[sclug] Centralised Authentication
David Given
dg at cowlark.com
Mon Oct 31 16:11:22 UTC 2005
On Monday 31 October 2005 15:46, Peter Brewer wrote:
> Ok, so LDAP is definitely the 'proper' way to do it, but I'm intrigued
> by David's solution. I know that it is slightly less than conventional,
> but if it works what are the drawbacks? From what I've read, the LDAP
> approach is far from simple. We're talking about managing a dozen
> machines here, not an entire lab full - isn't LDAP a hammer to crack a nut?
Well, the obvious problem with my solution is that it's not in any shape or
form secure --- all the (hashed) passwords are being chucked around the
network via unencrypted NFS, and NFS security is a joke at the best of times.
It would also not play nicely with shadow passwords (you'd have to
export /etc/shadow instead, which rather defeats the whole purpose of shadow
passwords). Perhaps using NFSv4?
Oh, yeah, plus I completely forgot to deal with /etc/group, which you'll also
need to share. Hey, I was a student at the time.
I'm sure that there are a whole load of other non-obvious problems.
(The main reason why I went for such a ghastly approach was --- well, hack
value largely. This network did have an ethernet-equipped PDP11 running BSD
acting as a terminal server. But using NFS also meant that the whole password
sharing system required *no* additional infrastructure over what was already
there; it could all be implemented via /etc/fstab and /etc/exports. No scripts,
no additional processes, no binaries...)
--
+- David Given --McQ-+
| dg at cowlark.com | "When in Rome, leave immediately." --- old dragon
| (dg at tao-group.com) | saying (via Tom Holt, _Nothing But Blue Skies_)
+- www.cowlark.com --+
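As an added example (not part of the original thread or David's setup), a small Python audit that flags the arrangement described above: account files exported or mounted over NFS, and whether the export or mount carries the Kerberos privacy flavour (sec=krb5p), which is the NFSv4 answer to the unencrypted-traffic drawback. The sample /etc/exports and /etc/fstab contents and the host names in it are constructed.

```python
import re

# Files whose exposure over plain NFS is the concern raised in the thread.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/group")

def _clean_lines(text):
    """Strip comments and blank lines from an fstab/exports style file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_exports(text):
    """Yield (path, client, options) for each client entry in /etc/exports."""
    for fields in _clean_lines(text):
        path, clients = fields[0], fields[1:]
        for client in clients:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", client)
            if not m:                          # malformed entry, skip it
                continue
            host = m.group(1) or "*"           # "(ro)" with no host means everyone
            opts = m.group(2).split(",") if m.group(2) else []
            yield path, host, opts

def parse_fstab(text):
    """Yield (source, mountpoint, fstype, options) for each /etc/fstab line."""
    for fields in _clean_lines(text):
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3].split(",")

def audit(exports_text, fstab_text):
    """Return findings: account files served or mounted over NFS, plus a second
    finding when the entry lacks sec=krb5p (only krb5p encrypts the wire;
    sys/krb5/krb5i leave the file contents readable in transit)."""
    findings = []
    for path, host, opts in parse_exports(exports_text):
        if path in SENSITIVE or path == "/etc":
            findings.append(f"export {path} -> {host}: account database leaves the host")
            if "sec=krb5p" not in opts:
                findings.append(f"export {path} -> {host}: no sec=krb5p, sent in clear")
    for src, mnt, fstype, opts in parse_fstab(fstab_text):
        if fstype.startswith("nfs") and mnt in SENSITIVE:
            findings.append(f"mount {mnt} from {src}: account database fetched over NFS")
            if "sec=krb5p" not in opts:
                findings.append(f"mount {mnt} from {src}: no sec=krb5p, sent in clear")
    return findings

# Constructed sample configuration in the spirit of the post (hosts are made up).
SAMPLE_EXPORTS = "/etc/passwd   *(ro)\n/etc/group    lab01(ro,sec=krb5p)\n"
SAMPLE_FSTAB = ("master:/etc/passwd /etc/passwd nfs ro,nfsvers=4 0 0\n"
                "master:/etc/shadow /etc/shadow nfs ro,sec=krb5p 0 0\n"
                "master:/home /home nfs rw 0 0\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, SAMPLE_FSTAB):
        print(finding)
```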