Subject: Re: Centralized User and Password Management
To: Tillman Hodgson <tillman@seekingfire.com>
From: Dick Davies <rasputnik@hellooperator.net>
List: netbsd-users
Date: 11/25/2004 23:21:50
* Tillman Hodgson <tillman@seekingfire.com> [1103 22:03]:
> On Thu, Nov 25, 2004 at 04:52:39PM -0500, Greg A. Woods wrote:
> > That's a very false economy. IIUC Kerberos is already integrated into
> > everything that needs it (though for add-on software there may be
> > special compile-time configuration needd) and PAM would only open more
> > holes.
> Kerberos only works "properly" if you Kerberize your entire environment.
> This is often difficult and cases folks to avoid Kerberos because of a
> unusual app or two. PAM allows those apps to be accommodated.
My understanding of PAM/Kerberos is sketchy, but I assume the client
just blindly sends its user/pass to the server (which then gets a ticket
on the users behalf to validate the passphrase?), since
PAM is fundamentally user/pass based.
So you lose your SSO features anyway, and also you have no real
server identification (there are no tickets coming back from the
server to the client). You'd have to rely on SSL CRLs to 'untrust'
a server, and we all know how useless they are.
> Naturally, PAM adds another layer of software that could potentially
> have holes. Using native Kerberos services is, indeed, vastly preferred.
> But I'll take a Kerberized environment with a single app requiring a PAM
> shim over environments that use SSH for remote shells and clear-text
> POP3 for mail checks any day ;-)
IMO, if there's a weak link in the chain I'd rather it had a different
password. At least you lower your risk then.
I gave up and went to ldap auth - it has its warts but load balancing
works well, and it feels like a better match to pam, plus it does
(most of) NIS' job (via nss_ldap). You can keep whatever you fancy in
there, so it's kind of /etc on a distributed RAID, and it's easily as
fast as a local file.
But the single password feature is definitely a double-edged sword,
especially when keyloggers are so prevalent. You need to be careful about
what groups have access to what service, and certain clients just can't
be trusted.
--
One cannot make an omelette without breaking eggs -- but it is amazing
how many eggs one can break without making a decent omelette. - Charles P. Issawi
Rasputin :: Jack of All Trades - Master of Nuns