 
Old 05-12-2008, 04:21 PM
"Wojciech Ziniewicz"
 
Default best way to remotely manage user credentials

Hello
I would like to hear some word in my problem.
I have X servers with pam authentication and ssh daemon.
People use ftp servers and run their applications but there should be
one central server that will manage passwords and users.

I would like to use something like

/usr/bin/changepassword <server_address> <user> <newpassword>

there's no problem writing such thing with bash and ssh keys but maybe
someone knows better solution ?

regards
WZ

--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
ct;umount;makeclean; zip;split;done;exit:xargs!!}


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 05-13-2008, 12:04 AM
Diego Lacerda
 
Default best way to remotely manage user credentials

Hi, WZ,

I think that the best way to do this is integrating your systems with a
LDAP directory, or something similar.

Regards,
--
Diego Evaristo de Lacerda (diegolacerda@gmail.com)
Project Analyst
LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
Associates

URL: conectado.motime.com

On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
> Hello
> I would like to hear some word in my problem.
> I have X servers with pam authentication and ssh daemon.
> People use ftp servers and run their applications but there should be
> one central server that will manage passwords and users.
>
> I would like to use something like
>
> /usr/bin/changepassword <server_address> <user> <newpassword>
>
> there's no problem writing such thing with bash and ssh keys but maybe
> someone knows better solution ?
>
> regards
> WZ
>
> --
> Wojciech Ziniewicz
> Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
> ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
> ct;umount;makeclean; zip;split;done;exit:xargs!!}
 
Old 05-13-2008, 07:38 AM
Matus UHLAR - fantomas
 
Default best way to remotely manage user credentials

On 12.05.08 18:21, Wojciech Ziniewicz wrote:
> I would like to hear some word in my problem.
> I have X servers with pam authentication and ssh daemon.
> People use ftp servers and run their applications but there should be
> one central server that will manage passwords and users.
>
> I would like to use something like
>
> /usr/bin/changepassword <server_address> <user> <newpassword>

just note that when someone does 'ps' on the machine when you execute this
script, (s)he can see the arguments, and therefore the password. Yes, the
grsecurity patch can prevent ordinary people from seeing the password, but
this is usually not taken as secure...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.
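
Added example (not part of the original thread) illustrating the `ps` point above: it starts one child with the password in its arguments and one that receives it on stdin, then checks what a local user could read from each process's argument list. The host name, user name and password are constructed placeholders, and `/proc` on Linux is assumed.

```sh
#!/bin/sh
# Added example, not from the thread. SECRET is a constructed demo value.
SECRET='Demo-N3w-Passw0rd'

# Succeeds if SECRET appears in the argument list of process $1.
# ps reads /proc/<pid>/cmdline, which any local user can read by default.
visible_in_args() {
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$SECRET"
}

# Weak form: the password is an argument, as in
#   changepassword <server_address> <user> <newpassword>
# The same exposure exists on the remote host if the ssh command line
# carries the password there.
argv_exposed() {
    sh -c 'sleep 2; :' changepassword host.example alice "$SECRET" &
    pid=$!
    sleep 1                          # give the child time to exec
    visible_in_args "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

# Safer form: the password travels on stdin as a "user:password" line, the
# input chpasswd(8) reads. printf is a shell builtin, so no process ever has
# the secret in its arguments. Against a real server this would be
#   printf '%s:%s\n' "$user" "$pw" | ssh root@host.example chpasswd
stdin_exposed() {
    printf '%s:%s\n' alice "$SECRET" |
        sh -c 'IFS=: read -r user pw; sleep 2; :' &
    pid=$!
    sleep 1
    visible_in_args "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

if argv_exposed; then echo "argv:  password visible to ps"; fi
if stdin_exposed; then echo "stdin: password visible to ps"
else echo "stdin: password not visible to ps"; fi
```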


 
Old 05-13-2008, 10:39 AM
"Wojciech Ziniewicz"
 
Default best way to remotely manage user credentials

2008/5/13 Matus UHLAR - fantomas <uhlar@fantomas.sk>:

> just note that when someone does 'ps' on machine you when execute this
> script, (s)he can see arguments, therefore the password. Yes, grsecurity
> patch can prevent ordinary people from seeing the password, but this is
> usually not taken as secure...

Sure, it would not be secure if the "managing" server was a multiuser system.
There's only a www server without ftp, ssh etc.

I hear "ldap" all the time but don't think that ldap will be the remedy.

more or less -thanks for feedback


regards
wojtek ziniewicz

--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
ct;umount;makeclean; zip;split;done;exit:xargs!!}


 
Old 05-13-2008, 11:10 AM
Thomas Goirand
 
Default best way to remotely manage user credentials

Wojciech Ziniewicz wrote:
> Hello
> I would like to hear some word in my problem.
> I have X servers with pam authentication and ssh daemon.
> People use ftp servers and run their applications but there should be
> one central server that will manage passwords and users.
>
> I would like to use something like
>
> /usr/bin/changepassword <server_address> <user> <newpassword>
>
> there's no problem writing such thing with bash and ssh keys but maybe
> someone knows better solution ?

There's an easier way than writing it with a bash script. Use NSSMySQL
and write a small php/python/ruby/perl/whatever-you-like web application
for your users to change the password stored in MySQL. The other
advantage is that it's going to be damned easy to reuse this with
network, and to do backups. You can encrypt the MySQL connection if you
wish to prevent sniffing.

Thomas


 
Old 05-13-2008, 12:51 PM
"Wojciech Ziniewicz"
 
Default best way to remotely manage user credentials

2008/5/13 Thomas Goirand <thomas@goirand.fr>:
> There's more easy way than writing it with a bash script. Use NSSMySQL
> and write a small php/python/ruby/perl/whatever-you-like web application
> for your users to change the password stored in MySQL. The other
> advantage is that it's going to be damned easy to reuse this with
> network, and to do backups. You can encrypt the MySQL connection if you
> wish to prevent sniffing.

I tried nss-mysql with no success.

i have to store and use information that is exactly the same as normal
ordinary pam . what did not work with nss-mysql was su and passwd
(users HAVE to use passwd on those systems )

probably i will write something like master server with mysql database
that will be bash-style replicated on other servers.


regards
--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
ct;umount;makeclean; zip;split;done;exit:xargs!!}


 
Old 05-13-2008, 01:06 PM
Marcin Sochacki
 
Default best way to remotely manage user credentials

On Tue, May 13, 2008 at 02:51:54PM +0200, Wojciech Ziniewicz wrote:
> 2008/5/13 Thomas Goirand <thomas@goirand.fr>:
> > There's more easy way than writing it with a bash script. Use NSSMySQL
> > and write a small php/python/ruby/perl/whatever-you-like web application
> > for your users to change the password stored in MySQL. The other
> > advantage is that it's going to be damned easy to reuse this with
> > network, and to do backups. You can encrypt the MySQL connection if you
> > wish to prevent sniffing.
>
> I tried nss-mysql with no success.
>
> i have to store and use information that is exactly the same as normal
> ordinary pam . what did not work with nss-mysql was su and passwd
> (users HAVE to use passwd on those systems )
>
> probably i will write something like master server with mysql database
> that will be bash-style replicated on other servers.

Because NSS is only used for lookup (read-only) queries.

For things like password management you need to install pam-mysql in
addition to nss-mysql and point its configuration to the same database
as NSS. I did it some time ago and it worked fine.

I had some issues with nscd instability though -- it crashed quite often
in this setup and I had to put monitoring in place for that. I installed nscd
to decrease the load on the database.

Marcin
--
+---------------------------------------+
| -o) http://wanted.eu.org/
| / Message void if penguin violated
+ _\_V Don't mess with the penguin


 
Old 05-13-2008, 01:34 PM
"Joel Merrick"
 
Default best way to remotely manage user credentials

http://www.debian-administration.org/articles/585


On Tue, May 13, 2008 at 1:04 AM, Diego Lacerda <diegolacerda@gmail.com> wrote:

Hi, WZ,

I think that the best way to do this is integrating your systems with a
LDAP directory, or something similar.

Regards,
--
Diego Evaristo de Lacerda (diegolacerda@gmail.com)
Project Analyst
LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
Associates

URL: conectado.motime.com

On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
> Hello
> I would like to hear some word in my problem.
> I have X servers with pam authentication and ssh daemon.
> People use ftp servers and run their applications but there should be
> one central server that will manage passwords and users.
>
> I would like to use something like
>
> /usr/bin/changepassword <server_address> <user> <newpassword>
>
> there's no problem writing such thing with bash and ssh keys but maybe
> someone knows better solution ?
>
> regards
> WZ
>
> --
> Wojciech Ziniewicz
> Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
> ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
> ct;umount;makeclean; zip;split;done;exit:xargs!!}

--
echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
 
Old 05-13-2008, 01:35 PM
"Joel Merrick"
 
Default best way to remotely manage user credentials

Alternatively use Kerberos.. http://www.debian-administration.org/articles/570

On Tue, May 13, 2008 at 2:34 PM, Joel Merrick <joel.merrick@gmail.com> wrote:

http://www.debian-administration.org/articles/585

On Tue, May 13, 2008 at 1:04 AM, Diego Lacerda <diegolacerda@gmail.com> wrote:

Hi, WZ,

I think that the best way to do this is integrating your systems with a
LDAP directory, or something similar.

Regards,
--
Diego Evaristo de Lacerda (diegolacerda@gmail.com)
Project Analyst
LPIC Level III & Redhat Certified Engineer & Cisco Certified Network
Associates

URL: conectado.motime.com

On Mon, 2008-05-12 at 18:21 +0200, Wojciech Ziniewicz wrote:
> Hello
> I would like to hear some word in my problem.
> I have X servers with pam authentication and ssh daemon.
> People use ftp servers and run their applications but there should be
> one central server that will manage passwords and users.
>
> I would like to use something like
>
> /usr/bin/changepassword <server_address> <user> <newpassword>
>
> there's no problem writing such thing with bash and ssh keys but maybe
> someone knows better solution ?
>
> regards
> WZ
>
> --
> Wojciech Ziniewicz
> Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;f l
> ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
> ct;umount;makeclean; zip;split;done;exit:xargs!!}

--
echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'


--
echo "kpfmAkpfmnfssjdl/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
 
Old 05-13-2008, 01:40 PM
Adam McGreggor
 
Default best way to remotely manage user credentials

On Tue, May 13, 2008 at 02:51:54PM +0200, Wojciech Ziniewicz wrote:
> 2008/5/13 Thomas Goirand <thomas@goirand.fr>:
> > There's more easy way than writing it with a bash script. Use NSSMySQL
> > and write a small php/python/ruby/perl/whatever-you-like web application
> > for your users to change the password stored in MySQL. The other
> > advantage is that it's going to be damned easy to reuse this with
> > network, and to do backups. You can encrypt the MySQL connection if you
> > wish to prevent sniffing.
>
> I tried nss-mysql with no success.
>
> i have to store and use information that is exactly the same as normal
> ordinary pam . what did not work with nss-mysql was su and passwd
> (users HAVE to use passwd on those systems )
>
> probably i will write something like master server with mysql database
> that will be bash-style replicated on other servers.

Is https://secure.mysociety.org/cvstrac/rlog?f=mysociety/bin/usersync
any use?


 
