From: Bryce C. <br...@rh...> - 2007-03-05 22:17:10
Lenir,

I would suggest disabling console logins, disabling password authentication and root login in SSH, and creating a maintenance account with a disabled password (or disabling passwords altogether in PAM), then using SSH keys for authentication. This accomplishes the security aspect. As far as changing access restrictions, you could simply have a master copy of authorized_keys containing the SSH keys of only those technicians who are authorized to connect, and use a nightly cron job to update this list on the boxes. Finally, to ensure that the clients don't just slip their own authorized_keys in, be sure to use gnupg to sign the authorized_keys master file and check it upon every download. I'm pretty sure this would take care of your requirements immediately as well as prevent any sensitive data from crossing public networks (you never put RADIUS over the internet, only across protected networks in secure environments).

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh...
Tel: +1 (480) 940-1826 x6351
Fax: +1 (480) 961-1826
FWD: 633686 x6351
IP: asterisk.rhinoequipment.com x6351

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the email and its attachments from all computers.

Lenir Santiago wrote:
> we have about 20 boxes in client offices which we manage for them, and
> what we want to do is prevent root access via ssh (for security) and
> use a maintenance account (or one for each of our techs) to log in to
> the box if we need to, and if we ever need to change a password (or all
> passwords) we can do it at the ldap server. Also if it's easier, radius
> would also work for us.
>
> Bryce Chidester <br...@rh...> wrote:
>
> Lenir,
> pam_ldap and nss_ldap are for using LDAP as a way to authenticate
> and resolve system user/group data from an LDAP source, however
> astlinux only has one user as it should, root, which should never
> be authenticated over LDAP. Is this what you're trying to do? Or
> what exactly are you trying to authenticate?
>
> Regards,
> Bryce Chidester
> Rhino Equipment Corp.
> br...@rh...
>
> Lenir Santiago wrote:
>> Is there any way to get pam_ldap authentication or nss_ldap or
>> both working on Astlinux?
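The nightly pull Bryce describes (a gnupg-signed master authorized_keys fetched by cron and checked before it replaces the box's copy), written out as an added example that is not part of the thread. MASTER_URL, the dedicated signer keyring path and the `maint` account are placeholder assumptions; the script also sanity-checks the file contents and installs it atomically, which the thread does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread: nightly pull of the GPG-signed master
# authorized_keys onto a managed box. MASTER_URL, KEYRING and MAINT_USER are
# placeholders. Cron it as: 0 3 * * * /usr/local/sbin/pull-authorized-keys run
set -eu

MASTER_URL="${MASTER_URL:-https://keys.example.invalid/authorized_keys}"  # placeholder
KEYRING="${KEYRING:-/etc/ops/authorized_keys-signers.gpg}"              # placeholder
MAINT_USER="${MAINT_USER:-maint}"                                        # placeholder
MAINT_HOME="${MAINT_HOME:-/home/$MAINT_USER}"

# A non-comment line must carry a key type and a base64 blob; an options
# prefix such as from="..." or no-pty is allowed.
KEY_RE='(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'

# Download the master file and its detached signature into a scratch dir.
fetch_master() {
  wget -q -O "$1/authorized_keys" "$MASTER_URL"
  wget -q -O "$1/authorized_keys.sig" "$MASTER_URL.sig"
}

# Accept only signatures made by keys in the dedicated keyring: a client that
# swaps the file on the server, or a stray key in root's keyring, fails here.
verify_master() {
  gpg --batch --quiet --no-default-keyring --keyring "$KEYRING" \
      --trust-model always --verify "$1/authorized_keys.sig" "$1/authorized_keys"
}

# Reject an empty or missing file (it would lock out every tech) and any
# non-comment line that is not an SSH public key.
validate_keys() {
  body=$(grep -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true)
  [ -n "$body" ] || return 1
  ! printf '%s\n' "$body" | grep -q -v -E "$KEY_RE"
}

# Atomic replace with mode 0600 so sshd never reads a half-written file.
install_keys() {
  src=$1 dst=$2 owner=${3:-}
  mkdir -p -m 700 "$(dirname "$dst")"
  cp "$src" "$dst.tmp.$$"
  chmod 600 "$dst.tmp.$$"
  if [ -n "$owner" ]; then chown "$owner:" "$dst.tmp.$$"; fi
  mv -f "$dst.tmp.$$" "$dst"
}

main() {
  scratch=$(mktemp -d); trap 'rm -rf "$scratch"' EXIT
  fetch_master "$scratch"
  verify_master "$scratch" || { echo "bad signature; keeping current keys" >&2; exit 1; }
  validate_keys "$scratch/authorized_keys" || { echo "malformed key file" >&2; exit 1; }
  install_keys "$scratch/authorized_keys" "$MAINT_HOME/.ssh/authorized_keys" "$MAINT_USER"
}

if [ "${1:-}" = run ]; then main; fi
```

On a verification or validation failure the box keeps the previously installed keys, so a bad push on the master side degrades to "no change" rather than a lockout or an unintended grant.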