Enterprise-Level Authentication for Linux? 25
Jon Hill asks: "Authentication
is an integral function of any network but the problem of unified
authentication on large distributed systems becomes daunting when you
look for Linux based solutions. I am the MIS Director for a technical
R&D company with 10 locations in several states and have pushed Linux
at the server level successfully for several years. As the system has
grown the need for a unified authentication scheme has become a
necessity. I have looked over NIS, NIS+, LDAP, Kerberos, and others
but haven't found anything that will unify even our servers (ie.
file/email/FTP). All sites are linked via a static VPN so there is
good secure communication available. What suggestions do readers have
to solve what I'd have thought was a common problem? Any case studies,
product links, code, and other examples will be appreciated."
Any Slashdotters who run enterprise-level installations care to
comment on how well Linux's authentication works? In your mind, what
does Linux need to do to improve it's profile in this regard?
Could PAM
at least provide a partial answer to this question, considering
that it would provide a way for any authentication scheme to link
into the system as a whole, without having to force
hard-to-maintain code changes in the user-land applications.
Surely LDAP? (Score:1, Informative)
You've also got centralized management and administration, and don't have to limit this to login credentials either - you could store the ip addresses of each host, the configuration of every printer etc...
Re:Surely LDAP? (Score:3, Informative)
For instance, you can make some accounts/groups only able to login between certain hours of the day - and this will be true for everything that uses the LDAP authentication - be it Windows client, firewall, unix workstation - whatever.
Theres a whole bunch of other stuff that you can makes use of too - quota limits across all platforms, the ldap directory also (handily) will serve as an enterprise wide telephone/address book - so you can hook it straight up to your intranet.
Theres a really good book about all this "Understanding and Deploying LDAP Directory services", published by Macmillan technical publishing. Its a weighty tome, but very informative.
Re:Surely LDAP? (Score:1)
The kernel dosent need it. (Score:4, Insightful)
This is the whole idea behind PAM. Give the hooks needed to implement your own modules, that is the simplest and best thing *LINUX* can do for auth. Let other groups, like Samba, and those who work on Netware, and other groups who concentrate on interoperability, come up with modules for PAM. People who are interested should read the stuff on winbindd [aarnet.edu.au] in Samba 2.2.2, its good stuff. And that said, nowdays the auth options for Linux-based OS's are good and getting better.
ObSlashdot: "In your mind, what does Linux need to do to improve it's profile in this regard?" Well, why do Slashdot editors wish to insult those posters that have a clue, while patronising everyone else? If you wonder why people troll, your answer is right there. (Watch me get slapped for this!
where are the secrets (Score:3, Funny)
If you perhaps do not trust the client machines, though, which you might not if they are Windows boxes, you would not want to use just public key crypto. You would also want to use a passphrase based system, and then you are back to having to have secrets on the servers, which need to be very carefully republished when they change. And you might not trust some of the servers. OpenSSH (and especially OpenSSH with the SRP patch) can do this, and it'll authenticate both the client *and* the server, so that both parties know they are connected with the entity they think they are connected to.
You might also want to look at SFS (a secure distributed filesystem based on NFS but with SRP authentication). Note that there are several projects all called SFS -- I'm thinking of the self-certifiying one [fs.net]. Then you can have central administration of server-side secrets. Probably some of the other projects called SFS would be good too, but I'm less familiar with them.
LDAP (Score:2, Interesting)
What kind of research did this guy do, anyway? (Score:5, Insightful)
You can do this with NIS, Kerberos, or LDAP on Linux, using PAM modules. In fact, out of the box, Red Hat can support any of those three. New versions of SAMBA have a beta-quality utility to do the same from a Windows domain controller, IIRC.
Now, it's entirely possible that this guy has some needs that weren't articulated in his message --- but if so, he should have articulated them in the message, as the basic case is trivial on Linux. AFAIK it should be no problem to authenticate for any of the afforementioned tasks.
That said, PAM is a major PITA to configure: the files are rather opaque if you haven't used them before. (Need a consultant? I'm available: www.cluestickconsulting.com [cluestickconsulting.com])
V-ONE (Score:1)
R
eDirectory (NDS)? (Score:3, Informative)
sPh
??? (Score:2)
Perhaps you are looking for something other than authentication?
Re:??? (Score:2, Funny)
Two words: Athena widgets.
Excellent question (Score:3, Insightful)
I have done a lot of research on the subject and extensive testing. Naturally I would have preferred a free solution, which suggested that OpenLDAP would be the solution of choice. But there are numerous issues with OpenLDAP.
One big problem is that it does not scale well. Sure it can handle massive volumes of users but, redundancy and more importantly distribution or replication are not yet adequate for enterprise use. This is also compounded by the fact that I also had to tie in Windows 2000 systems and applications. While active directory claims to be LDAP compliant, it is broken from a standards perspective. This severely limits the use of Active Directory as the central directory, not to mention the fact that it requires add-on software from Microsoft in order to authenticate *nix systems against it. Furthermore, because of Microsoft's proprietary extensions it is not possible to use OpenLDAP as a replacement for Active Directory.
Thus far, the best that I have found is Novell's eDirectory. There is also a second Novell package that is required if you will also be integrating Windows 2000 and Active Directory, you cannot eliminate Active Directory. The second package is Novell Authentication Management (NAM). This allows eDirectory to manipulate and synchronize Active Directory to eDirectory pretty seamlessly.
eDirectory runs on almost any platform. It runs on Netware, Windows 2000, Solaris, AIX and most importantly Linux. It is super scalable and easily handles distribution and replication. It offers authenication management for just about any platform and it has reasonable support from various application developers.
If you use Windows 200 apps like Exchange 2000 you still *have* to run Active Directory as well as eDirectory but, with the NAM package there is no need to ever manage Active Directory. All of the management is done in eDirectory and anything that needs to go into Active Directory is automatically pushed there.
Novell also has a product which I have not yet tried. It is an XML based add-on to eDirectory. Basically it will handle synchronizing other various directories to eDirectory. For instance, if you run SAP or some such application that has it's own authenticatioin system, the XML product will perform two way synchronization between eDirectory and your applications native directory. This propogates any changes made in one directory to the other.
You can get a free copy of eDirectory for Linux here [novell.com]. (Registration required) It's not the free solution that I had hoped for but, it seems to be the best around and it isn't too expensive for enterprise level software.
Re:Excellent question (Score:1)
I don't understand (Score:1)
LDAP (Score:2)
FYI, I run a consulting company [uslinux.net] and have done this before. It's *more* difficult to work with NT domains as well, but LDAP is pretty much designed for this. If you don't think LDAP can do it, you haven't looked into it enough.
Maybe not such a good idea (Score:3, Insightful)
Re:Maybe not such a good idea (Score:1, Insightful)
Maybe I'm the only one here old enough to recall Novell 3 networks with 100s of servers, each with their own password list. Living Hell On Earth.
2) The simple answer to your question is that if SSH doesn't recognize your directory service because it's a dumb point-to-point system, then don't use SSH. There's various Kerberos-ized telnet solutions out there. FTP should probably be mercykilled and replaces with HTTP/WebDAV over HTTPS.
Enterprise-Level authentication? (Score:2, Funny)
PAM and LDAP. (Score:2, Informative)