* [gentoo-dev] User authentication ideas
@ 2003-04-14 15:15 gdjohn
From: gdjohn @ 2003-04-14 15:15 UTC
To: gentoo-dev
I've recently been busying myself setting up Kerberos/LDAP directory to
provide a NIS like authentication system for my small LAN (hopefully
allowing single sign on at some point in the near future).

What I have found is that it is currently quite a big job to get all of
this sorted on a Gentoo server, and even when it's all running, it doesn't
play nicely with portage (or rather, there are some ebuilds that don't
play nicely with NIS like systems).

The main problems I've found are that some ebuilds grep /etc/passwd to see
if a specific user exists on the system, and then go and add the
user/group with the useradd/groupadd commands. Obviously, this doesn't
work for users whose credentials are stored somewhere other than
/etc/passwd.

What I would like to propose is some sort of virtual package, maybe
virtual/auth. The standard /etc/{passwd,group,shadow} authentication
mechanism should be retained as the default (maybe call it auth-files or
auth-shadow). The key thing here though, is that each package that
provides virtual/auth must provide a user{add,del} and group{add,del}
command (maybe useradd.packagename, etc. with symlinks to /sbin/useradd).

I am quite prepared to put some effort in to putting together a
sys-auth/krb5-ldap ebuild, but there will need to be some coordination. It
would be nice to be able to offer some sort of tool to switch between
authentication mechanisms, a la RedHat authconfig.

Can anybody see any problems, advantages, disadvantages, glaring issues in
what I'm suggesting?

Cheers,
Gareth.
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] User authentication ideas
@ 2003-04-14 15:25 Paul de Vrieze
From: Paul de Vrieze @ 2003-04-14 15:25 UTC
To: gentoo-dev
> I've recently been busying myself setting up Kerberos/LDAP directory
> to provide a NIS like authentication system for my small LAN (hopefully
> allowing single sign on at some point in the near future).
>
> What I have found is that it is currently quite a big job to get all of
> this sorted on a Gentoo server, and even when it's all running, it doesn't
> play nicely with portage (or rather, there are some ebuilds that don't
> play nicely with NIS like systems).
>
> The main problems I've found are that some ebuilds grep /etc/passwd to see
> if a specific user exists on the system, and then go and add the
> user/group with the useradd/groupadd commands. Obviously, this doesn't
> work for users whose credentials are stored somewhere other than
> /etc/passwd.
>
> What I would like to propose is some sort of virtual package, maybe
> virtual/auth. The standard /etc/{passwd,group,shadow} authentication
> mechanism should be retained as the default (maybe call it auth-files or
> auth-shadow). The key thing here though, is that each package that
> provides virtual/auth must provide a user{add,del} and group{add,del}
> command (maybe useradd.packagename, etc. with symlinks to
> /sbin/useradd).
>
> I am quite prepared to put some effort in to putting together a
> sys-auth/krb5-ldap ebuild, but there will need to be some coordination. It
> would be nice to be able to offer some sort of tool to switch between
> authentication mechanisms, a la RedHat authconfig.
>
> Can anybody see any problems, advantages, disadvantages, glaring issues in
> what I'm suggesting?
>
I think this is a good idea, although problems could arise when
authentication is necessary to allow adding users (maybe a list of
pending modifications could be used). I don't see that much virtue in
authconfig, but if a user-list method is provided together with a
user-insert/mod method, then switching should be possible (be wary of not
automatically converting certain system users).
Paul
--
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net
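
The two points raised in this thread, shown as an added shell example that is not part of either message or of any Gentoo package: an existence check that only greps the flat file versus one that asks the name service switch through getent, plus a queue of pending additions for when the backend cannot add the account right away. The variables NSS_LOOKUP, USERADD_CMD and PENDING_FILE and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; every name below is hypothetical, not from portage.

NSS_LOOKUP=${NSS_LOOKUP:-getent}        # resolver front end (glibc getent)
USERADD_CMD=${USERADD_CMD:-useradd}     # backend-specific add command
PENDING_FILE=${PENDING_FILE:-./pending-users}

# The check the first message describes: it only sees accounts that
# live in the flat file, so directory accounts look missing.
user_in_files() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Ask the name service switch instead, so accounts from every source
# configured for passwd lookups (files, LDAP, NIS) are found.
user_in_nss() {
    "$NSS_LOOKUP" passwd "$1" >/dev/null 2>&1
}

# Add the account only if no configured source already has it. If the
# backend refuses (for example, no admin credentials are available at
# install time), record the name as a pending modification.
# Prints one of: exists, added, queued.
ensure_user() {
    if user_in_nss "$1"; then
        echo exists
    elif "$USERADD_CMD" "$1" >/dev/null 2>&1; then
        echo added
    else
        echo "$1" >> "$PENDING_FILE"
        echo queued
    fi
}
```
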