Title: Kerberos for Debian Edu/Squeeze?
Tags: english, nuug, debian edu
Date: 2010-04-14 17:20

<p><a href="http://www.nuug.no/aktiviteter/20100413-kerberos/">Yesterday's
NUUG presentation</a> about Kerberos was inspiring, and reminded me
about the need to start using Kerberos in Skolelinux. Setting up a
Kerberos server seems to be straightforward, and if we get this in
place a long time before the Squeeze version of Debian freezes, we
have a chance to migrate Skolelinux away from NFSv3 for the home
directories, and over to an architecture where the infrastructure does
not have to trust IP addresses and machines, and can instead trust
users and cryptographic keys.</p>

<p>A challenge will be integration and administration. Is there a
Kerberos implementation for Debian where one can control the
administration access in Kerberos using LDAP groups? Without it, the
school administration will have to maintain access control using flat
files on the main server, which gives a huge potential for errors.</p>

<p>A related question I would like answered is how well Kerberos and
pam-ccreds (offline password check) work together. Anyone know?</p>

<p>Next step will be to use Kerberos for access control in Lwat and
Nagios. I have no idea how much work that will be to implement. We
would also need to document how to integrate with Windows AD, as such
a shared network will require two Kerberos realms that need to cooperate
to work properly.</p>

<p>I believe a good start would be to start using Kerberos on the
skolelinux.no machines, and this way gain experience with
configuration and integration. A natural starting point would be
setting up ldap.skolelinux.no as the Kerberos server, and migrating the
rest of the machines from PAM via LDAP to PAM via Kerberos one at a
time.</p>

<p>If you would like to contribute to getting this working in Skolelinux,
I recommend you watch the video recording from yesterday's NUUG
presentation, and start using Kerberos at home. The video should show
up in a few days.</p>