Hi folks, did we ever arrive at a consensus on a general solution to the user-level password storage/accounts (see the "Kerberos and remctl" discussion in September)? I'm looking into a similar question: how do we safely grant different users access to multiple services on the box?
Please let me know if I'm missing some basic information or understanding here, and I'll get back to researching. I'm worried that I might be conflating two different, independent concerns here.

There are two basic approaches, both of which seem to have their disadvantages:

1. Keep user accounts separate for each service; let each service handle logins and user accounts. For example, if I hosted an XMPP and Wiki service on my box, users would have separate logins for each of those.

   This is bad because it duplicates logins and asks each service to handle logins on its own. If you're running five services on your box, chances are good that at least one of them is putting your login information at risk.

   This is good because it keeps your service-level login separate from the system-level login. Specific user accounts can't put the system at risk because they don't exist in the system.

2. Tie service logins into the system-level logins. For example, if I hosted an XMPP and Wiki service on my box, users would also have a system (shell) level login that each service looked to for authentication.

   This is bad because it hands malicious users a shell-level account. We could attempt to close that hole with the nologin shell, but it still feels dangerous. It also requires us to use services that can pass authentication off to other login services (see LDAP).

   This is good because it means users will have only a single password/authentication mechanism to guard. This increases system security by helping protect users from themselves. This also gives us a single point to modify and update authentication methods in the future.

As far as I see it, those are our trade-offs: put the user at risk (1) through foolish service configuration, or put the system at risk (2) to malicious users. I'm leaning more toward option 2 because it *prevents individual users from engaging in bad password management practices,* but I'd like to hear if somebody has already thought this through.
This came up because I *really* want to get password storage out of Plinth. It's fine that it's there now, but it should probably be removed by 1.0. (Yay bus rides. Lots of thinking time.) Nick
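Option 2 above hinges on the nologin shell actually closing the shell-access hole for every account that services hand out. The following audit script is an added example, not code from the post or from the FreedomBox project: it parses passwd(5)-style and /etc/shells-style text and reports which accounts can still obtain an interactive shell, which are pinned to a nologin shell, and which use a shell not listed in /etc/shells (worth a manual look, since an unlisted shell still works for ssh even though chsh and /etc/shells-checking services reject it). The passwd and shells contents below are constructed sample data, not from any real host; the set of nologin shell paths is an assumption based on common Debian/Red Hat defaults.

```python
"""Audit which system accounts can obtain an interactive shell.

Added example (not part of the original mailing-list post). Reads passwd(5)
and /etc/shells formatted text, so it can be pointed at the real files on a
box where service logins are tied to system accounts (the post's option 2).
"""
from dataclasses import dataclass

# Constructed sample data: not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,:/home/bob:/usr/sbin/nologin
carol:x:1002:1002:Carol,,,:/home/carol:/bin/false
dave:x:1003:1003:Dave,,,:/home/dave:
erin:x:1004:1004:Erin,,,:/home/erin:/opt/custom/sh
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/zsh
"""

# Assumed set of shells that refuse interactive login (Debian and Red Hat paths).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str


def parse_shells(text):
    """Return the set of shells listed in /etc/shells text, ignoring comments and blanks."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def parse_passwd(text):
    """Parse passwd(5) lines into Account records.

    An empty shell field defaults to /bin/sh, as passwd(5) specifies, so it
    must be treated as a real shell rather than as 'no shell'.
    """
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts.append(Account(name, int(uid), shell or "/bin/sh"))
    return accounts


def classify(accounts, valid_shells):
    """Map account name -> 'nologin', 'interactive' or 'unlisted'.

    'unlisted' means the shell is neither a known nologin shell nor present in
    /etc/shells; such accounts need a manual decision.
    """
    result = {}
    for acct in accounts:
        if acct.shell in NOLOGIN_SHELLS:
            result[acct.name] = "nologin"
        elif acct.shell in valid_shells:
            result[acct.name] = "interactive"
        else:
            result[acct.name] = "unlisted"
    return result


def interactive_users(passwd_text, shells_text, min_uid=1000):
    """Sorted names of human accounts (uid >= min_uid) that still get a listed shell."""
    accounts = parse_passwd(passwd_text)
    classes = classify(accounts, parse_shells(shells_text))
    return sorted(
        a.name for a in accounts if a.uid >= min_uid and classes[a.name] == "interactive"
    )


if __name__ == "__main__":
    for name, kind in classify(parse_passwd(SAMPLE_PASSWD), parse_shells(SAMPLE_SHELLS)).items():
        print(f"{name:8s} {kind}")
    print("human accounts with a shell:", interactive_users(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

On the sample data, alice (bash) and dave (empty field, hence /bin/sh) are the accounts that would still get a shell despite the nologin policy, while erin's unlisted /opt/custom/sh is flagged for review. To run it against a live box, pass the contents of /etc/passwd and /etc/shells to interactive_users instead of the samples.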
_______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
