>> Subject: Re: [ale] How do you deal with SSO at home?
>>
>> On 12/13/2017 02:14 PM, Lightner, Jeffrey wrote:
>>> I thought NIS+ solved the issues of original NIS. I've never used
>>> NIS+ so wouldn't swear to it. 
>>
>>
>> NIS+ clients are free.  NIS+ server is Solaris only. That's a deal
>> breaker for me.  Need a Linux-based solution, prefer Ubuntu Server or
>> Debian.  RHEL/CentOS is a big ask for 1 part of an existing infrastructure.
>>
>> I need a mix of POSIX and web authentication.  Shared storage is server-to-server, not user-to-server, so I don't need that.
>>
>> I've used LDAP previously, using Zimbra (with openldap) as the source DB for everything.  Zimbra updates over the years broke that integration and I'm unwilling to deal with those hassles anymore.
>>
>> Rant reply - people with just a few email addresses don't have much hope for security. Certainly you should never use the same email for your bank and **any** other accounts.  Same for Amazon. Same for your broker.
>> Same for your 401(k) provider.  So that means most professional people here need at least 6 email addresses if you add in a social account and work.
>>
>> I liked how NIS worked, but I just can't take those security risks today.  It is a different world.
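The ssh public-key lookup Jim describes does not need a patched sshd on a current OpenSSH: sshd's AuthorizedKeysCommand option runs an external program (sssd ships sss_ssh_authorizedkeys for this, and sshd requires AuthorizedKeysCommandUser to be set so the lookup runs unprivileged) and treats whatever that program prints as the user's authorized_keys file. That is the security-relevant point: every attribute value pulled from the directory becomes a trusted line in authorized_keys, so the backend has to validate what it emits. The script below is an added illustration written for this thread, not sssd, FreeIPA or OpenSSH code. It stands in an in-memory dictionary for the LDAP server (the attribute name ipaSshPubKey is FreeIPA's, but the entries are constructed sample data, including deliberately bad ones) and emits only values that are a single, allowed, well-formed key: no embedded newlines that would smuggle extra lines, no option prefixes such as command= coming from the directory, no type mismatch between the text field and the wire-format blob, no truncated ed25519 key.

```python
"""Toy AuthorizedKeysCommand backend, modelled on sshd pulling a user's
public keys out of a directory.  Added example only: the DIRECTORY below is
a constructed in-memory stand-in for an LDAP search result, not a real
sssd/FreeIPA interface."""
import base64
import struct
import sys

# key type -> number of SSH "string" fields that follow the type in the blob
ALLOWED_TYPES = {"ssh-ed25519": 1, "ssh-rsa": 2}


def _read_string(buf: bytes, off: int):
    """Read one RFC 4251 string (uint32 length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def _wire_blob(key_type: str, *fields: bytes) -> str:
    """Build the base64 blob of an OpenSSH public key (used only to construct samples)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode()
    for f in fields:
        raw += struct.pack(">I", len(f)) + f
    return base64.b64encode(raw).decode()


# Constructed sample data (not real keys): a valid ed25519 key plus several
# values an attacker or a sloppy admin could have written into the directory.
GOOD_ED25519 = "ssh-ed25519 " + _wire_blob("ssh-ed25519", bytes(range(32))) + " fred@laptop"
DIRECTORY = {
    "fred": {"ipaSshPubKey": [
        GOOD_ED25519,
        "ssh-rsa " + _wire_blob("ssh-ed25519", bytes(range(32))) + " type-mismatch",
        'command="/bin/sh" ' + GOOD_ED25519,          # options belong to local policy, not the directory
        GOOD_ED25519 + "\nssh-rsa AAAA injected",      # one value must never become two lines
        "ssh-ed25519 not*base64 corrupt",
        "ssh-ed25519 " + _wire_blob("ssh-ed25519", bytes(16)) + " short-key",
    ]},
    "mallory": {"ipaSshPubKey": ["ssh-dss " + _wire_blob("ssh-dss", b"\x00" * 4) + " legacy"]},
}


def validate_pubkey(value: str):
    """Return 'type base64 comment' if value is exactly one well-formed allowed key, else None."""
    if "\n" in value or "\r" in value:
        return None
    parts = value.strip().split(None, 2)
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:        # also rejects option prefixes and legacy ssh-dss
        return None
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded, off = _read_string(blob, 0)
        fields = []
        for _ in range(ALLOWED_TYPES[key_type]):
            field, off = _read_string(blob, off)
            fields.append(field)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return None
    if off != len(blob) or embedded != key_type.encode():
        return None                          # trailing garbage or text type != blob type
    if key_type == "ssh-ed25519" and len(fields[0]) != 32:
        return None
    return " ".join(p for p in (key_type, b64, comment) if p)


def authorized_keys_for(user: str, directory=DIRECTORY):
    """Lines sshd would accept for user: only validated directory values, in order."""
    entry = directory.get(user)
    if entry is None:
        return []
    keys = []
    for value in entry.get("ipaSshPubKey", []):
        line = validate_pubkey(value)
        if line is not None:
            keys.append(line)
    return keys


if __name__ == "__main__":
    # sshd passes the login name as the first argument when run as AuthorizedKeysCommand
    print("\n".join(authorized_keys_for(sys.argv[1] if len(sys.argv) > 1 else "fred")))
```

Run it as "python3 script.py fred" and only the first, valid entry is printed; everything else in fred's entry and mallory's ssh-dss key is dropped silently, which is the right default for a program whose output sshd trusts. In a real deployment the same property comes from sss_ssh_authorizedkeys plus sssd's own LDAP/Kerberos channel; the point of the toy is that the filtering step, not the lookup, is what keeps a writable directory attribute from turning into arbitrary authorized_keys content.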