Benedict Verheyen <[EMAIL PROTECTED]> writes:

> On Sun 28-09-2003, at 00:45, David Z Maze wrote:
>
>> I think both Kerberos and RADIUS are "single sign-on" protocols: when
>> you log on you get some sort of authentication token, which you can
>> use to talk to other services without typing a password.
>
> This sounds like a much more integrated system and easier to maintain. I
> cannot see a sysadmin juggle with all those user passwords for different
> programs. Do production type servers use Kerberos or RADIUS more than
> PAM?
MIT's Athena computing environment generally uses a patched /bin/login
binary, I think, and generally doesn't do much with PAM, though some
people have successfully used PAM to let people with Athena accounts log
in on their private Debian machines.

The one hard problem that I don't know of a good way to deal with is
having a synchronized set of user accounts: when someone gets a new
account, they need a password entry, a Kerberos principal, an AFS
principal, a home directory, and possibly other things, and when their
account goes away these things need to vanish. MIT has a special glue
layer that does this, but it's not terribly pretty.

A couple of years ago a group of people (MIT/SIPB/Debian folk, mostly)
were working on prepackaged infrastructure to do this; look at
http://www.boxedpenguin.com/. As far as I know, it's mostly fallen by
the wayside at this point, but it might be useful to look at.

-- 
David Maze         [EMAIL PROTECTED]      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
        -- Abra Mitchell
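The "synchronized set of user accounts" problem above is a reconciliation problem: one canonical roster says who should exist, and each backend (passwd, Kerberos, AFS, home directories) may drift from it. The script below is an added illustration, not code from this thread or from MIT's glue layer. It uses constructed username sets in place of what you would actually read from each system (for example `getent passwd`, `kadmin -q listprincs`, `pts listentries`), and reports the two kinds of drift: objects missing for active users, and orphaned objects left behind after an account went away. Orphans are the case that matters for security, since a leftover Kerberos or AFS principal is still a usable credential.

```python
"""Account-provisioning reconciliation (added example, not from the thread).

A canonical roster decides which accounts should exist; every backend is
compared against it. Backend contents here are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data. In a real deployment each set would be populated
# from the backend itself (passwd database, Kerberos KDC, AFS ptserver, the
# home directory tree); the names and the drift are made up for illustration.
CANONICAL_ROSTER = {"alice", "bob", "carol"}
BACKENDS = {
    "passwd":   {"alice", "bob", "carol", "dave"},   # dave left; entry remains
    "kerberos": {"alice", "bob", "dave"},            # carol never got a principal
    "afs":      {"alice", "bob", "carol"},
    "homedir":  {"alice", "carol", "dave"},          # bob's home dir never created
}


@dataclass
class Drift:
    missing: dict = field(default_factory=dict)   # backend -> users needing creation
    orphaned: dict = field(default_factory=dict)  # backend -> users needing removal

    def is_clean(self) -> bool:
        return not self.missing and not self.orphaned


def reconcile(roster: set, backends: dict) -> Drift:
    """Set-difference every backend against the canonical roster."""
    drift = Drift()
    for name, present in backends.items():
        missing = roster - present      # active users with no object here
        orphaned = present - roster     # objects whose user is gone
        if missing:
            drift.missing[name] = sorted(missing)
        if orphaned:
            drift.orphaned[name] = sorted(orphaned)
    return drift


def orphaned_users(drift: Drift) -> set:
    """Every user who still holds at least one object after deprovisioning."""
    return set().union(*drift.orphaned.values()) if drift.orphaned else set()


def report(drift: Drift) -> list:
    """Action list; removals first because an orphan is live access."""
    lines = []
    for backend, users in sorted(drift.orphaned.items()):
        for user in users:
            lines.append(f"REMOVE {backend}: {user} (not in roster)")
    for backend, users in sorted(drift.missing.items()):
        for user in users:
            lines.append(f"CREATE {backend}: {user} (active user, object missing)")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(CANONICAL_ROSTER, BACKENDS)):
        print(line)
```

Run periodically, the removal half of this report is the check that a "vanish" step actually happened everywhere; the glue layer that performs provisioning and the job that verifies it are best kept separate, so a bug in one does not silently mask the other.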