Enterprise-Level Authentication for Linux?

Jon Hill asks: "Authentication is an integral function of any network but the problem of unified authentication on large distributed systems becomes daunting when you look for Linux based solutions. I am the MIS Director for a technical R&D company with 10 locations in several states and have pushed Linux at the server level successfully for several years. As the system has grown the need for a unified authentication scheme has become a necessity. I have looked over NIS, NIS+, LDAP, Kerberos, and others but haven't found anything that will unify even our servers (ie. file/email/FTP). All sites are linked via a static VPN so there is good secure communication available. What suggestions do readers have to solve what I'd have thought was a common problem? Any case studies, product links, code, and other examples will be appreciated." Any Slashdotters who run enterprise-level installations care to comment on how well Linux's authentication works? In your mind, what does Linux need to do to improve it's profile in this regard? Could PAM at least provide a partial answer to this question, considering that it would provide a way for any authentication scheme to link into the system as a whole, without having to force hard-to-maintain code changes in the user-land applications.

where are the secrets

[Dr.+Tom]

You don't want to duplicate secrets. If possible, you don't want to transmit them all over the place either, though that's not so bad if done correctly. One way is to use a public key system, so that the secrets are stored on the client machines. Every server knows all the public keys, because they can be stored centrally on a keyserver or duplicated around the network; republishing them if they change is no big deal 'cause they're public. You could do this with OpenSSH.

If you perhaps do not trust the client machines, though, which you might not if they are Windows boxes, you would not want to use just public key crypto. You would also want to use a passphrase based system, and then you are back to having to have secrets on the servers, which need to be very carefully republished when they change. And you might not trust some of the servers. OpenSSH (and especially OpenSSH with the SRP patch) can do this, and it'll authenticate both the client *and* the server, so that both parties know they are connected with the entity they think they are connected to.

You might also want to look at SFS (a secure distributed filesystem based on NFS but with SRP authentication). Note that there are several projects all called SFS -- I'm thinking of the self-certifiying one. Then you can have central administration of server-side secrets. Probably some of the other projects called SFS would be good too, but I'm less familiar with them.

Re:???

[csw]

> Um, MIT invented krb, it can't suck ;)

Two words: Athena widgets.

Enterprise-Level authentication?

[cyberkreiger]

"Computer, identify Riker, William T. Access Code Theta Alpha 2 737 Blue."