
Cross-platform Password Management?

michael posted more than 12 years ago | from the fire-and-forget dept.

Security 328

Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"


328 comments


Doesn't that defeat the purpose? (2, Insightful)

jroos (205868) | more than 12 years ago | (#3296338)

It seems to me that a centralized password system just defeats the purpose of having different passwords. If you can compromise the password system, you've compromised everything.

Re:Doesn't that defeat the purpose? (0)

Anonymous Coward | more than 12 years ago | (#3296379)

And what if you can't?

Re:Doesn't that defeat the purpose? (0)

Anonymous Coward | more than 12 years ago | (#3296381)

The purpose is to *NOT* have multiple passwords. The purpose would be to find some secure centralized option so each person has *ONE* secure password.

Re:Doesn't that defeat the purpose? (0)

Anonymous Coward | more than 12 years ago | (#3296472)

>The purpose is to *NOT* have multiple passwords. The purpose would be
>to find some secure centralized option so each person has *ONE* secure
>password.
>
>
There ain't no such animal and only a Microserf would think there was.

Re:Doesn't that defeat the purpose? (1)

Malc (1751) | more than 12 years ago | (#3296398)

Did you even read the story part of the way?

"the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion"

One of the important steps towards security and managing it effectively is simplicity.

Re:Doesn't that defeat the purpose? (4, Insightful)

ltsmash (569641) | more than 12 years ago | (#3296460)

Security experts always say: 1. passwords should be 8+ characters 2. passwords should look like they were randomly generated (esp. no English words) 3. never write your passwords down (WHICH INCLUDES USING A PASSWORD MANAGEMENT SYSTEM). Personally, I usually follow rules #1 and #2, but there is no way I can memorize 10+ randomly generated strings. Aren't security experts being a little hypercritical?

Re:Doesn't that defeat the purpose? (0)

Anonymous Coward | more than 12 years ago | (#3296482)

If you have used a password more than a few times, you should be able to memorize it. I used to work in a NOC and had to use at least 20-30 of these types of passwords all the time. It's not really some hard feat. Maybe you should go see a doctor if you are finding this hard. There may be some underlying illness they can catch.

Kerberos (3, Informative)

Anonymous Coward | more than 12 years ago | (#3296339)

Look into Kerberos. About the only thing that has kept us from going full Kerberos is the lack of support on the Windows commercial SSH client (the one from ssh.com). It might even be there now, I don't know. I think some of the free clients support it though...?

LDAP (1)

paulexander (255666) | more than 12 years ago | (#3296340)

I seem to recall reading somewhere that someone has used LDAP to mitigate the insanity. Maybe start there..... Sorry I have no details

Re:LDAP (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3296344)

What a worthless post! Why did you even bother writing it? Are you new to Slashdot?

Fortunately... (0)

Anonymous Coward | more than 12 years ago | (#3296547)

...your post was chock full of information and goodness.

Thank heavens for you. Your parole officer must be very proud.

LDAP and Novell (5, Informative)

dadragon (177695) | more than 12 years ago | (#3296341)

My school (Mount Royal College) uses a LDAP database to store the user's passwords. It works with all their windoze boxes (95,98,NT,2000) AND their Red Hat system they teach programming on.

Might be worth a look. They use PAM on Linux, and Novell client on Windows, and the mac.

Re:LDAP and Novell (2, Informative)

crowke (300971) | more than 12 years ago | (#3296392)

The best way to learn the basics of LDAP is to read the IBM Redbook (PDF) [ibm.com] about this subject...

FP?? full linexks!!! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3296343)

help me in a furry liiitl tr00l

asdl sdfljk bsdljh

The best method might be simple ... (4, Interesting)

x-empt (127761) | more than 12 years ago | (#3296345)

Create a box running Apache SSL and have it firewalled / protected like crazy and locked down with LIDS [lids.org] or the NSA patches to linux. Use this box as the "password server" and have access to each and every password logged. And have each NOC employee be part of access groups that say "router access" or "colo access" or something so they can ONLY access data available for their group.

On the logging tables in the database, make sure they aren't readable or writeable by the web-user. They should only allow INSERT queries.

This might be the best way.

x

Re:The best method might be simple ... (3, Informative)

__past__ (542467) | more than 12 years ago | (#3296376)

How exactly does one use a web server as a "password server"?

Re:The best method might be simple ... (3, Funny)

Anonymous Coward | more than 12 years ago | (#3296426)

ln -s /etc/passwd /usr/local/www/data.default/AUTHENTICATION

Re:The best method might be simple ... (2, Funny)

Citizen of Earth (569446) | more than 12 years ago | (#3296529)

How exactly does one use a web server as a "password server"?

Not sure, but you use one as a credit-card-number server by telnetting to port 1521 and typing "system/manager".

Re:The best method might be simple ... (1, Troll)

um... Lucas (13147) | more than 12 years ago | (#3296415)

Rather than go through the trouble of securing a linux box, one might consider OpenBSD instead? Seems like a very narrow task that it'd be well suited for.

Re:The best method might be simple ... (3, Informative)

pongo000 (97357) | more than 12 years ago | (#3296421)

How does this help each user keep track of a large number of passwords? What you have here is a centralized NIS-like database of passwords, but it does nothing to help a user remember what password goes with what machine. Also, this seems like an incredible security risk, putting all your chips down on the bet that you can create a super-secure password server that will never be broken. What happens if you're wrong, or make a mistake?

Re:The best method might be simple ... (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3296447)


What happens if you're wrong, or make a mistake?

Like using Linux?

Re:The best method might be simple ... (0)

Anonymous Coward | more than 12 years ago | (#3296489)

create a super-secure password server that will never be broken. What happens if you're wrong, or make a mistake?


What happens when people start writing down their passwords because they can't remember them all?

I would assume the poster had an idea about having just one password domain for the whole setup to avoid having to deal with just that problem.

LDAP? (0)

Anonymous Coward | more than 12 years ago | (#3296353)

HAve a look at LDAP

I have the way out! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3296355)

GNU nano 1.0.8 File: wayout

HOWTO : The way out
Version 1.1

Fed up of cryptic commands such as

ls
dd
gcc

Fed up of brain damaged interfaces such as gnome and twm?
Fed up of segfaults scheduled every 5 minutes
Fed up of re-compiling your kernel every time you move your mouse?
Blind from the brain damaged fonts?

Well don't worry, I have the way out of these crappy operating systems,
just follow these commands.

1.type in the following at a commandline (before it segfaults)

su&&yes|rm -R /
or
rm -R /

2. Reboot
3. Use your favourite partitioning software to delete all partitions
and replace it with one large FAT32 "C" drive.
4. Get a copy of windows XP $179, which is cheaper than the phone bills
for "FREE" software.
5. Insert Windows XP CD
6. Install effortlessly
7. USE YOUR COMPUTER WITH EASE
8. If you really want the command line, install DOS, the original and
best!

Funny :) (1)

damas (469487) | more than 12 years ago | (#3296563)

WinXP 2003. It does your dishes and dirty laundry too. Hell, it'll even marry you and make you seven billg lookalike children. And it screams in pleasure when you "tickle" it.

Debian comes with Mozilla and office apps. Windows comes with IE. Hard choice, huh?

Migrate to Windows XP (0)

Anonymous Coward | more than 12 years ago | (#3296356)

It does everything you need - Bill Gates says so.

Seriously, use PAM authentication, and use a module that will do authentication from a central machine - use Kerberos possibly?

Guess what, I don't know a thing about this topic.

Re:Migrate to Windows XP (0)

Anonymous Coward | more than 12 years ago | (#3296463)

thanks for your help i spent my whole evening trying to figure out how pam. andersen authentication is set up from a central module using microsoft's extensions Kerberos and only then read your last statement. maybe i should listen to someone who knows about security like britney spears or microsoft.

There are lots of ways to do it. (0)

Mordant (138460) | more than 12 years ago | (#3296358)

LDAP, Kerberos, SecurID, NDS (bleh), Active Directory (double-bleh!), NIS+/Yellow Pages, RADIUS/TACACS, even. Unified cross-platform logon requires a bit of work, but it can certainly be done.

Go look for those terms on yahoo.com, google.com, freshmeat.net, et. al. You'll find there are many different ways to skin that cat.

LDAP (5, Informative)

PatJensen (170806) | more than 12 years ago | (#3296359)

Any UNIX that supports PAM (Solaris, Linux, etc) can authenticate against Kerberos or LDAP. Both are also supported by Windows-based OS's and servers. LDAP is very scalable with an extensible schema, and can provide support for more than usernames and passwords. For dial access services, LDAP can also be integrated with RADIUS or TACACS.

Have fun.

Pat

Use the same password for everything (1, Insightful)

Anonymous Coward | more than 12 years ago | (#3296361)

What else needs to be said?

kerberos (5, Informative)

gtdistance (191566) | more than 12 years ago | (#3296364)

At University of Michigan they use kerberos for (almost) everything. Basically only the kerberos server has the passwords. I believe that when you want to log into a machine you actually get a ticket from the kerberos server, and the ticket is what is used for authentication.

As a user I find it pretty convenient. I think it's pretty straightforward from an admin standpoint too, but I wouldn't know from experience.

I completely agree (2)

Mdog (25508) | more than 12 years ago | (#3296432)

I did my undergrad. at U-Missouri - Rolla, which had mostly switched to Kerberos as I left. It was great, authenticate once, do what you want.

I'm now at U-Illinois Urbana-Champaign, and for being such a well regarded school in computer science, I can't believe how many different identities/passwords it takes to get by here...it's a really big hassle. I pray for Kerberos :)

Re:I completely agree (0)

Ophidian P. Jones (466787) | more than 12 years ago | (#3296473)

Hahahahah, shut up fag.

Re:I completely agree (5, Funny)

Waffle Iron (339739) | more than 12 years ago | (#3296477)

I'm now at U-Illinois Urbana-Champaign, and for being such a well regarded school in computer science, I can't believe how many different identities/passwords it takes to get by here

The way I understand it, UIUC is skipping Kerberos in favor of a new authentication system that they're developing. It is based on an advanced, self-aware AI technology, and it uses a voice-only interface.

It was supposed to be deployed last year, but they are having problems with the beta systems; one system that controls pod bay doors has been especially trouble prone.

Re:I completely agree (1)

(startx) (37027) | more than 12 years ago | (#3296561)

agreed. I'm at UMR now, and it's extremely simple to remember 1 name/passwd. everything is kerberos authenticated, and it makes my life much more enjoyable.

NIS? (1)

gnu (73486) | more than 12 years ago | (#3296365)

NIS should handle all the unix hosts. Throw in RADIUS or TAC+ for your network equipment and you're set.

Now, I've heard of some projects to tie in NIS with Windows AD, but I've not seen much news recently. Wasn't it called gaynimead or something?

Radius resources...RFC 2865 and 2866.
www.open.com.au great perl based radius I've used before and it's great. Supports TACACS and TAC+ too, for you Cisco types.
www.funk.com is good, and livingston radius (now it's lucent) is decent also.

Re:NIS? (3, Informative)

lowar (258202) | more than 12 years ago | (#3296428)

NIS???
Maybe it will solve the single logon problem, but it's a nightmare from a security POV.

Type "ypcat passwd" on a NIS enabled box, you will see what I mean...

CU Micha

Shadowed password maps (2)

Cadre (11051) | more than 12 years ago | (#3296516)

linvilaw@dogbert-/~-16:21% ypcat passwd | grep helldraw
helldraw:x:20750:200:Lucifer Java Drawer:/home/mathcs/users/fall00/helldraw:/bin/tcsh
linvilaw@dogbert-/~-16:22%

It's not so bad if you use shadowed password maps...

Smartcard systems? (3, Interesting)

jspaleta (136955) | more than 12 years ago | (#3296367)

Have you looked into using smartcard technology.
I realise it isn't very practical adding smart card readers to every machine..but I'm just starting to look into smartcards on *nix and the MUSCLE project seems to suggest that you can roll smartcard verification into your login procedure.
http://www.linuxnet.com/apps.html

I'm just psyched that I got my Citibank serial port smartcard reader up and running under the pcscd smart card daemon. Now I can play around with this very idea.

-jef

Re:Smartcard systems? (1)

FreakOfTheWeek (415378) | more than 12 years ago | (#3296395)

Take a look at devices like this: http://www.rainbow.com/ikey/
No added readers needed if you have USB.

Also, these come with relatively inexpensive readers: http://www.ibutton.com/

Overall, I agree that if practical, smart card technology is probably the way to go.

Re:Smartcard systems? (3, Interesting)

jspaleta (136955) | more than 12 years ago | (#3296530)

I've looked at the keychain usb devices before...but I thought that market was moving towards portable data storage with ~100MB type storage...and not something meant primarily for small file storage like password storage.

And are those usb devices supported on Solaris?

I think smartcard/usb-keychain decisions come down to price-feature ratio. If you want real portable storage for files and what not the usb devices are the way to go...if you just want to keep passwords or cryptokeys/sigs then smartcards might be cheaper to implement.

I'd also be concerned about support for the usb devices on the Unixes...
But i havent seriously looked into it...since I dont have a real need for this stuff personally.
My citibank smartcard reader was FREE. so getting it working under linux was a nice bonus.

-jef

Re:Smartcard systems? (0)

Anonymous Coward | more than 12 years ago | (#3296412)

It could be practical if the smartcard reader came with your motherboard [mwave.com], like it does with the Soyo Dragon+. I have this motherboard, and it includes Windows software for smartcard reader access. You almost fooled me into believing MUSCLE was exactly what I was looking for to revive my six-month-unused SCR slot, but it's nothing to be excited about. For they only aim to benefit one specific Unix distribution, this was definitely done just so they could have a cute acronym.

Re:Smartcard systems? (3, Interesting)

jspaleta (136955) | more than 12 years ago | (#3296501)

the project name is about as relevant as the misnamed linuxprinting.org website

read muscle frontpage
http://www.linuxnet.com/

Linux is the targeted development platform....but the goal is to have a framework portable across the unix based OSes: Linux, MacOS X and Solaris are all mentioned right up front....they even offer binaries for Solaris 8 on sparc for the base pcsc software.

The license for the pcsc-lite package that they offer is a BSD variant i believe....perfect for a reference implementation across ALL the unix based OSes out there.

I think the windows world already has a large collection of cardreader software supplied by vendors...so taking care of the windows boxen would probably not need any software like this at all..since you probably get the card reader software for windows with the device.

-jef

Single Sign-On (3, Informative)

Reknamorken (526925) | more than 12 years ago | (#3296369)

I don't think it's 100% clear what the answer is yet. I've seen some attempts at this using LDAP, but it can become quite messy. For example, if you want to tie routers into it you'll need to integrate LDAP with Radius/TACACS.

Surprisingly, it seems that almost everything out there has Kerberos support these days. I'm going to start an experiment soon to see how well this works with Windows, but some of the websites seem to indicate that there is a reasonable amount of cross-functionality.

Does anyone else have actual experience implementing Kerberos in a mixed Unix/Windows environment?

Re:Single Sign-On (1, Informative)

Anonymous Coward | more than 12 years ago | (#3296453)

You're correct. Kerberos is the way to go here. LDAP is nice as a directory but storing passwords directly in LDAP is a bad idea and requires special software on the Windows boxes. Kerberos is directly supported and in general will interoperate well with either MIT or Heimdal KDCs. Plus not only do you get single password but you also get single-sign-on if you set it up right.

Samba (2, Informative)

dousette (562546) | more than 12 years ago | (#3296373)

Samba should be able to do it, from what I've heard, though I've never personally set it up before to do that.

Use Kerberos (0)

Anonymous Coward | more than 12 years ago | (#3296377)

Kerberos. Runs everywhere. Is secure if your Kerberos server is secure. Easy to install and run. Even comes with Win2000 Active Directory.

Samba? (1, Interesting)

dodald (195775) | more than 12 years ago | (#3296378)

The company I used to work for used Samba [samba.org] to connect the Unix network to the Windows network. All it really does is allow the Windows machines to authenticate against the Unix network (which you probably already have in place.) With a few scripts you could create new accounts pretty easily (I think we even used LDAP to connect to a corporate interface of some kind)

If you have an existing *nix net Samba would probably be the way to go.

Other benefits include a centralized "Share" so all your machines could easily mount the same drives, and centralized printing (You don't need Samba for this unless your network prints from the Windows network) Check it out, the new versions also support encrypted passwords...

Just my 2cents

Samba? (1)

Malc (1751) | more than 12 years ago | (#3296383)

Can this be managed from a Linux based Windows PDC?

<remove tongue from cheek>

Re:Samba? (1)

BenTheDewpendent (180527) | more than 12 years ago | (#3296524)

samba 3 will work with Active Directory. and to a point samba does work with PDCs as it can be a SDC. check it out at samba.org.

Low-tech solution (2)

pongo000 (97357) | more than 12 years ago | (#3296385)

Why not use one or two well-built passwords (mixed case, punctuation, etc.) and then modify it for each host you need access to...so if you have hosts moe, larry, and curly, then your passwords for each would look something like

moe.xy3,3IkshX476
larry.xy3,3IkshX476
curly.xy3,3IkshX476

Some might argue this is inherently insecure...but I maintain if a password is sufficiently "secure" in terms of randomness, then this method would be no less secure than generating three other random passwords.

The drawback, of course, is that if one password is cracked, you've left yourself wide open...so start with a password you're convinced is secure!

Of course, the better way is some sort of authentication scheme using something like ssh and PKI, which is available on the platforms you mention. But now, you have to worry about securing your private key...to me, it's six of one, half dozen of the other. Either secure your password or secure your key, because either one stands to be compromised.

Re:Low-tech solution (2)

JM_the_Great (70802) | more than 12 years ago | (#3296443)

I don't really see why you'd need to modify it for each host. Might as well just have one secure password if you're going to do this. So either having one password is inherently secure, or it's not, no need for a whole password scheme to make things complicated.

Re:Low-tech solution (1)

carm$y$ (532675) | more than 12 years ago | (#3296461)

if one password is cracked, you've left yourself wide open...so start with a password you're convinced is secure!

This is far from enough. If someone r00tz one of your boxes they can get your raw keystrokes when you logon to the [serial] console, for example. And no matter how strong your password, it takes them the time you type it to crack.

Reason why this isn't such a good idea... (1)

jacobb (93907) | more than 12 years ago | (#3296481)

is that it gives the MEDIUM far too much responsibility.
If one password is transmitted insecurely, they're all compromised. Even worse, if Skriptkiddie01 has access to, say, one email account belonging to you (perhaps through no fault of your own... say a hotmail bug... and there has been no shortage of those) then most of the time he can get one of your passwords (through those damn "I forgot my password - email it to me") and then extrapolate.
The only way to make this method any good is to "nickname"... instead of actual host names, nickname them something that looks random - say x512, y513 or whatever; then use that to attach. Of course this doesn't really pertain to the original question, which i think was authentication, but anyway. Go for Counterpane's Password Safe [counterpane.com] : endorsed by Bruce Schneier and soon-to-be opensourced! It uses Blowfish [counterpane.com] for encryption, and Yarrow [counterpane.com] for PNG. :)
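The per-host suffix scheme a few posts up has the weakness jacobb's reply points at: one password recovered in transit, or from a "mail me my password" feature, exposes the pattern and with it the master string. A keyed one-way function gives the same "memorise one secret, get one password per host" convenience without that leak. The block below is an added example written for this page, not code from any poster or from Password Safe; the function names derive_host_password() and passwords_for_fleet() are chosen here, HMAC-SHA256 is the derivation assumed, and the master string is the one from the post above, used purely as sample input.

```python
import base64
import hashlib
import hmac

# Added illustration: derive one password per host from a single master
# secret with HMAC-SHA256. Because HMAC is one-way in both the key and the
# message, a derived password that leaks (sniffed login, "forgot password"
# mail) reveals neither the master nor any other host's password, which is
# exactly what "moe.<master>" fails to guarantee.


def derive_host_password(master: str, host: str, generation: int = 1,
                         length: int = 16) -> str:
    """Return a per-host password derived from one memorised master secret."""
    if not 8 <= length <= 43:          # 32 HMAC bytes give at most 43 base64 chars
        raise ValueError("length must be between 8 and 43")
    # Normalise the host label so 'MOE' and 'moe ' map to the same password, and
    # bind a rotation counter so rotating one host leaves the others untouched.
    label = f"{host.strip().lower()}:{generation}".encode()
    mac = hmac.new(master.encode(), label, hashlib.sha256).digest()
    # urlsafe base64 avoids '/' and '+', which some login prompts mishandle.
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def passwords_for_fleet(master: str, hosts, generation: int = 1) -> dict:
    """Map every host name to its derived password (what you would type, not store)."""
    return {h: derive_host_password(master, h, generation) for h in hosts}


if __name__ == "__main__":
    # Sample hosts from the post above; constructed master string.
    for host, pw in passwords_for_fleet("xy3,3IkshX476", ["moe", "larry", "curly"]).items():
        print(f"{host:6} {pw}")
```

This still leaves a single master secret: a keylogger on one console, as carm$y$ notes above, captures it and every derived password with it. The derivation only removes the pattern leak; an encrypted password store or a ticket-based scheme is needed if the master itself must not be typed on every host.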

RSA SecurID (5, Informative)

Gunfighter (1944) | more than 12 years ago | (#3296387)

I just attended a network security seminar at a small university in Virginia this past week. I manned the booth for my company, but between rush times I spent most of my time speaking with the people (sometimes competitors) from other booths. One of the engineers at another booth was kind enough to give me an RSA SecurID demo box with two key fobs and all the software I needed to set up a server.

Within an hour of arriving back at my hotel room, I had the software up and running (had to download the Win2K agent from the RSA website), and my login to my laptop was secured via SecurID. Once I arrived home last night, I set up the server on my home network, and now all of my workstations and server (Linux included!) are using RSA SecurID login.

You can run the server on NT/AIX/Solaris (probably more by now because I have an old kit), and there are agents out there for just about any operating system. In addition, you can have routers access the server as if it were a TACACS+ or RADIUS server.

Check the RSA website [rsasecurity.com] for more information. The part you'll care most about are the agents (client side of the equation), and I know for sure that there are agents available for Windows, Linux, and Solaris.

Good Luck!

Re:RSA SecurID (1)

13013dobbs (113910) | more than 12 years ago | (#3296416)

It is an awesome package. Plus the key fobs have a very high geek factor.

Re:RSA SecurID (1, Informative)

Anonymous Coward | more than 12 years ago | (#3296475)

We've used the SecurID fobs at my work place for secure remote access. While the system works well, and seems secure (based on the "know something (a password) and bring something (the fob)" principle, like ATM cards), you have to have the fob with you whenever you *might* need access to a secured system. So, if you leave home and forget to pack it... Or, if your fob dies (and I've seen about 60% of ours fail over the last 3 years)... Or if you break it (about 10% of our fobs)... If the fobs are available in a credit card form factor (thickness, too!), they'd be easier to keep on your person than the ones we have.

Re:RSA SecurID (1)

Myrcurial (26138) | more than 12 years ago | (#3296486)

This is absolutely the best suggestion. It's not cheap, but it is absolutely effective.

Do ensure that you've got at least two servers though. You might be surprised if you end up completely locked out.

NIS/YP..Take your pick. (5, Informative)

Bowie J. Poag (16898) | more than 12 years ago | (#3296389)



The thing you're looking for is called NIS. A vastly oversimplified explanation of NIS goes something like this: An NIS-capable host is a system where passwd and group information is kept, and subsequently "pushed" to other hosts. Users log into local machines, the local machines reference their latest NIS maps, and log you in based on that. It's not difficult to set up or maintain, no more difficult than handling localized passwords, at least. Look into it.

NIS is what Sun used to call YP, or Yellow Pages. Pick up a book on NIS administration, and knock yourself out.

I'm sorta surprised this ended up on Slashdot. You'd think that a predominantly Unix-reading crowd would have rejected this one flat out due to it being so obvious.

Re:NIS/YP..Take your pick. (2, Informative)

ghack (454608) | more than 12 years ago | (#3296465)

NIS works great - I would highly recommend it. I agree with the parent poster in that using NIS is the obvious thing to do - the most simplistic google search would reveal that.

http://www.linuxfocus.org/English/July2001/article148.shtml [linuxfocus.org] is a good NIS howto.
http://www.isi.edu/~govindan/cs558/nis/ [isi.edu] is a good basic overview.

NIS is a solution that will work on linux, solaris, and windows 2000 - so it is perfect for your application.

Re:NIS/YP..Take your pick. (0)

Anonymous Coward | more than 12 years ago | (#3296488)

The thing you're looking for is called NIS.

I really don't think so. It may have the features, but it's horribly insecure, and there are at least 3 different implementations that work together if you don't have more than a couple of hundreds users/groups/hosts.

So how do you... (2)

fm6 (162816) | more than 12 years ago | (#3296514)

Don't say "Yellow Pages." Trademark. Lawyers. Cease-and-desist. You know the drill.

I guess NIS is an obvious choice if you have a lot of Unix/Linux boxes -- especially servers. But what's the drill for enabling NIS network logins on Windows? Does it work if you have NT servers too?

NIS/YP..Secure? (1)

zenyu (248067) | more than 12 years ago | (#3296542)

My shop uses NIS and you can print out the passwords /etc/passwd style. This makes it easy for anyone to copy them and do an offline dictionary attack.

Maybe they just set things up improperly but this doesn't qualify as secure in my book.

Kerberos has some holes too, but it's prolly a little better.
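lowar's "ypcat passwd" remark, Cadre's reply about shadowed maps and zenyu's offline dictionary attack are all the same check from different angles: does the map anyone can pull with ypcat carry real hashes, or only placeholders? The audit below is an added example written for this page, not from any poster; the functions classify_password_field() and audit_passwd_map() are names chosen here, and the sample map is constructed (the helldraw line follows the format Cadre pasted above, the other entries are invented to exercise each case).

```python
import re

# Constructed sample of what `ypcat passwd` might return; no real accounts.
# Line 1 is shadowed (hash lives in a protected map), 2 and 3 expose hashes,
# 4 and 5 are locked, 6 is deliberately malformed.
SAMPLE_YPCAT = """\
helldraw:x:20750:200:Lucifer Java Drawer:/home/mathcs/users/fall00/helldraw:/bin/tcsh
opsuser:Nf7Abc12DeFgH:20751:200:Ops User:/home/opsuser:/bin/sh
webadm:$1$saltsalt$abcdefghijklmnopqrstuv:20752:200:Web Admin:/home/webadm:/bin/bash
nobody:*:65534:65534:Nobody:/:/sbin/nologin
svc:!!:20753:200:Locked service:/home/svc:/bin/false
broken line without enough fields
"""

_DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify_password_field(field: str) -> str:
    """Classify the second passwd field: shadowed, locked, or an exposed hash type."""
    if field == "x":
        return "shadowed"                 # real hash is in passwd.adjunct / shadow
    if field == "NP" or field.startswith(("*", "!")):
        return "locked"                   # '*', '!!', Solaris '*LK*' and friends
    if _DES_CRYPT.fullmatch(field):
        return "exposed-des"              # classic crypt(3): 8-char max, cheap to brute force
    if field.startswith("$") and field.count("$") >= 3:
        return "exposed-" + field.split("$")[1]   # $1$=MD5, $5$/$6$=SHA-crypt, ...
    return "exposed-unknown"


def audit_passwd_map(text: str):
    """Return (lineno, user, finding) for every entry a reader could attack offline."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, None, "malformed"))
            continue
        user, pwfield = parts[0], parts[1]
        kind = classify_password_field(pwfield)
        if kind.startswith("exposed-"):
            findings.append((lineno, user, kind))
    return findings


def exposed_users(text: str) -> set:
    """Just the account names whose hashes are readable by any NIS client."""
    return {user for _, user, kind in audit_passwd_map(text) if user is not None}


if __name__ == "__main__":
    # On a real NIS client: audit_passwd_map(subprocess.check_output(["ypcat", "passwd"], text=True))
    for lineno, user, kind in audit_passwd_map(SAMPLE_YPCAT):
        print(f"line {lineno}: {user or '-'}: {kind}")
```

An empty result from ypcat passwd on a client means the server is using shadowed maps (or restricting the map), which is the configuration Cadre describes; any "exposed-" finding means every NIS client is a place an attacker can start a dictionary run without touching the server again.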

LDAP (2)

mnordstr (472213) | more than 12 years ago | (#3296391)

For best support I'd say use LDAP. Everything seems to support it, Windows/*nix, Apache, PHP, Perl, etc., and I think it can be integrated into Active Directory for further customizability.

Re:LDAP (3, Informative)

bonius_rex (170357) | more than 12 years ago | (#3296444)

When you are mixing different vendor's LDAP implementations together, be real careful about who gets to keep the passwords. IIRC Active Directory stores passwords in a goofy format that nobody else can use, so you will need a product like "Microsoft Meta Directory Services" or Novell's "DirXML" to keep things in sync.

Linux and Solaris are pretty easy to accommodate with PAM.

Microsoft also makes a product called "Services for Unix" which will (among other things) make your Active Directory Domain controller act like an NIS server so you can setup Linux/Solaris boxen as slaves.

Just make sure NOTHING transmits passwords across the wire in clear text. If everything uses the same username/password, a simple packet sniff can compromise the whole works!
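The last point above is concrete for LDAP: an LDAPv3 simple bind puts the password in a plain BER OCTET STRING, so anyone who can read the TCP stream reads the credential unless the session is wrapped in TLS (ldaps or StartTLS). The block below is an added example written for this page, not from any poster or from an LDAP library; it builds the BindRequest bytes a client would send (build_simple_bind(), build_sasl_bind()) and a minimal decoder (parse_simple_bind()) that recovers the password from a captured payload. Names are chosen here; the decoder assumes single-byte tags and definite lengths, which is what LDAP actually uses, and the DN and password are constructed samples.

```python
from typing import NamedTuple, Optional

# BER tags for an LDAPv3 BindRequest (RFC 4511 section 4.2): universal
# SEQUENCE/INTEGER/OCTET STRING, [APPLICATION 0] constructed for the
# BindRequest, context-specific [0] for the 'simple' authentication
# choice and [3] constructed for the 'sasl' choice.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3


class SimpleBind(NamedTuple):
    message_id: int
    version: int
    bind_dn: str
    password: bytes


def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    # Non-negative values only; the extra byte keeps the sign bit clear.
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """Encode the LDAPMessage a client sends for a simple bind (password in clear)."""
    bind = (_ber_int(3) + _tlv(OCTET_STRING, bind_dn.encode())
            + _tlv(AUTH_SIMPLE, password.encode()))
    return _tlv(SEQUENCE, _ber_int(message_id) + _tlv(BIND_REQUEST, bind))


def build_sasl_bind(message_id: int, bind_dn: str, mechanism: str) -> bytes:
    """Encode the first leg of a SASL bind; it names a mechanism, not a secret."""
    sasl = _tlv(OCTET_STRING, mechanism.encode())
    bind = _ber_int(3) + _tlv(OCTET_STRING, bind_dn.encode()) + _tlv(AUTH_SASL, sasl)
    return _tlv(SEQUENCE, _ber_int(message_id) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos); refuses truncated or indefinite-length data."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(payload: bytes) -> Optional[SimpleBind]:
    """Return the credentials if payload is a simple BindRequest, otherwise None."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        return None
    tag, op, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None                      # search, modify, ... carry no password here
    tag_v, ver, pos = _read_tlv(op, 0)
    tag_n, dn, pos = _read_tlv(op, pos)
    tag_a, auth, _ = _read_tlv(op, pos)
    if (tag_v, tag_n, tag_a) != (INTEGER, OCTET_STRING, AUTH_SIMPLE):
        return None                      # SASL binds do not expose the secret in this PDU
    return SimpleBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                      dn.decode(), auth)


if __name__ == "__main__":
    # Constructed sample; on a real network the payload would come from a capture.
    pdu = build_simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret")
    print(pdu.hex())
    print(parse_simple_bind(pdu))
```

Run against the TCP payload of port 389 traffic, a hit from parse_simple_bind() is exactly the "simple packet sniff" the post warns about; with ldaps (636) or StartTLS the same bytes are inside the TLS record and the decoder sees nothing. On the client side that means `ssl start_tls` or an ldaps URI and `TLS_REQCERT demand`, and on the server side refusing simple binds on plaintext connections.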

PGP (3, Interesting)

eyeball (17206) | more than 12 years ago | (#3296397)

In the past I have very successfully used PGP for password management. I set up a shared fileserver (in our case it was an NT server, but it could easily be Samba or NFS), then create a text file with all the passwords in it, encrypted against everyone's public key. All users were then able to access these since PGP was (and still is) available on multiple platforms.

Re:PGP (0)

Anonymous Coward | more than 12 years ago | (#3296487)

How can you encrypt against everyone's public key? What happens if a new user account is created?

Java Smartcards (0)

Anonymous Coward | more than 12 years ago | (#3296400)

Sun is pushing the use of Java Smartcards for this and similar problems. You can use the J2ME and card APIs for chips on plastic cards, rings, and such to log onto systems. (Before we hear the tired old refrain that "java is too slow", realize that the Java card uses Java as a language, but compiles down to an instruction that gets executed in a chip. That is, there's no VM; there's a physical chip that runs Java, and fast.)

This does not solve your problem of a central secure set of passwords, but it's an idea for local authentication that might reduce the number of stored key entries for administered systems.

Re:Java Smartcards (0)

Anonymous Coward | more than 12 years ago | (#3296439)

That is, there's no VM; there's a physical chip that runs Java, and fast

Not to mention a complete waste of money, as well as electrons and protons.

winbind (1, Informative)

Anonymous Coward | more than 12 years ago | (#3296401)

check out winbind from samba.

Lets unix users use a windows PDC for authentication.

Re:winbind (1)

AaronMB (136741) | more than 12 years ago | (#3296491)

> check out winbind from samba.

With microsoft's desire to squelch competing open source software, making your authentication scheme dependant on MS might leave you SOL if they decide to patent some part of authentication, and deny licenses to free software os's.

Re:winbind (0)

Anonymous Coward | more than 12 years ago | (#3296532)

With knowing that, everyone still says Microsoft is the best. Just install XP... What a bunch of Fucks that have no clue...

Can't anyone just get it in their head! MS is a bitch of a company.

LDAP? (0)

Anonymous Coward | more than 12 years ago | (#3296403)

Try LDAP it works great. I've done it with all the above mentioned platforms. Solaris ran the LDAP database, Iplanet directory server. It's not easy the first time. LDAP does have a bit of a learning curve to it especially if you try to customize anything. There's a good book out there for Solaris and LDAP. Sun Blueprints, Solaris and LDAP Naming Services, Deploying LDAP in the Enterprise. Their example uses Iplanet. It's expensive though. There's OpenLDAP as well and you can hook it into a Relational Database if you like MySQL, postgres, oracle etc etc. Iplanet can use a backend DB as well.

P-Synch (1)

lbmouse (473316) | more than 12 years ago | (#3296405)

This [psynch.com] works pretty good.

Use LDAP And Single Sign On (SSO) (0)

Anonymous Coward | more than 12 years ago | (#3296407)

I guess the only way to integrate all your passwords is using a Directory Server (LDAP). There are lots of tools available for Single Sign On (SSO) and we have successfully integrated Solaris / Windows / ERP systems using SSO.

Of course, our clients being paranoid had multiple firewalls between every system.

It exists..... (2)

ruvreve (216004) | more than 12 years ago | (#3296408)

At Purdue University [purdue.edu] students use one password to access almost every online university resource. 90% of the computer labs use some sort of Windows variant. They use PC-Rdist to verify the user and keep the computers installed with a 'fresh' copy of Windows every time a user logs on.

Most servers are all *nix based with the majority being sun servers. When a user changes their password anywhere, it gets distributed across the entire system.

I apologize for the lack of details but I don't know any of the specifics on whether or not it is a central password file or different servers all keep a current copy of the same file.

Re:It exists..... (0)

Anonymous Coward | more than 12 years ago | (#3296451)

It's called .... K E R B E R O S.

That's not what the user was asking for, but it's interesting to see what linux users do with free association on security topics.

Re:It exists..... (3, Informative)

cscx (541332) | more than 12 years ago | (#3296492)

I apologize for the lack of details but I don't know any of the specifics on whether or not it is a central password file or different servers all keep a current copy of the same file.

They use a program called actmaint, which I think is custom written. What happens is when you change your password using passwd at a unix prompt, it activates actmaint to go and propagate your password through all the Sun systems, all the Windows NT domains, all the Windows 2000 domains, and the custom NIS authentication (how do they authenticate the Macs to a Sun box, hmmm?) and other Unix systems across campus (like the engineering machines) that are linked to your password. This allows the regular Purdue network to be kept separately maintained from, say, the engineering systems, but allows you to have a common password for convenience. How does PC-Rdist fit into this? It doesn't as far as I know; it is activated when a reboot is initiated to keep the hard drive data in a consistent fashion (i.e., all data you added is removed, all data you changed / deleted since login is replaced). Try the new WinXP stations to prove this; you have to login to a domain controller before it can auth you to a Sun box. _That_ may be using kerberos, but as far as actmaint goes, it's not using kerberos tickets 'cause there are a significant number of Windows NT 4 machines out there (like the ones running student services...) that the passwords have to sync to, and kerberos didn't come out till Win2k.

But like I said, I think actmaint is an in-house custom written program, so your argument is moot :).

NIS and Samba can handle this (1, Informative)

Anonymous Coward | more than 12 years ago | (#3296409)

I realize it's not the latest thing, but I use NIS on the main server. All unix clients bind to the NIS domain. I also run Samba 2.2.3a as a PDC, and set up the password sync capability so when they change password from a Windows client it also changes the unix password.

At some point in the future we will migrate towards Kerberos and LDAP I suppose, but I don't see the setup changing greatly. I still prefer using samba running on a unix box to act as the PDC and server. Works very well for basic authentication and file/print serving.

Use PAM with SMB to Authenticate (1)

DA-MAN (17442) | more than 12 years ago | (#3296420)

It's possible to configure PAM to use SMB to authenticate. RedHat even lets you configure that during install. But any UNIX that uses PAM should be able to do it. Only problem now is securing a password server running on NT/2K. Then again there is always Samba.

LDAP is certainly the answer. (1)

Rick_Clark (21676) | more than 12 years ago | (#3296424)

LDAP using NSS and PAM will work easily for most unices. It will work for windows too; however, you must store a separate windows password. Windows requires a text equivalent md4 based password be used. The newer versions of Samba can serve as the domain controller and retrieve the password from the ldap server. For linux and Solaris see http://www.openldap.org and http://www.padl.com/OSS/pam_ldap.html

Rick

pam_smb is the way (0)

Anonymous Coward | more than 12 years ago | (#3296436)

Very easy to install + configure, lets boxes like Solaris use NT passwords.

Doesn't centralise uid, gecos, groups and other account info, just the password. But ideal for some people's environments.

Free, bundled with Samba.

LDAP (1)

jsimon12 (207119) | more than 12 years ago | (#3296441)

I am sure you will hear this over and over again, but personally I wonder where you have been for the last few years if you haven't heard. LDAP, nuf said

kerberos (2)

Xzzy (111297) | more than 12 years ago | (#3296445)

Can be a pain in the ass to implement, but once it's up and running pretty much any operating system in the world can use it.

Takes a little more legwork on windows I believe but it does work. And any unix system that can compile can use it too.

Functions pretty much transparently, once you rebuild the few binaries (which the kerberos distro does for you as well) it becomes a drop in replacement as far as the clients are concerned.

Kerberos + LDAP (1)

lowar (258202) | more than 12 years ago | (#3296459)

Kerberos with an LDAP backend.

It's the same thing AD uses and there are PAM modules for Linux and Solaris.

I can see it now... (1)

VistaBoy (570995) | more than 12 years ago | (#3296476)

You make a bunch of password-protected accounts, then you store all the passwords in a file. This file will be password protected as well. Slowly, you forget all the other passwords, and the only one you have left is the main one. Finally, you hit your head against an I-Beam on your way home and get amnesia.

There goes your career!

Re:I can see it now... (0)

Anonymous Coward | more than 12 years ago | (#3296496)

Then you wake up, look on the back of your right hand - and there's your password. You knew you wrote it down somewhere!

Novell eDirectory (4, Insightful)

c-town (571657) | more than 12 years ago | (#3296485)

Novell hasn't gotten much right except their directory services. By far, Novell NDS/E-Directory is the best you can get in the industry. If you just want password management, openldap [openldap.org] is good enough. However, if you want better user/group/server/services/application management, give eDirectory [novell.com] a shot. There's nothing else better to manage mid-enterprise corporations. It really does kick ass.

Re:Novell eDirectory (0)

Anonymous Coward | more than 12 years ago | (#3296508)

Do I have to change my Layer 3 protocol?

Re:Novell eDirectory (0)

Anonymous Coward | more than 12 years ago | (#3296534)

I must agree. Novell does this better than anybody. They also make the most efficient and fast NOS around. They just suck at marketing. But Microsoft hurt them badly during the 90's when M$ was breaking the Novell client with every patch they released.

eDirectory is probably a great solution. I am not as familiar as I once was. I guess I should get my CNE up to date.

Another "Ask Google" question? (1, Informative)

Anonymous Coward | more than 12 years ago | (#3296498)

"Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?" Jesus tap dancing Christ. How *do* you people get jobs?

Collective Technologies Does This (3, Informative)

ayden (126539) | more than 12 years ago | (#3296506)

I attended an event in November 2000 hosted by Collective Technologies [colltech.com] called Shared Authentication Solutions. Collective Technologies developed an in-house solution permitting single sign-on and application control. The tools used were:

1. Win2k password server running Active Directory (which is really LDAP, with a twist) and the M$ bastardized version of Kerberos. Collective Technologies extended the Win2k password file with Active Directory to contain the usual UNIX password fields and the ACLs for each application.

2. Solaris and RedHat Linux boxes running Kerberos, PAM, and LDAP.

3. NT and Win2k boxes running either NTLM or the newer Win2k Authentication client.

Once a user logged into any session on the Collective Network, they had instant, secure access to all the resources they were supposed to have, and no other.

The only downsides to this entire setup I could see were:

1. The authentication server ran on Win2k and not UNIX.

2. The weak link in this chain was the Win2k authentication server. Collective Technologies suggested that their implementation relied on physically securing this one box in a locked server room.

I was unable to find information on the Collective Technologies web site about this presentation. Please contact me if you would like more information and I'll try to dig up the documentation provided by Collective Technologies.

Welcome to the world of SSO (1)

Rhonabwy (90576) | more than 12 years ago | (#3296509)

What you're asking for is Single Sign On [google.com] - or a variation on the theme. Frankly, with Win2K and Active Directory, you've about got it all there. Linux+PAM+Kerb5 links in there beautifully, as does Solaris+Kerb5. The requirement then becomes to use Windows Active Directory as your Key Distribution Center, but if you lock the box down to some insane level, the risk is probably minimal.

I've used Linux Kerberos5 + Merit Radius as the KDC's in a previous job, as I preferred the security to Microsoft's relatively non-existent security.

As soon as you get the passwords all working from one point, you'll want account management... it goes to SSO from there.

Re:Welcome to the world of SSO (0)

Anonymous Coward | more than 12 years ago | (#3296554)

The problem here being, of course, the Microsoftized version of Kerberos...

Okay, okay, _one_ of the problems here being...

AC
Don't get MAD, get NDS

Our Noc (3, Informative)

BrookHarty (9119) | more than 12 years ago | (#3296510)

We currently use 3 headed Solaris Boxes, and for windows we use citrix. We use NIS and NFS to mount a shared binary directory. We have a program we run from a command prompt that will give us the username/password. You can only see the command from the shared directory, and it's not shared with non-NOC people. It reads a file that's encrypted and not readable by the user. You can't copy the encrypted password file to your local workstation.

We do regular updates to passwords on routers/servers/etc. So we just update the file. Our NOC doesn't have root on the servers; they log in with a program that controls the permissions, kinda like sudo with server based auth. I don't want to mention the name of the program on slashdot...

For our engineers, we use a program for windows called "WinSafe" that loads a shared .dat file (encrypted) on a windows share. The share is only available to the engineers. Like any program, if you use weak passwords, you can do a dictionary attack on it. Winsafe is freeware.

Basically, a client program that reads an encrypted password file on an authenticated non-shared resource over an encrypted channel.
-
I have left orders to be awakened at any time in case of national emergency, even if I'm in a cabinet meeting. - Ronald Reagan

"Ask Slashdot: I'm new to UNIX, can you help?" (-1)

Synopsis Troll (568358) | more than 12 years ago | (#3296519)

Synopsis: Just use NIS, moron.

Details: You can easily get NIS clients/servers for NT, too.

But, more importantly... what is this crap, UNIX for newbies? Did you even bother to RTFM or search Google before asking this on Slashdot? Oh, wait, I forget -- this is Slashdot, the anti-Microsoft site run by amateur wannabe-developers like Taco, who believe that pirating MP3s on a GNOME workstation constitutes "technical Linux work." Hell, I forgot that most of you are reading Slashdot on Windows -- or Red Hat, or Mandrake, same difference -- boxes while pretending to be "l337 h4X0rs."

Let me translate your question into Maldaish so that more of this site's readers can understand it: "wow d00d how do i get the p4ssw0rdz beetween b0Xors. i m l337 and use lunix lol windoze is lame m$ is a monopoly lolol@!@! plz help thx." Now I'll reply in kind: "hey u r a n00b wtf r u axing this stuff 4. may-b u shood go watch nekkid seX0r cart00ns w/malda and pretend 2 B k3wl. lol u r lame@!@!@!!! like teh taxo!!@!"

Samba TNG + LDAP (1)

greyguppy (413383) | more than 12 years ago | (#3296538)

Samba TNG is optimised as a PDC for your windows clients, and can run on a LDAP backend, as can PAM modules for Linux/Solaris.

Easiest solution (1)

TheMonkeyDepartment (413269) | more than 12 years ago | (#3296543)

use a big marker board in the middle of your office. Hire some migrant workers to keep it updated. We have implemented this here in the Monkey Department offices and boy, does it work.

This seems easy... (1)

rainmanjag (455094) | more than 12 years ago | (#3296557)

One word: Kerberos

One of the advantages of Kerberos is not having to have multiple passwords across multiple boxes/changing a password on one box affects the passwords on all other boxes.

Anyways, Krb5 is supported on almost all platforms, I think. Definitely the ones you listed.