Hi all, I recently decided it would be a good thing to centralize all of the user information and authentication on my network. After some reading I found that Kerberos will provide me the necessary secure authentication scheme, and OpenLDAP should provide me the user information DB. Both appear to have available PAM modules, but I lack the foresight on how to proceed. Here is my theory and how I want to set it up:
Users are allowed to login using ssh or local login via virtual terminal or WDM. I am using the default WDM and Xauth setup currently in Debian. Correct me if I am wrong, but the current version of X uses Xauth by default. So far this has proven secure. Telnet and rlogin are explicitly disallowed.

To accomplish this I would like login to use Kerberos for authentication first with unix login as a fall back. The auth lines in /etc/pam.d/login could be like the following:

    auth     required    pam_nologin.so
    auth     sufficient  pam_krb5.so
    auth     required    pam_unix.so

Theoretically this will allow Kerberos to authenticate the user and if failed pass authentication to local unix authentication.

Since Kerberos only provides authentication, I have to use another method to set up the account information for the user. This is where I would like to use OpenLDAP so I can centrally manage user account information. So I think the following account lines would be needed for setting up user account info using LDAP:

    account  sufficient  pam_ldap.so
    account  required    pam_unix.so

Again this should use LDAP first and fall back to local unix if needed. Ideally this would be all I need to do. However, since we used Kerberos above, I think I would have to use the following as well for the password and session sections:

    password sufficient  pam_krb5.so
    password required    pam_unix.so
    session  required    pam_krb5.so
    session  required    pam_unix.so

This should use Kerberos to allow password changes by the user, and the session one maintains the session key until logout. (I read something on this but cannot find it now. So I could be very wrong.) They both have the usual fall back to pam_unix.so.

So all of that is essentially theory and I was wondering if anyone has any suggestions. Especially the existing OpenLDAP and Kerberos maintainers. Steve Langasek, you seem to have written a pam module before, any suggestions? For the curious, I have read up on this. I am simply not very confident of my understanding.
Any help would be great. Please reply to me directly or CC me. I am not subscribed to the list. (Wasn't there a thing on how to handle this in mutt recently....)

Thanks,
Matthew P. McGuire

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Matthew P. McGuire <[EMAIL PROTECTED]>
1024D/E21C0E88 CB82 7859 26B2 95E3 1328 5198 D57A D072 E21C 0E88
When choice matters, choose Debian.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
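Added example, not code from the post or from Linux-PAM: a small Python model of the required/sufficient control flags walked over the auth stack proposed in the post, with constructed module outcomes. It shows when pam_unix.so is actually reached as the fallback, and why a sufficient pam_krb5.so success after a required pam_nologin.so failure still denies the login.

```python
# Added illustration, not code from the post or from Linux-PAM: a small model
# of PAM control-flag semantics run over the auth stack proposed above.
# Module outcomes come from a constructed dict; nothing real is authenticated.

SUCCESS, FAIL = "success", "fail"

# The auth stack as proposed for /etc/pam.d/login.
AUTH_STACK = [
    ("required", "pam_nologin.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_unix.so"),
]

def run_stack(stack, outcomes):
    """Walk a PAM stack in order; return (result, modules consulted).

    required: a failure is remembered, but the walk continues.
    sufficient: success ends the walk with success unless a required module
    already failed; a failure is simply ignored.
    """
    consulted, required_failed, any_success = [], False, False
    for control, module in stack:
        consulted.append(module)
        ok = outcomes.get(module, FAIL) == SUCCESS
        if control == "required":
            required_failed = required_failed or not ok
            any_success = any_success or ok
        elif control == "sufficient":
            if ok and not required_failed:
                return SUCCESS, consulted
        else:
            raise ValueError("control flag not modelled: " + control)
    return (SUCCESS if any_success and not required_failed else FAIL), consulted

def scenarios():
    """Four constructed outcomes for AUTH_STACK."""
    nologin_ok = {"pam_nologin.so": SUCCESS}
    return {
        # Kerberos accepts: pam_unix is never reached, the fallback is skipped.
        "krb5_ok": run_stack(AUTH_STACK, {**nologin_ok, "pam_krb5.so": SUCCESS}),
        # Kerberos rejects, local password accepted: the fallback works.
        "local_fallback": run_stack(AUTH_STACK, {**nologin_ok, "pam_unix.so": SUCCESS}),
        # Both reject: denied after both were tried.
        "both_fail": run_stack(AUTH_STACK, nologin_ok),
        # /etc/nologin present: the later 'sufficient' success cannot undo the
        # earlier 'required' failure, and pam_unix is still consulted so the
        # caller cannot tell which check denied the login.
        "nologin": run_stack(AUTH_STACK, {"pam_krb5.so": SUCCESS}),
    }
```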