From: Lenir S. <fla...@ya...> - 2007-03-05 21:25:24
|
Is there any way to get pam_ldap authentication or nss_ldap or both working on Astlinux? |
From: Bryce C. <br...@rh...> - 2007-03-05 21:30:18
|
Lenir,

pam_ldap and nss_ldap are for using LDAP as a way to authenticate and resolve system user/group data from an LDAP source, however astlinux only has one user as it should, root, which should never be authenticated over LDAP. Is this what you're trying to do? Or what exactly are you trying to authenticate?

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh... Tel: +1 (480) 940-1826 x6351 Fax: +1 (480) 961-1826 FWD: 633686 x6351 IP: asterisk.rhinoequipment.com x6351 |
From: Lenir S. <fla...@ya...> - 2007-03-05 22:03:24
|
We have about 20 boxes in client offices which we manage for them, and what we want to do is prevent root access via ssh (for security) and use a maintenance account (or one for each of our techs) to log in to the box if we need to, and if we ever need to change a password (or all passwords) we can do it at the ldap server. Also, if it's easier, radius would also work for us. |
From: Bryce C. <br...@rh...> - 2007-03-05 22:17:10
|
Lenir,

I would suggest disabling console logins, disabling password authentication and root login in SSH, and creating a maintenance account with a disabled password (or disable passwords altogether in PAM), then using SSH keys for authentication. This accomplishes the security aspect.

As far as changing access restrictions, you could simply have a master copy of authorized_keys containing the SSH keys of only those technicians that are authorized to connect, and use a nightly cron job to update this list on the boxes. Finally, to ensure that the clients don't just slip their own authorized_keys in, be sure to use gnupg to sign the authorized_keys master file and check it upon every download.

I'm pretty sure this would take care of your requirements immediately as well as prevent any sensitive data from crossing public networks (you never put radius over the internet, only across protected networks in secure environments).

Regards,
Bryce Chidester
Rhino Equipment Corp. |
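The nightly update described in the message above, sketched as an added example that is not part of the original thread: it downloads the master authorized_keys with a detached signature and installs it only if the signature verifies, leaving the current file in place otherwise. The URL, paths, the account name `maint`, and the availability of `gpgv` and `wget` on the box are assumptions.

```shell
#!/bin/sh
# Added example. Assumed values (not from the thread): URL, paths, account "maint".
# On the management host, sign with:  gpg --detach-sign authorized_keys
# (this produces authorized_keys.sig, served next to the master file).
KEYS_URL="${KEYS_URL:-https://keys.example.invalid/authorized_keys}"
KEYRING="${KEYRING:-/etc/maint/trusted.gpg}"  # public key(s) allowed to sign the master file
DEST="${DEST:-/home/maint/.ssh/authorized_keys}"
VERIFY="${VERIFY:-gpgv}"                      # verifier command; replaceable for testing

# verify_and_install FILE SIG DEST
# Installs FILE at DEST only if SIG is a valid detached signature over FILE
# made by a key in $KEYRING. On any failure DEST is left exactly as it was.
verify_and_install() {
    new=$1 sig=$2 dest=$3
    [ -s "$new" ] && [ -s "$sig" ] || { echo "missing or empty download" >&2; return 1; }
    "$VERIFY" --keyring "$KEYRING" "$sig" "$new" >/dev/null 2>&1 \
        || { echo "signature check failed; keeping current keys" >&2; return 2; }
    # A verified file with no key lines would lock every technician out; refuse it.
    grep -Eq '^[^#[:space:]]' "$new" || { echo "no keys in verified file" >&2; return 3; }
    tmp="$dest.new.$$"
    ( umask 077; cp "$new" "$tmp" ) || { rm -f "$tmp"; return 4; }
    mv -f "$tmp" "$dest"    # rename within one directory: readers never see a partial file
}

# sync_keys: download the master file and its detached signature, then verify.
sync_keys() {
    work=$(mktemp -d) || return 1
    wget -q -O "$work/keys" "$KEYS_URL" &&
    wget -q -O "$work/keys.sig" "$KEYS_URL.sig" &&
    verify_and_install "$work/keys" "$work/keys.sig" "$DEST"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Runs only when called with --run, e.g. from a nightly cron entry:
#   15 3 * * * /usr/local/sbin/sync-keys.sh --run
if [ "${1:-}" = "--run" ]; then sync_keys; fi
```

A valid signature proves who produced the file, not that it is the latest one: an older signed copy that still lists a removed technician's key would also verify, so a date or serial inside the signed file, checked against the last installed value, closes that gap.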
From: Kristian K. <kri...@gm...> - 2007-03-06 05:20:32
|
On 3/5/07, Lenir Santiago <fla...@ya...> wrote:
> We have about 20 boxes in client offices which we manage for them, and what
> we want to do is prevent root access via ssh (for security) and use a
> maintenance account (or one for each of our techs) to log in to the box if we
> need to, and if we ever need to change a password (or all passwords) we can
> do it at the ldap server. Also, if it's easier, radius would also work for us.

Hmmm...

That is interesting.

The real problem is going to be that uClibc and all of the other base components of AstLinux don't support NSS or PAM. Those things are usually not required (or wanted) in embedded systems.

I like Bryce's SSH key idea.

--
Kristian Kielhofner |
From: Bryce C. <br...@rh...> - 2007-03-06 07:41:17
|
Thanks Kris! I'm honoured.

There's one further issue of absolute securement that I can't quite figure out yet though, which is the matter of physical access. If they simply mount the CF card, then they can replace the original cron job with an insecure one, or worse yet simply remove it all and then they've got total control. Then again, LDAP and Radius are both susceptible to this "brute force" :-P attack.

However I am definitely interested in solving this. Perhaps using a strictly ROM FS? Unpacking an FS out of NVRAM? I'm kind of leaning towards the latter as it's still upgradeable, perhaps using a signed flashing utility, but as I understand SquashFS, it would seem to be the even simpler route. Does anyone have experience with this? It seems like a pure read-only FS (i.e. a la CD) would be ideal for Astlinux, and a local CF medium would provide for very fast boot times.

Regards,
Bryce Chidester
Rhino Equipment Corp. |
From: Lenir S. <fla...@ya...> - 2007-03-06 17:12:32
|
Would you be interested in doing some consulting work for us or recommend someone? We like Astlinux but for our needs it is a bit limited.

We are running on a mini-itx board (EPIA MII 1200) and want to boot off a USB flash pen and use the CF card slot as the KD. We like how astlinux works (ro filesystem, busybox, etc.). What we want is like an Astlinux on steroids. We noticed that it is somewhat based on Gentoo. So what we want is all the functionality of Astlinux but running on a tiny version of Gentoo. Instead of uclibc, we want to use the normal libraries and also use the portage package, php, Zend optimizer, etc...all this to run off a 1G usb flash pen and still use the CF as a KD.

You may reach me at lsa...@tr..., or at work +1-561-214-6241 if you have any questions.

Regards,
Lenir Santiago
Tristar Support |