best way to remotely manage user credentials - Debian


  1. best way to remotely manage user credentials

    Hello
    I would like to hear some words on my problem.
    I have X servers with pam authentication and ssh daemon.
    People use ftp servers and run their applications but there should be
    one central server that will manage passwords and users.

    I would like to use something like

    /usr/bin/changepassword

    There's no problem writing such a thing with bash and ssh keys, but maybe
    someone knows a better solution?

    regards
    WZ

    --
    Wojciech Ziniewicz
    Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    ct;umount;makeclean; zip;split;done;exit:xargs!!}


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: best way to remotely manage user credentials

    Hi, WZ,

    I think that the best way to do this is integrating your systems with a
    LDAP directory, or something similar.

    Regards,
    --
    Diego Evaristo de Lacerda (diegolacerda@gmail.com)
    Project Analyst
    LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
    Associates

    URL: conectado.motime.com

    On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
    > Hello
    > I would like to hear some word in my problem.
    > I have X servers with pam authentication and ssh daemon.
    > People use ftp servers and run their applications but there should be
    > one central server that will manage passwords and users.
    >
    > I would like to use something like
    >
    > /usr/bin/changepassword
    >
    > there's no problem writing such thing with bash and ssh keys but maybe
    > someone knows better solution ?
    >
    > regards
    > WZ
    >
    > --
    > Wojciech Ziniewicz
    > Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    > ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    > ct;umount;makeclean; zip;split;done;exit:xargs!!}






  3. Re: best way to remotely manage user credentials

    On 12.05.08 18:21, Wojciech Ziniewicz wrote:
    > I would like to hear some word in my problem.
    > I have X servers with pam authentication and ssh daemon.
    > People use ftp servers and run their applications but there should be
    > one central server that will manage passwords and users.
    >
    > I would like to use something like
    >
    > /usr/bin/changepassword


    Just note that when someone runs 'ps' on the machine when you execute this
    script, (s)he can see the arguments, and therefore the password. Yes, the grsecurity
    patch can prevent ordinary people from seeing the password, but this is
    usually not taken as secure...

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    The only substitute for good manners is fast reflexes.
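
The exposure described in the reply above, as an added example that is not part of the original thread: a stand-in for the proposed changepassword call is started once with the password as an argument and once with it on stdin, and its argv is read back from /proc the way ps does. It assumes a Linux /proc; the password, the user "alice" and the stand-in process are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. SECRET, the user "alice" and the stand-in name
# "changepassword" are constructed; no real account is touched.
SECRET='constructed-Passw0rd-for-demo'

# argv of a PID as ps(1) reads it: NUL-separated in /proc/<pid>/cmdline.
cmdline_of() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# Print whether SECRET is visible in the argv of the running process $1.
verdict() {
    [ -r "/proc/$1/cmdline" ] || { echo gone; return 0; }
    if cmdline_of "$1" | grep -qF -- "$SECRET"; then
        echo exposed
    else
        echo hidden
    fi
}

# Stop the stand-in process once it has been inspected.
reap() {
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# Weak: the password is handed over as a command-line argument.
via_argv() {
    sh -c 'sleep 3; :' changepassword alice "$SECRET" >/dev/null 2>&1 &
    pid=$!
    sleep 1                     # let the child exec before inspecting it
    verdict "$pid"
    reap "$pid"
}

# Hardened: the same stand-in reads "user:password" on stdin, the format
# chpasswd(8) takes. printf is a shell builtin, so the secret is never
# placed in the argv of any process.
via_stdin() {
    printf '%s\n' "alice:$SECRET" |
        sh -c 'cat >/dev/null; sleep 3; :' changepassword >/dev/null 2>&1 &
    pid=$!
    sleep 1
    verdict "$pid"
    reap "$pid"
}

echo "argument: $(via_argv)   stdin: $(via_stdin)"
```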



  4. Re: best way to remotely manage user credentials

    Wojciech Ziniewicz wrote:
    > Hello
    > I would like to hear some word in my problem.
    > I have X servers with pam authentication and ssh daemon.
    > People use ftp servers and run their applications but there should be
    > one central server that will manage passwords and users.
    >
    > I would like to use something like
    >
    > /usr/bin/changepassword
    >
    > there's no problem writing such thing with bash and ssh keys but maybe
    > someone knows better solution ?


    There's an easier way than writing it with a bash script. Use NSSMySQL
    and write a small php/python/ruby/perl/whatever-you-like web application
    for your users to change the password stored in MySQL. The other
    advantage is that it's going to be damned easy to reuse this with
    network, and to do backups. You can encrypt the MySQL connection if you
    wish to prevent sniffing.

    Thomas



  5. Re: best way to remotely manage user credentials

    2008/5/13 Matus UHLAR - fantomas :

    > just note that when someone does 'ps' on machine you when execute this
    > script, (s)he can see arguments, therefore the password. Yes, grsecurity
    > patch can prevent ordinary people from seeing the password, but this is
    > usually not taken as secure...


    Sure, it would not be secure if the "managing" server was a multiuser system.
    There's only a www server without ftp, ssh etc.

    I hear "ldap" all the time but don't think that ldap will be the remedy.

    More or less - thanks for the feedback


    regards
    wojtek ziniewicz

    --
    Wojciech Ziniewicz
    Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    ct;umount;makeclean; zip;split;done;exit:xargs!!}



  6. Re: best way to remotely manage user credentials

    2008/5/13 Thomas Goirand :
    > There's more easy way than writing it with a bash script. Use NSSMySQL
    > and write a small php/python/ruby/perl/whatever-you-like web application
    > for your users to change the password stored in MySQL. The other
    > advantage is that it's going to be damned easy to reuse this with
    > network, and to do backups. You can encrypt the MySQL connection if you
    > wish to prevent sniffing.


    I tried nss-mysql with no success.

    I have to store and use information that is exactly the same as normal
    ordinary pam. What did not work with nss-mysql was su and passwd
    (users HAVE to use passwd on those systems).

    Probably I will write something like a master server with a mysql database
    that will be bash-style replicated on other servers.


    regards
    --
    Wojciech Ziniewicz
    Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    ct;umount;makeclean; zip;split;done;exit:xargs!!}



  7. Re: best way to remotely manage user credentials

    On Tue, May 13, 2008 at 02:51:54PM +0200, Wojciech Ziniewicz wrote:
    > 2008/5/13 Thomas Goirand :
    > > There's more easy way than writing it with a bash script. Use NSSMySQL
    > > and write a small php/python/ruby/perl/whatever-you-like web application
    > > for your users to change the password stored in MySQL. The other
    > > advantage is that it's going to be damned easy to reuse this with
    > > network, and to do backups. You can encrypt the MySQL connection if you
    > > wish to prevent sniffing.

    >
    > I tried nss-mysql with no success.
    >
    > i have to store and use information that is exactly the same as normal
    > ordinary pam . what did not work with nss-mysql was su and passwd
    > (users HAVE to use passwd on those systems )
    >
    > probably i will write something like master server with mysql database
    > that will be bash-style replicated on other servers.


    Because NSS is only used for lookup (read-only) queries.

    For things like password management you need to install pam-mysql in
    addition to nss-mysql and point its configuration to the same database
    as NSS. I did it some time ago and it worked fine.

    I had some issues with nscd instability though -- it crashed quite often
    in this setup and I had to set up monitoring for that. I installed nscd
    to decrease the load on the database.

    Marcin
    --
    +---------------------------------------+
    | -o) http://wanted.eu.org/
    | /\\ Message void if penguin violated
    + _\_V Don't mess with the penguin



  8. Re: best way to remotely manage user credentials

    Alternatively use Kerberos..
    http://www.debian-administration.org/articles/570

    On Tue, May 13, 2008 at 2:34 PM, Joel Merrick
    wrote:

    > http://www.debian-administration.org/articles/585
    >
    >
    >
    > On Tue, May 13, 2008 at 1:04 AM, Diego Lacerda
    > wrote:
    >
    > > Hi, WZ,
    > >
    > > I think that the best way to do this is integrating your systems with a
    > > LDAP directory, or something similar.
    > >
    > > Regards,
    > > --
    > > Diego Evaristo de Lacerda (diegolacerda@gmail.com)
    > > Project Analyst
    > > LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
    > > Associates
    > >
    > > URL: conectado.motime.com
    > >
    > > On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
    > > > Hello
    > > > I would like to hear some word in my problem.
    > > > I have X servers with pam authentication and ssh daemon.
    > > > People use ftp servers and run their applications but there should be
    > > > one central server that will manage passwords and users.
    > > >
    > > > I would like to use something like
    > > >
    > > > /usr/bin/changepassword
    > > >
    > > > there's no problem writing such thing with bash and ssh keys but maybe
    > > > someone knows better solution ?
    > > >
    > > > regards
    > > > WZ
    > > >
    > > > --
    > > > Wojciech Ziniewicz
    > > > Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    > > > ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    > > > ct;umount;makeclean; zip;split;done;exit:xargs!!}

    > >
    > >
    > >

    >
    >
    > --
    > echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'





    --
    echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'


  9. Re: best way to remotely manage user credentials

    http://www.debian-administration.org/articles/585


    On Tue, May 13, 2008 at 1:04 AM, Diego Lacerda
    wrote:

    > Hi, WZ,
    >
    > I think that the best way to do this is integrating your systems with a
    > LDAP directory, or something similar.
    >
    > Regards,
    > --
    > Diego Evaristo de Lacerda (diegolacerda@gmail.com)
    > Project Analyst
    > LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
    > Associates
    >
    > URL: conectado.motime.com
    >
    > On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
    > > Hello
    > > I would like to hear some word in my problem.
    > > I have X servers with pam authentication and ssh daemon.
    > > People use ftp servers and run their applications but there should be
    > > one central server that will manage passwords and users.
    > >
    > > I would like to use something like
    > >
    > > /usr/bin/changepassword
    > >
    > > there's no problem writing such thing with bash and ssh keys but maybe
    > > someone knows better solution ?
    > >
    > > regards
    > > WZ
    > >
    > > --
    > > Wojciech Ziniewicz
    > > Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    > > ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    > > ct;umount;makeclean; zip;split;done;exit:xargs!!}

    >
    >
    >



    --
    echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'


  10. Re: best way to remotely manage user credentials

    On Tue, May 13, 2008 at 02:51:54PM +0200, Wojciech Ziniewicz wrote:
    > 2008/5/13 Thomas Goirand :
    > > There's more easy way than writing it with a bash script. Use NSSMySQL
    > > and write a small php/python/ruby/perl/whatever-you-like web application
    > > for your users to change the password stored in MySQL. The other
    > > advantage is that it's going to be damned easy to reuse this with
    > > network, and to do backups. You can encrypt the MySQL connection if you
    > > wish to prevent sniffing.

    >
    > I tried nss-mysql with no success.
    >
    > i have to store and use information that is exactly the same as normal
    > ordinary pam . what did not work with nss-mysql was su and passwd
    > (users HAVE to use passwd on those systems )
    >
    > probably i will write something like master server with mysql database
    > that will be bash-style replicated on other servers.


    Is https://secure.mysociety.org/cvstrac...y/bin/usersync
    any use?



  11. Re: best way to remotely manage user credentials

    2008/5/13 Adam McGreggor :
    > Is https://secure.mysociety.org/cvstrac...y/bin/usersync
    > any use?


    Hi,
    this is what I was looking for - TY.

    regards.




    --
    Wojciech Ziniewicz
    Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
    ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
    ct;umount;makeclean; zip;split;done;exit:xargs!!}


