In order:

* Local accounts and passwords, managed by some central configuration tool such as puppet or chef. Trade-offs include the security of the central password management system, and access to locally stored passwords in /etc/shadow. Can be combined with SSH key deployment and sudo configuration to provide quite a sophisticated setup for small environments. Many, many, many tools exist for this, most of which have deep flaws that may not affect your environment.
* NIS - old, stable, simple to set up, uses /etc/passwd and /etc/shadow and /etc/group from central server to publish shared configurations. Not well known for security, since for most setups random clients can connect and pull encrypted password information. Can be set up by untrained monkey, easily managed with "webmin". Used in places where "we trust the people we work with", and "if we have someone inside our network, we have much bigger problems" are used to set security standards.
* NIS+ - Supposedly deals with a lot of the flaws of NIS. Never had a chance to play with it, myself.
* LDAP - A gazillion distinct management and integration suites exist, including AD integrated account management for Windows users as well with many. One can create arbitrary new arrays of privilege and host integration, most of which will wind up ignored in practice. But straightforward registration of user accounts with uid, gid, home directory, and password is pretty straightforward with even the weirder suites. Typically relies on Kerberos for authentication, as opposed to account management.
* Kerberos - Underlying authentication technology for most LDAP setups and especially AD and modern Samba systems. It is extremely robust and much safer than almost any other authentication technology for externally exposed accounts. More sensitive to DNS misconfiguration and NTP drift than other systems, but can provide authentication without the peskiness of LDAP for systems like website logins and centralized password management for accounts on local hosts.

Note also, for Scientific Linux and these systems, that the configurations available from the built-in "authconfig" tool are not all the options and tuning available. The Kerberos options, for example, don't have a way to *strip out* old domains or add multiple domains in /etc/krb5.conf: Tools like webmin do, but themselves take extra work and time to consider.

I also recommend that you spend some time and get DNS or locally published /etc/hosts worked out so your hosts have consistent hostnames and IP addresses. That helps a lot of things, like logging connections among the hosts and dealing with changes in SSH keys being misreported by renamed or re-IP-addressed hosts.

On Mon, Feb 17, 2014 at 9:39 AM, Jose Marques <[email protected]> wrote:
>
> On 17 Feb 2014, at 14:19, Tam Nguyen <[email protected]> wrote:
>
>> Btw, if security isn't your main concern, then have a look at NIS.
>
> In a previous job I used NIS in combination with Kerberos. No password data
> was stored in NIS so it removed some of the security issues.
>
> You can also use something like Puppet to centrally manage users.
>
> The University of St Andrews is a charity registered in Scotland, No.
> SC013532.
