unified authentication

Jesse Guardiani jesse at wingnet.net
Wed Sep 24 08:31:03 PDT 2003


Howdy list,

Sorry if this is a frequently discussed topic,
or an off-topic question, but I couldn't find much
info about my question by performing quick searches
in the archives, and my question is pretty tightly
related to security...

Background:
===========
I have a number of FreeBSD machines. Most are 4.x,
but a few are 5.x (mainly the testing/devel machines).

I also have a single Red Hat Linux machine (mostly
a former employee's play toy), a legacy BSDi 4.1
machine, and a single Windows 2000 Server.

And, of course, I have a number of Cisco routers of
all shapes, sizes, and capacities.

I have recently been plagued by the security audit
woes, as employees have left the company and new
employees have come in. The former Sys Admin didn't
keep a list of places where passwords are stored,
and the company really has very little in the way
of a security policy, so I'm having to audit and
document as I go.

The motivation behind this email is simply that I am
seeking to end my security woes. I'd like to be able
to quickly (10-30 minutes) set up and remove employees
from the various servers/routers and have the knowledge
that I haven't missed anything.

I've been thinking about it, and it seems like it
would be beneficial to define "security clearances"
and possibly different passwords for each employee
at each security clearance level. That way, if one
password was somehow sniffed or stolen, the security
breach might stand a better chance of being contained.


Software:
=========
Here is a quick summary of the software we use:

Mail Server:
------------
qmail-1.03
MySQL (for vpopmail authentication)
vpopmail
qmailadmin
sqwebmail
Apache 1.3.28 (PHP4, mod_perl)

Web Server:
-----------
Apache 1.3.28 (PHP4, mod_perl)
MySQL

The mail server already has a robust, tightly integrated,
and very fast authentication system with vpopmail + MySQL.
And we are currently working on integrating this
authentication system into our billing system.

These facts lead me to believe that I would like
our mail server's auth system to be totally separate
from the "corporate" auth system. If we want an
employee to have an email account, we will either
set up an internal mail server, add the employee
to the billing system with a free rate code, or develop
some sort of automation system that takes the corporate
auth database and merges it with the billing system.

The web server, on the other hand, is a different
matter altogether. I would like to see some meshing
of the "corporate" auth system and the web server.

This way, I could define a certain website or web
page to be within a certain security clearance for
read access and/or write access, and the employee would
automatically have the appropriate access based on
security clearance.


Questions:
==========
Anyway, I'm seeking more of a discussion than a single
definitive answer at this point. I'm ashamed to admit
it, but I'm really not aware of what my options are,
or what the strengths and weaknesses of each option
might be.

Listed below are the buzz words I've heard which I
think might be possible options:

1.) Kerberos
2.) PAM (Seems to be more of a library than a complete
    solution.)
3.) LDAP
4.) RADIUS
5.) NIS/NIS+

We already use RADIUS to authenticate our dialup
pool, and I wouldn't mind using it to authenticate
employees, but I'm not sure if I can use RADIUS to
authenticate FreeBSD system logins and such. The rest
of the above items are relatively foreign to me.

At first, I thought Kerberos sounded like the best
solution, but the more I read about it, the more I
start to think it may be an aging solution and that
I might be better served to go with something else.

Then again, I think I've seen Kerberos authentication
options in my Cisco routers... so maybe it's a good
choice after all...

In conclusion, I'd love to hear how other people have
defined and implemented their organization's security
model. Any personal stories, website links, or advice
would be welcome.

Thanks!

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
