[tech] manbo, ldap, stuff

Matt Johnston matt at ucc.asn.au
Tue Feb 20 16:02:13 WST 2007


On Tue, Feb 20, 2007 at 03:50:20PM +0900, James Andrewartha wrote:
> *snip stuff about LDAP*

> Alternatively, we could put dropbear on a different port and people who 
> wanted public-key authentication could use that, or Matt could add LDAP 
> auth directly to dropbear and we could turn off Sun's sshd ;-) See
> http://opensolaris.org/jive/thread.jspa?threadID=614&tstart=0 for details 
> on the SSH problem.

I assume we'd need to use PAM?
PAM is awful for network apps that use a single event loop,
since the conversation function is expected to be a callback
that can write questions directly to the user (or similar).
Nothing implements the proposed asynch conversation function
extension. I'm not touching that.

> Ultimately it depends on what the goals for LDAP are - one password to 
> rule them all, or just conversion to a more modern and secure 
> authentication scheme. If it's the latter and people are ok with having 
> the Windows/Unix password split, then none of the above hackery is 
> necessary. Please respond with your thoughts on the matter.

No one ever changes their passwords at UCC afaik, except when
they're forgotten or wheel people run John and lock
accounts for shoddy passwords. Maybe just a secure.ucc webpage
for changing passwords would be simplest?

Maybe we should try to integrate pw checking into the account
creation script too.

Personally I think pubkey auth is more useful than easily
changed passwords from everywhere.

Matt
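The password checking Matt suggests for the account creation script could look like the following. This is an added example written for this page, not code from the UCC thread or from dropbear; the wordlist is a constructed stand-in for a real dictionary file, and the mangling rules (leet substitutions, stripping digit/punctuation affixes, reversal) are a small subset of the kind of rules a wordlist cracker such as John applies, so that a password a routine cracking run would recover is rejected at creation time instead of leading to a locked account later.

```python
"""Password-quality check for an account creation script (added example).

The wordlist below is a constructed sample; a real deployment would load a
full dictionary file (path is an assumption, e.g. /usr/share/dict/words).
"""
import re

# Constructed sample wordlist: a few entries a cracker's wordlist would hold.
SAMPLE_WORDLIST = {
    "password", "letmein", "welcome", "qwerty",
    "ucc", "dropbear", "solaris",
}

# Common "leet" substitutions, undone so that P@ssw0rd maps back to password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_bases(pw):
    """Return the base words that simple mangling rules could have turned
    into `pw`: lowercase, de-leeted, with digit/punctuation affixes
    stripped, and reversed."""
    p = pw.lower()
    # Strip non-letter prefixes and suffixes, e.g. "secret123!" -> "secret".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return [
        p,
        p.translate(LEET),
        stripped,
        stripped.translate(LEET),
        p[::-1],
    ]


def check_password(pw, username="", wordlist=SAMPLE_WORDLIST, min_len=10):
    """Return a list of problem codes; an empty list means the password
    passes every rule. Rules are evaluated independently so the script can
    report all of them to the user at once."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    classes = sum(bool(re.search(r, pw))
                  for r in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("few_classes")
    if username and username.lower() in pw.lower():
        problems.append("contains_username")
    if re.search(r"(.)\1\1", pw):  # three or more identical chars in a row
        problems.append("repeated_chars")
    if any(base in wordlist for base in candidate_bases(pw)):
        problems.append("dictionary_word")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    for user, pw in (("alice", "P@ssw0rd1"), ("alice", "alice2007!!!"),
                     ("bob", "Dr0pbear!!"),
                     ("bob", "correct horse battery staple 42")):
        verdict = check_password(pw, user) or ["ok"]
        print(f"{user}: {pw!r} -> {', '.join(verdict)}")
```

The check returns codes rather than raising, so an account creation script can print every reason at once and re-prompt. Passphrases of several real words pass the dictionary rule on purpose, since only the whole string and its simple manglings are looked up; a full deployment would load a large wordlist and could add further rules from the site's cracking experience.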

