[Novalug] general authentication question
James Ewing Cottrell 3rd
JECottrell3@Comcast.NET
Thu May 12 11:06:30 EDT 2011
No, you don't have to STORE them unencrypted; you have to TRANSMIT
them unencrypted. Which means you have to use TLS/SSL; either STARTTLS
or LDAPS.
When you say "static salt" you are implying the old style BSD modified
DES hash. Linux/PAM/OpenLDAP can use any style hash you want.
But there is a third alternative... use Kerberos for Authentication and
LDAP for the other maps.
If you share your network with Windows folks, you can even authenticate
against Active Directory.
From what I can tell, AD will never export a password, except via
replication to another AD.
Also, AD 2008 has RFC 2307 (NIS LDAP Schema) built right in, so you can
run LDAP against AD to get the passwd/group file maps. If you do this,
one authconfig command will set it up for you.
Just give the whole Identity Management task away and focus on the rest
of the Critical Infrastructure.
JIM
P.S. Sounds like Heresy, but IM is a Big Pain. Even so, make sure your
Critical System Administrator accounts are local passwd/group/shadow
entries and/or put your ssh keys in root's authorized_keys file.
On 5/12/2011 10:20 AM, bidwell wrote:
> People who are running centralized authentication, what are you using?
> I've been trying to configure OpenLDAP but in order to fulfill password
> requirements like length and no reuse it appears I have to do things
> I think are even less secure, like store passwords cleartext or
> use a static salt in encryption.
>
> Matt
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
>
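[Editor's note, added to this archived thread; the following is not code from either poster.] The "static salt or cleartext" dilemma in Matt's question does not actually arise with OpenLDAP's salted schemes: a history/no-reuse check only needs the old salted hashes, because the candidate password can be re-hashed with each stored salt and compared. The script below shows this with the legacy {SSHA} userPassword format (base64 of SHA-1(password + salt) followed by the salt), contrasts it with the unsalted {SHA} form, and runs a minimal length-and-history policy of the kind the ppolicy overlay enforces (pwdMinLength, pwdInHistory). The sample passwords and the policy thresholds are made up for the demonstration. SHA-1 is used here only because that is what {SSHA} is defined as; on a current server prefer {SSHA512} or {CRYPT} with a modern crypt scheme.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SSHA_PREFIX = "{SSHA}"
SHA_PREFIX = "{SHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in {SSHA} is the salt


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: every user with the same password gets the same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt), random salt per entry."""
    if salt is None:
        salt = os.urandom(8)  # fresh salt for every stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} value by re-hashing with its own salt."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def password_reused(candidate: str, history: List[str]) -> bool:
    """No-reuse check over salted hashes: no cleartext and no shared salt needed."""
    return any(ssha_verify(candidate, old) for old in history)


def check_new_password(candidate: str, history: List[str], min_length: int = 12) -> List[str]:
    """Return the list of policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password_reused(candidate, history):
        problems.append("matches a previous password")
    return problems


def demo() -> dict:
    """Walk through the thread's scenario with constructed sample passwords."""
    old_passwords = ["correct horse battery", "staple-2011-spring"]
    # what the directory would actually retain in pwdHistory: salted hashes only
    history = [ssha_hash(p) for p in old_passwords]
    return {
        # two users, same password, unsalted: identical values, cracking one cracks both
        "unsalted_collide": sha_hash("winter2011") == sha_hash("winter2011"),
        # same password, per-entry salt: different stored values
        "salted_differ": ssha_hash("winter2011") != ssha_hash("winter2011"),
        "reuse_rejected": check_new_password("correct horse battery", history),
        "fresh_accepted": check_new_password("an entirely new phrase", history),
        "too_short": check_new_password("short1", history),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the policy question: pwdInHistory-style enforcement works entirely on the stored salted hashes, so the directory never needs cleartext or a fixed salt to reject a reused password, and the transport protection Jim describes (STARTTLS or LDAPS) is still what keeps the password itself off the wire in the clear during the bind.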