[Novalug] general authentication question

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Thu May 12 11:06:30 EDT 2011


No, you don't have to STORE them unencrypted; you have to TRANSMIT 
them unencrypted. Which means you have to use TLS/SSL; either STARTTLS 
or LDAPS.

When you say "static salt" you are implying the old style BSD modified 
DES hash. Linux/PAM/OpenLDAP can use any style hash you want.

But there is a third alternative....use Kerberos for Authentication and 
LDAP for the other maps.

If you share your network with Windows folks, you can even authenticate 
against Active Directory.

From what I can tell, AD will never export a password, except via 
replication to another AD.

Also, AD 2008 has RFC 2307 (NIS LDAP Schema) built right in, so you can 
run LDAP against AD to get the passwd/group file maps. If you do this, 
one authconfig command will set it up for you.

Just give the whole Identity Management task away and focus on the rest 
of the Critical Infrastructure.

JIM

P.S. Sounds like Heresy, but IM is a Big Pain. Even so, make sure your 
Critical System Administrator accounts are local passwd/group/shadow 
entries and/or put your ssh keys in root's authorized_keys file.

On 5/12/2011 10:20 AM, bidwell wrote:
> People who are running centralized authentication, what are you using?
> I've been trying to configure OpenLDAP but in order to fulfill password
> requirements like length and no reuse it appears I have to do things
> I think are even less secure, like store passwords cleartext or
> use a static salt in encryption.
>
> Matt
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
>
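The transport point above (a simple bind over plain LDAP puts the password on the wire in the clear unless STARTTLS or LDAPS is in use, and TLS only helps if the server certificate is actually verified) is easy to check in a client config. The following is an added example, not code from the Novalug thread or from nslcd: it reads an nslcd.conf-style file, understanding only the `uri`, `ssl` and `tls_reqcert` keywords, and reports the settings that leak or weaken the bind. The three sample configurations are constructed for illustration; the host name `ldap.example.test` and the CA file path are placeholders, and the "hard" fallback for a missing `tls_reqcert` is the assumed libldap default.

```python
"""Audit an nslcd.conf-style LDAP client config for cleartext password transport.

Added example (not from the Novalug post, not nslcd's own code). Recognised
keywords: uri, ssl (off | on | start_tls), tls_reqcert (never | allow | try |
demand | hard). Sample configs below are constructed for illustration.
"""
from urllib.parse import urlsplit

WEAK_CONF = """\
# constructed sample: plain LDAP on port 389 with no STARTTLS
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl off
"""

UNVERIFIED_CONF = """\
# constructed sample: TLS is negotiated, but the server certificate is never checked
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl start_tls
tls_reqcert allow
"""

HARDENED_CONF = """\
# constructed sample: STARTTLS with a verified server certificate
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem   # placeholder path
"""


def parse_conf(text):
    """Return {keyword: [value, ...]} for 'keyword value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit(text):
    """Return a list of findings; an empty list means the bind password is protected."""
    conf = parse_conf(text)
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    # Assumed libldap default when tls_reqcert is absent: "hard" (certificate required and verified).
    reqcert = conf.get("tls_reqcert", ["hard"])[-1].lower()
    findings = []
    for uri in conf.get("uri", []):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldapi":
            continue  # Unix-domain socket: the password never leaves the host
        if scheme == "ldap" and ssl_mode != "start_tls":
            findings.append(f"{uri}: simple bind over plain LDAP sends the password in cleartext")
        elif reqcert in ("never", "allow"):
            # TLS is on (ldaps:// or STARTTLS) but an unverified peer can terminate it
            findings.append(f"{uri}: tls_reqcert {reqcert} skips server certificate verification")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("unverified", UNVERIFIED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it as a script to see one finding for each of the two weak configurations and none for the hardened one; `audit()` returns the findings so the same check can be dropped into a configuration test.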
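On the "static salt" worry in the quoted question and the reply that OpenLDAP can use any hash style you want: slapd's salted schemes carry a per-entry random salt inside the stored value, so nothing has to be fixed or shared. The following is an added example, not code from the thread or from OpenLDAP, that builds and verifies values in the `{SSHA}` layout slapd uses for `userPassword` (`"{SSHA}" + base64(sha1(password || salt) || salt)`), and in the same layout for `{SSHA256}`/`{SSHA512}` as provided by the pw-sha2 module. The passwords and the fixed salt used for the reproducibility check are constructed test values.

```python
"""Generate and verify OpenLDAP-style salted userPassword values.

Added example (not from the Novalug post, not OpenLDAP code). Layout for all
three schemes: "{SCHEME}" + base64(digest(password || salt) || salt). The salt
is random per entry, so two users with the same password get different values.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme -> (hashlib algorithm, digest length in bytes)
SCHEMES = {"{SSHA}": ("sha1", 20), "{SSHA256}": ("sha256", 32), "{SSHA512}": ("sha512", 64)}


def make_hash(password: str, scheme: str = "{SSHA}", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value; a fresh 8-byte random salt is drawn unless one is given."""
    algo, _ = SCHEMES[scheme.upper()]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme.upper() + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt embedded in `stored` and compare in constant time."""
    scheme_end = stored.index("}") + 1
    scheme = stored[:scheme_end].upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, dlen = SCHEMES[scheme]
    blob = base64.b64decode(stored[scheme_end:])
    if len(blob) <= dlen:
        return False  # no salt bytes after the digest: malformed value
    digest, salt = blob[:dlen], blob[dlen:]
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def same_password_differs(password: str, scheme: str = "{SSHA}") -> bool:
    """True when two stored values for one password differ (random salt) yet both verify."""
    a, b = make_hash(password, scheme), make_hash(password, scheme)
    return a != b and verify(password, a) and verify(password, b)


if __name__ == "__main__":
    stored = make_hash("correct horse", "{SSHA512}")   # constructed test password
    print(stored)
    print(verify("correct horse", stored), verify("wrong horse", stored))
```

Because the salt travels with the value, the scheme is self-describing: an `ldapsearch` of `userPassword` shows which hash each entry uses, and entries can be migrated to a stronger scheme one at a time by rewriting them at the user's next password change.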