[TriLUG] Password Security

Andrew C. Oliver acoliver at buni.org
Mon Jul 23 22:14:13 EDT 2007


Windows, oracle, vnc all support LDAP.  Many if not most applications do 
as well.  Linux-PAM supports LDAP as do most UNIX operating systems. 
The only catch is you may have to run or replicate to active directory 
but it is possible to achieve at least an 80-90% solution with a high 
degree of security in this manner.  This is exactly what it is designed for.

-andy

Ron Joffe wrote:
> In addition to Linux logins we have a large number of other types of 
> usernames/passwords to keep track of. This includes everything from oracle 
> logons, vnc passwords, vpn tunnel authentication, Application passwords, 
> Windows domain logons, etc etc etc. We work in quite a complex multi 
> application environment, and we have 10 completely separate clients to worry 
> about.
> 
> The solution we are looking for can not be handled purely by sudo, PAM, etc. 
> Although I appreciate the pointers, we are looking for a far wider solution 
> for password management.
> 
> Thanks,
> 
> Ron
> 
> 
> 
> On Monday 23 July 2007 18:53, Andrew C. Oliver wrote:
>> Linux authentication can take place with a series of stackable modules
>> via PAM (http://www.kernel.org/pub/linux/libs/pam/modules.html).  There
>> are all manner of modules that could authenticate against some internet
>> accessible server (be careful to encrypt the stream, avoid DNS, etc).
>> You could ask that customers maintain some pam module that uses your
>> directory server (LDAP or otherwise) and your admins could just login
>> using their normal username.  They could also be listed in Sudo
>> http://en.wikipedia.org/wiki/Sudo so they could always become root.  In
>> fact on Ubuntu, an ever popular linux distribution, you generally create
>> a user account and it has sudo access.  You generally don't actually
>> ever type the root password.
>>
>> -Andy
>>
>> Ron Joffe wrote:
>>> On Monday 23 July 2007 14:28, Andrew C. Oliver wrote:
>>>>> Now what do you do when you have to keep a list of passwords sync'd
>>>>> between a set of support technicians ?
>>>> This is a REALLY bad idea procedurally to share a set of passwords
>>>> between users if that is what you mean.
>>> I have 4 people responsible for after hours support on a growing number
>>> of client systems. Could you please post your suggestions as to how they
>>> all should gain privs on those servers? I have my own ideas, but rather
>>> than taint your answer, I would like to get a fresh perspective.
>>>
>>> Thanks,
>>>
>>> Ron


-- 
Buni Meldware Communication Suite
http://buni.org
Multi-platform and extensible Email,
Calendaring (including freebusy),
Rich Webmail, Web-calendaring, ease
of installation/administration.
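The arrangement Andy describes (a stacked PAM auth chain that falls through to a directory server over an encrypted channel, with admins granted root through a sudo group instead of a shared password) as a concrete configuration. This is an added example, not configuration from the original thread; the host ldap.example.com, the base DN, the CA file path and the group name "support" are assumptions.

```conf
# --- /etc/pam.d/common-auth (Debian-style stack, assumed layout) ---
# Try the local account first; on success skip the next two lines.
auth    [success=2 default=ignore]   pam_unix.so nullok_secure
# Fall through to the directory, reusing the password already typed
# so the user is not prompted twice.
auth    [success=1 default=ignore]   pam_ldap.so use_first_pass
# Neither module accepted the password: refuse.
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so

# --- /etc/pam_ldap.conf (pam_ldap client settings, assumed values) ---
uri ldaps://ldap.example.com/
base dc=example,dc=com
# Encrypt the stream and verify the server certificate, so a poisoned
# DNS answer or a rogue LDAP server cannot harvest admin passwords.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
# Only members of the support group may log in to this host at all.
pam_groupdn cn=support,ou=groups,dc=example,dc=com
pam_member_attribute member

# --- /etc/sudoers (edit with visudo) ---
# Members of the directory group become root with their own password;
# nobody needs to know or share the root password.
%support ALL=(ALL) ALL
# Re-prompt after five idle minutes rather than the default fifteen.
Defaults timestamp_timeout=5
```

Removing a technician from the cn=support group in the directory revokes both login and sudo on every client host at once, which is the rotation problem the shared-password approach never solves.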