> On 4 Jan 2015, at 5:32 pm, Brian Empson <br...@teamhandbanana.com> wrote:
> 
> This sounds interesting. What would you replace krb5 with, if you don't mind
> me asking? I was contemplating krb5, but the setup and such is a pain for me
> (because I am not familiar with it). I'll probably wind up rolling something
> custom with LDAP and YP mappings thrown in.

i dunno. ideally i would just do basic auth over https against something that
just returns 200 or 403. bsdauth on openbsd means i could probably implement
that with a crappy script. linux probably has a crazy pam module i could use
to do auth with http, but the solarish things i run almost certainly don't.
however, linux and solaris still support krb5 auth out of the box, so it's
only a problem i really have to solve on openbsd. or use ldap auth.

> 
> On 1/4/2015 2:26 AM, David Gwynne wrote:
>>> On 2 Jan 2015, at 9:52 pm, Brian Empson <br...@teamhandbanana.com> wrote:
>>> 
>>> I'm looking into a way to sync up group and user information across a
>>> network of OpenBSD machines. I like YP, except that I don't need the
>>> password hashes transferred across the network. I like that it's built
>>> right into the base install. Are there better ways to handle synchronizing
>>> login details across multiple machines that are built into the base install?
>>> Preferably written by the OpenBSD team, too?
>> 
>> while not directly answering your question, i can say openbsd can do this
>> kind of stuff without yp on the wire.
>> 
>> at work i use ypldap to get user/group information from active directory. we
>> populate the rfc2307 attributes on our users and groups to make them useful
>> on unix systems. we use the single directory as a name service backend for
>> openbsd, solaris, linux, and windows (of course).
>> 
>> we're still using krb5 for password authentication. i really have to fix
>> that.
>> 
>> we've also augmented the AD schema to store users' ssh keys in the directory
>> too. sshd gets access to them via AuthorizedKeysCommand and a perl script.
>> this allows ssh-key-based single sign-on across all our unixish systems,
>> even if their home directories are not available on the system. this is
>> useful for providing services over ssh. an example of such a service we
>> provide is svn and git on a dedicated server. all our users are on the
>> system via ypldap, and they can auth using their own username and either a
>> password or ssh key.
>> 
>> dlg
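An added example of the ypldap setup dlg describes, written for this page rather than taken from his configuration: a ypldap.conf(5) fragment pointed at an Active Directory domain controller whose users and groups carry the RFC 2307 attributes. The host, base DN, bind account, NIS domain name and filters are assumptions, and the AD attribute names (sAMAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell, memberUid) are the ones the RFC 2307 extension in AD uses; check them against your own schema. The line that answers Brian's original concern is `fixed attribute passwd "*"`: the passwd maps ypldap serves carry no hash at all, so nothing secret is exposed through YP, and the password check happens in whatever bsdauth mechanism login.conf(5) names (krb5 in dlg's case).

```conf
# /etc/ypldap.conf -- constructed example for an AD-backed name service.
domain "example.internal"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
provide map "netid.byname"

# Assumed domain controller and a read-only bind account for ypldap.
directory "dc1.example.internal" {
	binddn "CN=ypldap,OU=Service,DC=example,DC=internal"
	bindcred "change-me"
	basedn "DC=example,DC=internal"

	# Only AD users that have been given a POSIX uid become unix accounts.
	passwd filter "(&(objectClass=user)(uidNumber=*))"
	attribute name maps to "sAMAccountName"
	# No hash in the YP map: the local password check always fails,
	# so login.conf must point at a real authenticator (krb5, ldap, ...).
	fixed attribute passwd "*"
	attribute uid maps to "uidNumber"
	attribute gid maps to "gidNumber"
	attribute gecos maps to "cn"
	attribute home maps to "unixHomeDirectory"
	attribute shell maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	fixed attribute class "default"

	# Groups likewise need a gidNumber; memberUid carries the login names.
	group filter "(&(objectClass=group)(gidNumber=*))"
	attribute groupname maps to "sAMAccountName"
	fixed attribute grouppasswd "*"
	attribute groupgid maps to "gidNumber"
	list groupmembers maps to "memberUid"
}
```

To use it, set the NIS domain name, run portmap, ypldap and ypbind, and add the usual YP marker lines (`+:*::::::::` to master.passwd via vipw, `+:*::` to group) as yp(8) describes. Two caveats a practitioner would want: the YP maps themselves are served over unauthenticated RPC, so restrict who can reach the ypldap and portmap ports with pf; and the ypldap of this thread's era talks plain LDAP with a simple bind, which puts the bind credential and the directory contents on the wire, so prefer the `ldaps` or `tls` form of the `directory` line where your release's ypldap.conf(5) offers it.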
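dlg says sshd pulls users' keys out of AD through AuthorizedKeysCommand and a perl script. The script below is an added example of that mechanism, written for this page in sh rather than being his code. It assumes OpenLDAP's ldapsearch (a package, not OpenBSD base), an attribute called sshPublicKey on the user object, a read-only bind account whose password sits in a file only the AuthorizedKeysCommandUser can read, and the sshd_config lines shown in the header comment. The sample LDIF is constructed and the keys in it are not real key material. Two details matter for security: `%u` is chosen by the remote client, so the name is validated and RFC 4515-escaped before it goes into the filter; and the LDIF parser copes with what ldapsearch actually emits, namely multi-valued attributes, `attr:: base64` values (which appear as soon as a key comment contains a non-ASCII character) and wrapped continuation lines.

```shell
#!/bin/sh
# ldap-ssh-keys -- AuthorizedKeysCommand helper (added example, not dlg's perl).
# Assumed sshd_config lines (sshd requires the script to be root-owned and not
# group/world-writable, and runs it as the unprivileged user named here):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u
#   AuthorizedKeysCommandUser _sshkeys
# Assumed directory details; override through the environment.
LDAP_URI="${LDAP_URI:-ldaps://dc1.example.internal}"
LDAP_BASE="${LDAP_BASE:-DC=example,DC=internal}"
LDAP_BINDDN="${LDAP_BINDDN:-CN=sshkeys,OU=Service,DC=example,DC=internal}"
LDAP_PWFILE="${LDAP_PWFILE:-/etc/ldap-sshkeys.secret}"   # mode 0400, owner _sshkeys
KEY_ATTR="${KEY_ATTR:-sshPublicKey}"                     # assumed schema attribute

# sshd hands us %u, which the remote client chose. Accept only a plain login
# name before it goes anywhere near an LDAP filter.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# RFC 4515 filter escaping; backslash first so the escapes we add are not
# themselves re-escaped.
escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Ask AD for the user object and return only the key attribute, as LDIF.
ldap_query() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$LDAP_BINDDN" -y "$LDAP_PWFILE" \
        -b "$LDAP_BASE" -s sub "(&(objectClass=user)(sAMAccountName=$1))" "$KEY_ATTR"
}

# LDIF on stdin -> one key per line on stdout. Handles multi-valued attributes,
# "attr:: base64" values and wrapped continuation lines (leading space).
ldif_keys() {
    awk -v attr="$KEY_ATTR" '
    BEGIN { B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
    function b64dec(s,    i, c, v, acc, nbits, out) {
        acc = 0; nbits = 0; out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "=") break
            v = index(B64, c); if (v == 0) continue
            acc = acc * 64 + v - 1; nbits += 6
            if (nbits >= 8) {
                nbits -= 8
                out = out sprintf("%c", int(acc / 2 ^ nbits))
                acc = acc % 2 ^ nbits
            }
        }
        return out
    }
    function flush() {
        if (name != "" && tolower(name) == tolower(attr)) {
            if (b64) val = b64dec(val)
            if (val != "") print val
        }
        name = ""; val = ""; b64 = 0
    }
    /^ / { val = val substr($0, 2); next }
    { flush() }
    /^[A-Za-z][A-Za-z0-9-]*:: / { name = substr($0, 1, index($0, ":") - 1); val = substr($0, index($0, ":: ") + 3); b64 = 1; next }
    /^[A-Za-z][A-Za-z0-9-]*: /  { name = substr($0, 1, index($0, ":") - 1); val = substr($0, index($0, ": ") + 2); next }
    END { flush() }'
}

# Constructed LDIF standing in for an ldapsearch reply (not real keys): a plain
# value, a wrapped value, a base64-encoded value, and an unrelated attribute.
SAMPLE_LDIF='dn: CN=Brian Empson,OU=People,DC=example,DC=internal
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINotARealKey0000000000000000000 brian@laptop
sshPublicKey: ssh-rsa AAAAB3Nza
 C1yc2E brian@old
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMSBicmlhbkBkZXNr
description: unix user'

# Offline demonstration: parse the constructed sample as sshd would read it.
demo_keys() { printf '%s\n' "$SAMPLE_LDIF" | ldif_keys; }

main() {
    user="$1"
    valid_user "$user" || { echo "ldap-ssh-keys: refusing user name" >&2; exit 1; }
    out=$(ldap_query "$(escape_filter "$user")") || { echo "ldap-ssh-keys: directory query failed" >&2; exit 1; }
    printf '%s\n' "$out" | ldif_keys
}

# With an argument behave as the AuthorizedKeysCommand; without one, run the demo.
if [ $# -gt 0 ]; then main "$1"; else demo_keys; fi
```

Because the output is ordinary authorized_keys syntax, key options such as `command=` or `restrict` stored in the directory pass straight through, which is how a dedicated svn/git host of the kind dlg mentions can pin a user's key to the service it is meant for. A non-zero exit makes sshd treat the user as having no keys, so a directory outage fails closed rather than open.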