Single point logon

lk lou.kamenov at aeye.net
Thu Aug 8 12:44:34 BST 2002


Hi there,
On Thu, Aug 08, 2002 at 12:16:56PM +0100, Ian Morrison wrote:
> hey,
> 
> (great meeting last night btw..)
> 
> I was wondering if anyone here has some kind of single point logon
> system working;  crazy phrase, but essentially some way of centrally
> managing access any of the machines on a network.  As I understand it,
> Nis/Yp offers this functionality, but i'd rather not run all that rpc
> cruft.
This is a good thread; however, can security exist in this environment,
I mean if you're going to do it on the WAN side? Otherwise I don't see a problem running NIS/YP in a DMZ network with trusted users; however, like most things, this one has two sides, bad/good.
Even on WAN it's not that hard, using a DMZ firewall which will accept only %these clients to connect to your DMZ NIS/YP controlled network, using various ways, let's say VPNs over a security layer like IPSec, and FreeBSD has really good support for it.
Also for Windows clients, running MPPE encryption with the VPN, using a PDC to control all of them and so on..
> 
> I've heard people do this in various ways; ssh keys propagated via LDAP
> or CFEngine are two that spring to mind, squid perhaps another..  Has

Yeah that's true, LDAP is quite good for keeping user settings and other bullshit like passwords/usernames, also it has a really good read speed, faster than most of the DBs, that's why *maybe* MS impl this thing into most of their services, let's say like Exchange, keeping thousands of users' settings/personal information stored in it...

> anyone got anything like this working on FreeBSD?  In a heterogenous
> environment (mac/pc/unix)?  Would be great to find out what people think
> in any event..
A good firewall can help you a lot, not only a firewall.. 
Although we know about all these RPC vulns, IMHO a good plan/infrastructure can solve/fill most of the problems/gaps.

Yeah but a new software of this kind would bring a change.. 
I'm quite keen on starting a GPL product that will cover all this..

cheers,
-lk

--
br, Lou Kamenov
[ Network Infrastructure/Security Analyst ]
[ c/o AEYE Ltd, London, UK ] [AEYE R&D - http://www.aeye.net ]
[ AEYE Commercial - http://www.aeye-web.com ]
[ phone: +44 (0) 20 89469546 ] [ fax: +44 (0) 7092 129079 ] 
[ mobile: +44 (0) 7905 514036 ] [ AEYE is Artificial Intelligence ]

> 
> Stay Frosty,
> 
> 
> ian
> -- 
> :: darq.net /#/             :: to start press any key | where's the
> 
> ------ FreeBSD UK Users' Group  -  Mailing List ------
> http://listserver.uk.freebsd.org/mailman/listinfo/freebsd-users



