[sclug] Centralised Authentication
John Stumbles
john at stumbles.org.uk
Mon Oct 31 16:46:25 UTC 2005
Peter Brewer wrote:
> Ok, so LDAP is definitely the 'proper' way to do it, but I'm intrigued
> by David's solution. I know that it is slightly less than conventional,
> but if it works what are the drawbacks? From what I've read, the LDAP
> approach is far from simple. We're talking about managing a dozen
> machines here, not an entire lab full - isn't LDAP a hammer to crack a nut?

For a group of machines isolated from the Big Bad Internet and from
untrustworthy users it's fine, but it'd be vulnerable from a security
pov in a hostile environment. If you're just exporting/mounting
/etc/passwd that implies you're not using shadow passwords so the passwd
hashes are in /etc/passwd which can be sniffed from the network or read
by a user on any of the client machines (and then subjected to a
crack/jack/john attack).

I'm sure all sorts of other 'interesting' attacks would be possible too :-)

--
John Stumbles
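
A check an administrator could run against the shared file, added here as an example and not part of the original post: it reports every entry whose password field holds a hash (or nothing at all) instead of the shadow placeholder `x`. The sample file, its account names and its hash-shaped strings are constructed; `classify` and `audit_passwd` are hypothetical helper names.

```python
import re

# Constructed sample in passwd(5) format; the hash-shaped strings are made up.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:ab1Cd2Ef3Gh4I:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$saltsalt$0123456789abcdefghijkl:1001:1001:Bob:/home/bob:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
guest::1002:1002:Guest:/home/guest:/bin/bash
"""

MCF = re.compile(r"^\$([0-9a-z]+)\$")     # modular crypt format: $id$salt$hash
DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt

def classify(field):
    """Classify the second (password) field of a passwd entry."""
    if field == "":
        return "EMPTY"                    # login with no password at all
    if field == "x":
        return "shadowed"                 # hash is kept in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"                   # no password login possible
    m = MCF.match(field)
    if m:
        return "HASH:" + m.group(1)       # e.g. HASH:1 (MD5), HASH:6 (SHA-512)
    if DES.match(field):
        return "HASH:des"
    return "unknown"

def audit_passwd(text):
    """Return (line_no, user, verdict) for entries exposing password data."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#+-":  # skip comments and NIS compat entries
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((n, parts[0], "malformed"))
            continue
        verdict = classify(parts[1])
        if verdict not in ("shadowed", "locked"):
            findings.append((n, parts[0], verdict))
    return findings

if __name__ == "__main__":
    for n, user, verdict in audit_passwd(SAMPLE):
        print(f"line {n}: {user}: {verdict}")
```

Any `HASH:` or `EMPTY` finding means the world-readable file itself carries the credential material, which is the situation the reply describes.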