[ale] How do you deal with SSO at home?

Jim Kinney jim.kinney at gmail.com
Wed Dec 13 17:16:43 EST 2017


On Wed, 2017-12-13 at 16:53 -0500, DJ-Pfulio via Ale wrote:
> Last time I looked into FreeIPA, the code port to debian had stalled.
> Seems that a few of the 500 different projects, all using different
> programming languages, had failed to port to Debian. 

Releases/4.5.2
Released 2017-06-18
Highlights in 4.5.2
 *  5860: deprecate --no-sssd option

Option '--no-sssd' has been deprecated because SSSD is recommended for
use on modern platforms - Fedora, RHEL 6, RHEL 7, Debian.  <-- Still in
the mix :-)
I _don't_ see precompiled binaries so non-rpm is a second-class release
issue.
> Ok, I jest, but FreeIPA is one of those typical "enterprisy" solutions
> from RH that was built using 70 other projects, each with a different
> idea of what is best.

Oh yeah :-) It glued some jboss web stuff onto a pile of backend things:
389DS, bind (yeah, it uses bind for DNS), Kerberos, ssh, and the openssl
certificate management tool Dogtag.
> Introducing Cent here is not gonna happen, but thanks.  I'd rather roll
> my own LDAP GUI.  I don't remember any issues using ssh with LDAP auth
> on Ubuntu. It has been a few years, but it "just worked" by setting up
> PAM correctly.
ssh works fine with LDAP backend for passwords with typical PAM setup.
The ssh change in CentOS added an LDAP lookup for ssh pub_key. That's a
special patch from a while back. Not sure if it's in openssh outside of
the RPM world.
Check out Apache Directory Server:
http://directory.apache.org/apacheds/downloads.html
Of course, being an Apache project, it's written in Java.
> 
> On 12/13/2017 04:34 PM, Jim Kinney wrote:
> > Take a look at FreeIPA. It uses LDAP for storage and Kerberos for
> > authentication. The sss daemon handles comms with the server. The server
> > can be replicated rather easily.
> > 
> > There's a web gui for running it as well as a very potent cli backend
> > for scripting needs. It can be as simple as just making sure the same
> > password is on all systems or as complicated as Fred can only access the
> > storage machine at 2pm on Tuesdays. By "joining" a machine to the
> > service it now runs local auth then sss auth for users and anything else
> > you choose. I have some sudo processes handled by it (Fred can use a
> > certain sudo operation on a certain machine and a different operation on
> > a different machine and it's all handled through the replicated
> > service). When users push their ssh pub key to their data page, it can
> > be used to authenticate to any machine in the network (there's a patched
> > sshd that uses an LDAP lookup for the authorized_keys).
> > 
> > I ran a primary server off a VM and a backup server off an old desktop
> > for about 100+ users. Client support is solid for Debian and Ubuntu (the
> > sshd patch I don't know about outside of rpm-world) as well as CentOS
> > and Fedora of course. The server install is easy on CentOS (RedHat calls
> > it IDM server). I've not looked to see if Debian server code is just a
> > tarball or a real package set.
> > 
> > On Wed, 2017-12-13 at 20:46 +0000, Lightner, Jeffrey via Ale wrote:
> > > I wasn't aware of the lack of a Linux server for NIS+.   As noted
> > > I've not used NIS+ and it has been years since I used
> > > NIS.   Apparently even the client support development was stopped
> > > in 2012:
> > > http://www.linux-nis.org/nisplus/
> > > 
> > > 
> > > -----Original Message-----
> > > From: Ale [mailto:ale-bounces at ale.org] On Behalf Of DJ-Pfulio via
> > > Ale
> > > Sent: Wednesday, December 13, 2017 3:21 PM
> > > To: Atlanta Linux Enthusiasts
> > > Subject: Re: [ale] How do you deal with SSO at home?
> > > 
> > > On 12/13/2017 02:14 PM, Lightner, Jeffrey wrote:
> > > > I thought NIS+ solved the issues of original NIS. I've never used
> > > > NIS+ so wouldn't swear to it. 
> > > 
> > > 
> > > NIS+ clients are free.  NIS+ server is Solaris only. That's a deal
> > > breaker for me.  Need a Linux-based solution, prefer Ubuntu
> > > Server or Debian.  RHEL/CentOS is a big ask for 1 part of an
> > > existing infrastructure.
> > > 
> > > I need a mix of POSIX and web authentication.  Shared storage is
> > > server-to-server, not user-to-server, so I don't need that.
> > > 
> > > I've used LDAP previously, using Zimbra (with openldap) as the
> > > source DB for everything.  Zimbra updates over the years broke
> > > that integration and I'm unwilling to deal with those hassles
> > > anymore.
> > > 
> > > Rant reply - people with just a few email addresses don't have
> > > much hope for security. Certainly you should never use the same
> > > email for your bank and **any** other accounts.  Same for Amazon.
> > > Same for your broker.
> > > Same for your 401(k) provider.  So that means most professional
> > > people here need at least 6 email addresses if you add in a
> > > social account and work.
> > > 
> > > I liked how NIS worked, but I just can't take those security
> > > risks today.  It is a different world.
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
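
Added note and example, not part of the thread above. The LDAP lookup
for authorized_keys that the thread attributes to a patched sshd does not
need a vendor patch any more: stock OpenSSH has had AuthorizedKeysCommand
since 6.2, and the sssd packages ship a helper for exactly this job, so on
Debian, Ubuntu or CentOS alike the sshd_config side is just

    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser nobody

(the helper's path is assumed here; check where your distro puts it).
The script below is my own example of the glue for that role when you
run plain LDAP rather than sssd: it reads ldapsearch LDIF output for a
user's sshPublicKey attribute (the attribute FreeIPA uses; the host name,
base DN and user "fred" are made up), copes with the two LDIF features
ldapsearch actually emits (folded continuation lines and "::" base64
values), and validates each key's structure before printing it for sshd,
dropping anything that does not parse as an OpenSSH public key. The
sample LDIF is constructed inline so the script runs offline.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): turn LDAP-stored ssh public keys
into authorized_keys lines for sshd's AuthorizedKeysCommand.

Input is LDIF on stdin, as produced by e.g.
  ldapsearch -LLL -x -H ldaps://ipa.example.test \\
      -b cn=users,cn=accounts,dc=example,dc=test "(uid=$1)" sshPublicKey
(host and base DN are assumptions for the example)."""
import base64
import binascii
import struct
import sys

# Key types this helper will pass on to sshd (a policy choice for the example).
ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_ldif(text):
    """Return (attribute, value) pairs from LDIF text, handling the two
    features ldapsearch output uses: continuation lines (a leading space
    joins the line onto the previous one) and '::' for base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    pairs = []
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        pairs.append((name, value))
    return pairs


def valid_pubkey(entry):
    """Accept a key only if it is structurally what sshd expects: a known
    type, a strictly decodable base64 blob, and an embedded type string that
    matches the declared one. Anything else is dropped, not handed on."""
    parts = entry.split(None, 2)          # type, base64 blob, optional comment
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])  # wire format: uint32 length + type
    return blob[4:4 + n] == parts[0].encode("ascii") and len(blob) > 4 + n


def authorized_keys(ldif_text):
    """sshPublicKey values from the LDIF that pass validation, in order."""
    return [v for a, v in parse_ldif(ldif_text)
            if a == "sshPublicKey" and valid_pubkey(v)]


# --- constructed sample data (not a real user or key) -----------------------
def make_key(ktype, keylen):
    """Build a key string whose blob has the right wire-format framing."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode("ascii")
            + struct.pack(">I", keylen) + bytes(keylen))
    return f"{ktype} {base64.b64encode(blob).decode('ascii')}"


GOOD_KEY = make_key("ssh-ed25519", 32)
SAMPLE_LDIF = (
    "dn: uid=fred,cn=users,cn=accounts,dc=example,dc=test\n"
    "uid: fred\n"
    f"sshPublicKey: {GOOD_KEY} fred@laptop\n"
    # the same key folded over two lines, as ldapsearch does with long values
    f"sshPublicKey: {GOOD_KEY[:40]}\n {GOOD_KEY[40:]} fred@desktop\n"
    # a base64-encoded attribute value ('::')
    "sshPublicKey:: "
    + base64.b64encode(f"{GOOD_KEY} fred@tablet".encode()).decode() + "\n"
    # garbage pasted into the directory: must be rejected
    "sshPublicKey: ssh-ed25519 not-base64!! junk\n"
    # blob says ssh-rsa but the line claims ssh-ed25519: must be rejected
    f"sshPublicKey: ssh-ed25519 {make_key('ssh-rsa', 8).split()[1]}\n"
)


def main():
    # With no piped input, demonstrate on the constructed sample.
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write("".join(k + "\n" for k in authorized_keys(data)))


if __name__ == "__main__":
    main()
```

To wire it in, point AuthorizedKeysCommand at a small root-owned wrapper
(sshd refuses the command if it is group- or world-writable) that runs
the ldapsearch above with the %u token as the uid and pipes the result
into this script, and keep AuthorizedKeysCommandUser an unprivileged
account so a bug in the lookup cannot become a bug running as root.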