On Fri, 2002-06-07 at 06:15, Steven Hildreth wrote:

> I need to setup a single point authentication for my LAN/WAN.

You'll probably want to set up LDAP for name lookups to replace NIS, and Kerberos for authentication.

LDAP, as a directory service, does not actively "authenticate" users. It's just a directory that can be used to store passwords in different formats, which may be required by different services. Passwords can be stored in plain text (required for CRAM-MD5 or DIGEST-MD5 authentication, among others), DES hash or MD5 hash (can be used by most UNIX services, as this is the type of information in /etc/passwd or /etc/shadow), or NTLM hash (used by Samba). However, they all must be guarded very closely, because exposing two of those (plain text and NTLM) will lead to immediate security breaches. The other two (DES or MD5 hash) can be used for dictionary based attacks, and users with poorly chosen passwords will be compromised.

Kerberos, on the other hand, uses strong encryption techniques to make sure that passwords are not exposed. Passwords are stored on the server, and encrypted tickets are passed around on the network, which can be decrypted using the users' passwords. The passwords themselves don't travel across the network. This is an excellent mechanism for any service which supports Kerberos or PAM (which can authenticate against a Kerberos server).

> Some of the Linux boxes are Samba servers serving Win2k machines
> files/print shares, it is also possible to have those workstations use
> the same authentication mechanism?

If you opt to store the NTLM hash in LDAP and modify your Samba to support LDAP, yes. If you opt to use Kerberos, and modify Samba to support Kerberos AND modify all of your Windows desktops to send plain text, rather than encrypted passwords, then yes. However, AFAIK, the method that will be most secure and require the least amount of work on your part, will be to provide users with a common password change interface which will both store their password in LDAP or Kerberos and also in a master smbpassword file.

In addition to running LDAP and Kerberos, you should also run Samba (on a separate server if you like). Your other Samba servers can use that instance as a PDC or password server to authenticate their local Windows users (using encrypted passwords).

> I have read +/-'s about both LDAP and Kerberos authentication, and I am
> wondering which has better real world application benefits for this
> particular situation.

Depends on what needs to authenticate. Sadly, although LDAP is becoming an increasingly well supported place to store your authentication credentials, it is still up to applications to decide what format those credentials must take.

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
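As an added illustration that is not part of this thread, the password forms the reply lists (clear text, unsalted or salted MD5 in an OpenLDAP userPassword attribute, and Samba's NT hash) computed and verified in Python; the directory attribute names and the MD4 routine are standard, everything else is constructed for the example. It makes the reply's point concrete: the clear-text and NT forms are stored without salt and are usable as-is, so they need the tightest access control, while the hashed forms only resist attack as well as the user's password does.

```python
import base64, hashlib, hmac, struct

_M = 0xFFFFFFFF
# One entry per MD4 round (RFC 1320): mix function, additive constant, shift cycle, word order.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)

def md4(data: bytes) -> bytes:
    """Minimal MD4, implemented here because hashlib's md4 is disabled on many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & _M
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _M, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """sambaNTPassword value: unsalted MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def encode_userpassword(password: str, scheme: str, salt: bytes = b"") -> str:
    """OpenLDAP userPassword value: {MD5} is a bare digest, {SMD5} appends a per-user salt."""
    pw = password.encode()
    if scheme == "MD5":
        raw = hashlib.md5(pw).digest()
    elif scheme == "SMD5":
        raw = hashlib.md5(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())

def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored value; a value with no {scheme} prefix is clear text."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, b64 = stored[1:].split("}", 1)
    salt = base64.b64decode(b64)[16:]  # bytes after the 16-byte MD5 digest; empty for {MD5}
    return hmac.compare_digest(encode_userpassword(candidate, scheme, salt), stored)
```

Because nt_hash and the {MD5} form take no salt, identical passwords produce identical stored values, which is exactly why the reply treats a leaked directory as a breach rather than a dictionary-attack risk.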