[NTLUG:Discuss] Kerberos and Linux
Chris Cox
cjcox at acm.org
Sat Jan 28 16:59:49 CST 2006
Leroy Tennison wrote:
> Before I do a lot of research for nothing, can kerberos not only be an
> authentication system for Linux but also provide local uid/gid's for the
> system? What I'm looking for is something like what LDAP can do where
> the local system doesn't have to have a user ID in order for someone to
> log in. I'm trying to get to a more centralized approach to user/group
> management like the PC NOSes have. Thanks for your input. Other secure
> alternatives would be worth hearing about as well.
Secure? Who can say?
But you'll need something like NIS, LDAP or even Samba (or Samba
combo'd with a Windows Domain Controller) to provide the usernames, etc.
Unless someone else knows differently.
Where I work we have to use NIS (lowest common denominator).
I have built systems... and was planning to demo at the Fair,
that use a centralized account system for the whole network,
Unix/Linux/Windows.
NIS is called insecure... but truthfully, distributed
network namespaces are "insecure" by definition. You don't
have to use the password part in NIS... I've used the
local domain controller for that... or you could use
Kerberos... or you could force key'd ssh only.
If you're already committed to Kerberos, you can use that...
One of the things I like about NIS is its simplicity and
its ubiquitous nature in the Unix world. However, it
only scales to about 5,000 or so users (without some
"smart" partitioning). For larger than that, I'd use some
form of LDAP.
My personal opinion of LDAP is that it has its own
share of headaches, especially in a heterogeneous
environment. And LDAP wasn't designed to be secure.
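
Added example, not part of the original post: a small audit of the split described above, where NIS (or LDAP) supplies only names and uid/gid values while Kerberos handles authentication. The nsswitch.conf, passwd-map and PAM lines are constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not from the original post).
NSSWITCH = """\
passwd: files nis
group:  files nis
shadow: files
"""
# Constructed passwd(5)-format lines, as a NIS passwd map would serve them.
NIS_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$0123456789abcdefghijkl:1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Carol:/home/carol:/bin/sh
"""
# Constructed PAM auth stack.
PAM_AUTH = """\
auth sufficient pam_krb5.so
auth required   pam_unix.so try_first_pass
"""

def nss_sources(text):
    """Map each nsswitch database to its ordered list of sources."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return].
            out[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return out

def exposed_password_fields(passwd_text):
    """Names whose second field is not a placeholder, i.e. a hash (or an
    empty password) that every client of the map can read."""
    placeholders = {"x", "*", "!", "!!"}
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] not in placeholders:
            names.append(fields[0])
    return names

def pam_auth_modules(text):
    """Module names on auth lines; the control may be simple or bracketed."""
    pat = re.compile(r"^\s*auth\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")
    return [m.group(1) for m in map(pat.match, text.splitlines()) if m]

def audit():
    return {
        "identity_sources": nss_sources(NSSWITCH).get("passwd", []),
        "hashes_in_directory": exposed_password_fields(NIS_PASSWD),
        "kerberos_auth": "pam_krb5.so" in pam_auth_modules(PAM_AUTH),
    }

if __name__ == "__main__":
    print(audit())
```

In this sample the map still carries a hash for `bob`, so that account has not been moved off "the password part" of NIS even though Kerberos is in the PAM stack.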