Linux Central Authentication/Authorization Methods


Solution 1

For this problem, FreeIPA is the "best" FOSS solution out there.

Since you are just starting to learn about the scope of your problem, you should do your research before attempting to play with FreeIPA.

Solution 2

TLS encryption is good enough to secure the transmission of passwords from the clients to the server given the following:

  • Your LDAP server's ACLs properly restrict access to password hashes.
  • Your server's private key is never compromised.

TLS-encrypted plain authentication is the simplest method of secure authentication to set up. Most systems support it. The only prerequisite on your client systems is getting a copy of your SSL certificate authority's certificate.

Kerberos is mainly useful if you want a single sign on system for your workstations. It would be nice to be able to log in once and have access to web services, IMAP email, and remote shells without entering your password again. Unfortunately, there is a limited selection of clients for kerberized services. Internet Explorer is the only browser. ktelnet is your remote shell.

You may still want to encrypt traffic to your kerberized LDAP server and other services with TLS/SSL to prevent traffic sniffing.

GSSAPI is a standardized protocol for authentication using back ends such as Kerberos.
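The two conditions this answer attaches to "TLS is good enough" (the password never crosses the wire in the clear, and the client actually verifies the server it is talking to) are easy to get wrong on the client side. The script below is an added example, not code from the answer or from any project: it audits an sssd.conf-style LDAP client configuration for a plain ldap:// URI without StartTLS, a TLS_REQCERT setting that skips certificate verification, and a missing CA certificate. The option names are sssd's own (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert); the two sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answer: audit an sssd.conf-style
# LDAP client configuration for the conditions the answer lists (TLS on the
# wire, a verified server certificate, a known CA). Option names are sssd's
# own; the two sample configs below are constructed for the demo.

# get_opt FILE KEY: print the value of "KEY = value" (last occurrence wins)
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_ldap_client_config FILE: print one FINDING per weak setting,
# return 0 when the file passes and 1 when it does not.
audit_ldap_client_config() {
    file=$1
    status=0
    uri=$(get_opt "$file" ldap_uri)
    starttls=$(get_opt "$file" ldap_id_use_start_tls)
    reqcert=$(get_opt "$file" ldap_tls_reqcert)
    cacert=$(get_opt "$file" ldap_tls_cacert)

    # 1. ldap:// without StartTLS sends the simple-bind password in clear text.
    case "$uri" in
        ldaps://*) ;;                       # TLS from the first byte
        *) if [ "$starttls" != "true" ]; then
               echo "FINDING: ldap_uri '$uri' without ldap_id_use_start_tls = true"
               status=1
           fi ;;
    esac

    # 2. never/allow accept an unverified server certificate: encryption to an
    #    unauthenticated peer lets a MITM collect every password.
    #    sssd defaults to 'hard' when the option is unset.
    case "$reqcert" in
        never|allow)
            echo "FINDING: ldap_tls_reqcert = $reqcert (server certificate not verified)"
            status=1 ;;
    esac

    # 3. The client needs the private CA's certificate to verify the server.
    if [ -z "$cacert" ]; then
        echo "FINDING: ldap_tls_cacert not set (copy your CA certificate to the client)"
        status=1
    fi
    return $status
}

# Constructed sample configs: a weak one and a hardened one.
WEAK=$(mktemp)
HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
EOF
cat > "$HARD" <<'EOF'
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
EOF

audit_ldap_client_config "$WEAK" && echo "weak: pass" || echo "weak: fail (expected)"
audit_ldap_client_config "$HARD" && echo "hardened: pass" || echo "hardened: fail"
```

Run it against a real /etc/sssd/sssd.conf with `audit_ldap_client_config /etc/sssd/sssd.conf` after sourcing the functions; the same three checks apply to pam_ldap/nss_ldap setups, where the equivalent keys in /etc/ldap.conf are `ssl start_tls`, `tls_checkpeer` and `tls_cacertfile`.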

Solution 3

LDAP works well for multiple servers and scales well. StartTLS can be used to secure LDAP communications. OpenLDAP is increasingly well supported and more mature. Master-master replication is available for redundancy. I have used Gosa as an administrative interface.

I still haven't bothered limiting access per server, but the facility is there.

You may also want to look at shared home directories using autofs, or some other network mount mechanism. If not, you will likely want to add the PAM module that creates missing home directories on first login.

While NIS (aka yellowpages) is mature, it also has some reported security issues.
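The "limiting access per server" facility this answer mentions, the PAM module for missing home directories, and the autofs alternative are all a few lines of configuration each. The script below is an added example, not code from the answer or from any project: it renders an sssd domain stanza whose access filter admits only members of a per-host group (or an all-hosts group), a PAM session fragment with pam_mkhomedir, and an autofs master/map pair, into a staging directory for review before copying to /etc. Everything named is an assumption made for the demo: sssd as the client, OpenLDAP with the memberOf overlay, host groups cn=host-<name> and cn=host-all under ou=hostgroups,dc=example,dc=com, and an NFS server nfs.example.com.

```shell
#!/bin/sh
# Added example, not code from the original answer: render the sssd domain
# stanza with a per-host access filter (the "limiting access per server"
# facility), the PAM line that creates missing home directories, and an
# autofs map for shared homes, into a staging directory for review.
# Assumptions (all made up for the demo): sssd as the client, OpenLDAP with
# the memberOf overlay, host groups cn=host-<name> and cn=host-all under
# ou=hostgroups,dc=example,dc=com, an NFS server nfs.example.com.

BASE_DN='dc=example,dc=com'
HOSTGROUP_OU="ou=hostgroups,$BASE_DN"
STAGE=${STAGE:-$(mktemp -d)}

# access_filter HOST: LDAP filter admitting members of cn=host-HOST or
# cn=host-all; pam_sss denies everyone else on that host.
access_filter() {
    printf '(|(memberOf=cn=host-%s,%s)(memberOf=cn=host-all,%s))' \
        "$1" "$HOSTGROUP_OU" "$HOSTGROUP_OU"
}

# render_sssd_conf HOST OUTFILE: identity, auth and access all from LDAP,
# StartTLS enforced with a verified server certificate.
render_sssd_conf() {
    cat > "$2" <<EOF
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = $BASE_DN
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_access_filter = $(access_filter "$1")
EOF
    chmod 600 "$2"   # sssd requires 0600 on its configuration file
}

# render_pam_session OUTFILE: a common-session fragment. pam_mkhomedir
# creates a local home on first login; use it or autofs homes, not both.
render_pam_session() {
    cat > "$1" <<'EOF'
session required  pam_unix.so
session optional  pam_sss.so
session optional  pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}

# render_autofs MASTER MAP: shared homes over NFS instead of mkhomedir.
# sec=krb5p assumes kerberized NFS; use sec=sys without a realm.
render_autofs() {
    printf '/home /etc/auto.home --timeout=300\n' > "$1"
    printf '* -fstype=nfs4,sec=krb5p,nosuid,nodev nfs.example.com:/export/home/&\n' > "$2"
}

host=${1:-$(hostname 2>/dev/null || echo localhost)}
render_sssd_conf "$host" "$STAGE/sssd.conf"
render_pam_session "$STAGE/common-session"
render_autofs "$STAGE/auto.master" "$STAGE/auto.home"
echo "rendered for $host into $STAGE"
```

Run as `sh render.sh web01` and diff the staged files against /etc/sssd/sssd.conf, /etc/pam.d/common-session and /etc/auto.master before installing them. Granting a user access to a new server is then a group membership change in LDAP rather than a change on the server itself.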

Author: Chris McBride

Updated on September 17, 2022

Comments

  • Chris McBride
    Chris McBride over 1 year

    I have a small but growing network of Linux servers. Ideally I'd like a central place to control user access, change passwords, etc. I've read a lot about LDAP servers, but I'm still confused about choosing the best authentication method. Is TLS/SSL good enough? What are the benefits of Kerberos? What's GSSAPI? Etc. I haven't found a clear-cut guide that explains the pros/cons of these different methods. Thanks for any help.

    • MadHatter
      MadHatter over 13 years
      Don't forget NIS. It may be old, but it's still widely used for a reason.
    • Ricardo Gomes
      Ricardo Gomes over 13 years
      I think that reason may be appliances and other operating systems that don't fully support LDAP. If you have a 100% Linux shop, then LDAP is the way to go. Solaris has trouble talking to OpenLDAP using OpenSSL for encryption. FreeBSD can't use netgroups over LDAP. You can always set up an NIS gateway for non-authentication data needed by incompatible systems.
    • Magellan
      Magellan about 12 years
      @MadHatter I'm pretty sure that reason NIS is still used is called "Inertia".
  • Chris McBride
    Chris McBride over 13 years
    Well right now my needs are strictly for a central authentication server, so I only have to change a password in one place instead of on every server. But I'd like a solution that scales well so when I need more granular access controls, I can easily add it. That's why I was looking at LDAP as opposed to NIS.
  • Ricardo Gomes
    Ricardo Gomes over 13 years
    I think Chris was referring to TLS/SSL only to encrypt the network traffic between the LDAP client and server. In that case, you don't need any extra hardware.