* OT: password management
@ 2003-01-08 13:53 Miguel González Castaños
2003-01-08 15:22 ` Saint Neon
0 siblings, 1 reply; 7+ messages in thread
From: Miguel González Castaños @ 2003-01-08 13:53 UTC (permalink / raw)
To: linux-admin
Dear all,
I would like to know how you guys solve the problem about how to
manage passwords of a bunch of accounts in different servers in a safe
way of course (generating new passwords, save/retrieve them, etc) but
easily accessible at the same time...
Many thanks in advance.
Miguel
* Re: OT: password management
2003-01-08 13:53 OT: password management Miguel González Castaños
@ 2003-01-08 15:22 ` Saint Neon
2003-01-08 15:38 ` Miguel González Castaños
0 siblings, 1 reply; 7+ messages in thread
From: Saint Neon @ 2003-01-08 15:22 UTC (permalink / raw)
To: Miguel González Castaños; +Cc: linux-admin
--- Miguel González Castaños <mgc@tid.es> wrote:
> dear all,
>
> I would like to know how you guys solve the problem
> about how to
> manage passwords of a bunch of accounts in different
> servers in a safe
> way of course (generating new passwords,
> save/retrieve them, etc) but
> easily accessible at
> the same time...
PAM (Pluggable Application Modules) provide a
centralized mechanism for authenticating all services.
It applies to login, rlogin, telnet, rsh, PPP, su
among others. In fact, PAM can be used for any linux
application. The best documentation is available at
http://www.kernel.org/linux/libs/pam/
Neon.
* Re: OT: password management
2003-01-08 15:22 ` Saint Neon
@ 2003-01-08 15:38 ` Miguel González Castaños
2003-01-08 23:58 ` Milan P. Stanic
0 siblings, 1 reply; 7+ messages in thread
From: Miguel González Castaños @ 2003-01-08 15:38 UTC (permalink / raw)
To: Saint Neon; +Cc: linux-admin
Hello again,
I think I didn't explain myself well.
I was asking how you admins solve the problem of having to administer
several servers. This normally has the problem of managing different
passwords, changing them periodically, etc. I have read in the
linux network administration guide that there are tools that ease the
management of such passwords, generate new passwords, etc.
I don't know if I am asking the question in the wrong way, I hope you
understand me.
About PAM and LDAP I think both systems are to authenticate one user in
one or several services in one or several servers (like in the case of
LDAP).
I am asking more about how you manage different accounts in different
servers of different customers.
Sorry for the misunderstanding and my poor English
Many thanks in advance
Miguel
Saint Neon wrote:
> --- Miguel González Castaños <mgc@tid.es> wrote:
> > dear all,
> >
> > I would like to know how you guys solve the problem
> > about how to
> > manage passwords of a bunch of accounts in different
> > servers in a safe
> > way of course (generating new passwords,
> > save/retrieve them, etc) but
> > easily accessible at
> > the same time...
>
> PAM (Pluggable Application Modules) provide a
> centralized mechanism for authenticating all services.
> It applies to login, rlogin, telnet, rsh, PPP, su
> among others. In fact, PAM can be used for any linux
> application. The best documentation is available at
>
> http://www.kernel.org/linux/libs/pam/
>
> Neon.
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: OT: password management
2003-01-08 15:38 ` Miguel González Castaños
@ 2003-01-08 23:58 ` Milan P. Stanic
0 siblings, 0 replies; 7+ messages in thread
From: Milan P. Stanic @ 2003-01-08 23:58 UTC (permalink / raw)
To: linux-admin
On Wed, Jan 08, 2003 at 04:38:54PM +0100, Miguel González Castaños wrote:
> I was asking how you admins solve the problem of having to
> administer several servers. This normally has the problem of
> managing different password, change them periodically, etc. I have
> read in the linux network administration guide that there are tools
> that ease the management of such passwords, generate new passwords,
> etc.
I'm using pwman. Short description:
PWman is a password management application which uses GnuPG to encrypt
data before it is saved to your harddrive. Text-based use the ncurses
library. UI based on that of abook <jheinonen@users.sourceforge.net>
from which some code is taken.
Milan
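
Added example, not part of the message above and not pwman's code: a shell version of the same idea, covering the "generate, save, retrieve" steps from the original question with the list kept GnuPG-encrypted. GPG_RECIPIENT, the function names and the host/file names are assumptions made for this example; setting the new password on the server itself is a separate step.

```sh
#!/bin/sh
# Added example (not pwman): rotate per-account passwords and keep the list in
# one GnuPG-encrypted file. GPG_RECIPIENT, host and file names are assumptions.
# Usage: GPG_RECIPIENT=admin@example.org rotate "$HOME/pwstore.gpg" web1.example root
umask 077   # the encrypted store is still created owner-only

# gen_password LEN: LEN random characters from [A-Za-z0-9], read from the kernel
# RNG. tr discards bytes outside the set, so every character is equally likely.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-20}"
}

# upsert_entry HOST ACCOUNT PASSWORD: filter over "host<TAB>account<TAB>password"
# lines; drops any old entry for HOST/ACCOUNT and appends the new one.
upsert_entry() {
    awk -F '\t' -v h="$1" -v a="$2" '!($1 == h && $2 == a)'
    printf '%s\t%s\t%s\n' "$1" "$2" "$3"
}

# lookup_entry HOST ACCOUNT: filter; prints the stored password, if any.
lookup_entry() {
    awk -F '\t' -v h="$1" -v a="$2" '$1 == h && $2 == a { print $3 }'
}

# rotate STORE HOST ACCOUNT: generate a new password and re-encrypt the store.
# The plaintext list only passes through pipes and shell variables, never a file.
rotate() {
    store=$1; host=$2; account=$3; old=''
    new=$(gen_password 20)
    [ "${#new}" -eq 20 ] || return 1
    if [ -f "$store" ]; then
        # Stop on a failed decrypt so a wrong key cannot wipe existing entries.
        old=$(gpg --quiet --decrypt "$store") || return 1
    fi
    { [ -z "$old" ] || printf '%s\n' "$old"; } |
        upsert_entry "$host" "$account" "$new" |
        gpg --quiet --batch --yes --recipient "$GPG_RECIPIENT" \
            --output "$store.new" --encrypt &&
        mv "$store.new" "$store"
}

# fetch STORE HOST ACCOUNT: decrypt the store and print one password.
fetch() {
    gpg --quiet --decrypt "$1" | lookup_entry "$2" "$3"
}
```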
* RE: OT: password management
@ 2003-01-08 15:44 Shaw, Marco
2003-01-08 15:42 ` Alok K. Dhir
0 siblings, 1 reply; 7+ messages in thread
From: Shaw, Marco @ 2003-01-08 15:44 UTC (permalink / raw)
To: linux-admin
>PAM (Pluggable Application Modules) provide a
>centralized mechanism for authenticating all services.
>It applies to login, rlogin, telnet, rsh, PPP, su
>among others. In fact, PAM can be used for any linux application. The best documentation is available at
>http://www.kernel.org/linux/libs/pam/
>Neon.
Keeping in mind, that unless I'm mistaken of some unknown functionality, PAM does not support a "distributed architecture". In other words, it's good for the server it's running on only. If the original poster is looking to centralize account management, then PAM, by itself will not be sufficient.
Something like NIS, NIS+, or some kind of centralized LDAP database would need to be set up.
Marco
RHCE
* RE: OT: password management
2003-01-08 15:44 Shaw, Marco
@ 2003-01-08 15:42 ` Alok K. Dhir
2003-01-08 16:12 ` Saint Neon
0 siblings, 1 reply; 7+ messages in thread
From: Alok K. Dhir @ 2003-01-08 15:42 UTC (permalink / raw)
To: 'Shaw, Marco', linux-admin
Actually, PAM in itself doesn't have any bearing on the architecture
being distributed or not - that is, you can easily set PAM up to use an
LDAP or NIS back end, and it will use it.
> -----Original Message-----
> From: linux-admin-owner@vger.kernel.org
> [mailto:linux-admin-owner@vger.kernel.org] On Behalf Of Shaw, Marco
> Sent: Wednesday, January 08, 2003 10:44 AM
> To: linux-admin@vger.kernel.org
> Subject: RE: OT: password management
>
>
>
> >PAM (Pluggable Application Modules) provide a
> >centralized mechanism for authenticating all services.
> >It applies to login, rlogin, telnet, rsh, PPP, su
> >among others. In fact, PAM can be used for any linux
> application. The
> >best documentation is available at
>
> >http://www.kernel.org/linux/libs/pam/
> >Neon.
>
> Keeping in mind, that unless I'm mistaken of some unknown functionality,
> PAM does not support a "distributed architecture". In other words, it's
> good for the server it's running on only. If the original poster is
> looking to centralize account management, then PAM, by itself will not
> be sufficient.
>
> Something like NIS, NIS+, or some kind of centralized LDAP database
> would need to be set up.
>
> Marco
> RHCE
* RE: OT: password management
2003-01-08 15:42 ` Alok K. Dhir
@ 2003-01-08 16:12 ` Saint Neon
0 siblings, 0 replies; 7+ messages in thread
From: Saint Neon @ 2003-01-08 16:12 UTC (permalink / raw)
To: Alok K. Dhir; +Cc: linux-admin
Sorry about the previous answer. :)
Yep, I do think that PAM isn't directly affected by a
distributed architecture, though, I have to say, that
I will have to look up into how to go about doing it.
Maybe you will have to write your own little shell
script for it :( But I really think PAM can do it.
The other solution to do this would be NIS(YP), or
NIS+, as someone said before. But I am a little
against it, because NIS has had its share of security
problems. I looked up some websites, and this is what
I have:
for NIS and NIS+ HOWTO,
http://www.ibiblio.org/mdw/HOWTO/NIS-HOWTO/
for NIS related security issues,
http://www.eng.auburn.edu/users/doug/nis.html
Take care that you will have to use utilities like
yppasswd, ypchfn, ypchsh instead of their counterparts
like passwd, chfn, chsh, because these things only
affect files on local systems, and not over a network.
They are required when distributing passwords over
NIS(YP).
Neon.
P.S -> the previous link in kernel.org is not
working. Sorry about that.
--- "Alok K. Dhir" <adhir@symplicity.com> wrote:
> Actually, PAM in itself doesn't have any bearing on
> the architecture
> being distributed or not - that is, you can easily
> set PAM up to use an
> LDAP or NIS back end, and it will use it.
>