Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Password management / centralized password management
Special Forums UNIX and Linux Applications Password management / centralized password management Post 302542936 by Peasant on Friday 29th of July 2011 04:20:18 AM
Old 07-29-2011
You can also use kerberos server with pam_krb

Be careful tho, kerberos is somewhat complicated to setup and requires clients and server to be in time sync.
But should be the most secure way.

Regards
Peasant
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

centralized unix user management

Does it exist centralized tools on unix for managing users of all servers (like windows AD) ? (1 Reply)
Discussion started by: astjen
1 Replies

2. Shell Programming and Scripting

how to change root password using shell script with standard password

Hi Friends. I am new to scripting now i want to change the root password using the script with standard password. which is the easy scripting to learn for the beginner, Thanks in advance. (2 Replies)
Discussion started by: kurva
2 Replies

3. Solaris

SSH Password-less login fails on password expiry.

Hi Gurus I have a few Sol 5.9 servers and i have enabled password less authentication between them for my user ID. Often i have found that when my password has expired,the login fails. Resetting my password reenables the keys. Do i need to do something to avoid this scenario or is this... (2 Replies)
Discussion started by: Renjesh
2 Replies

4. UNIX for Advanced & Expert Users

Multi-platform Centralized Patch Management

We have a mix of AIX, HP-UX, Linux (RHEL and SLES), and Solaris in our environment. Currently we have seperate patch management systems for each platform (NIM, SD, Spacewalk, etc), but have started looking for a centralized patch management solution that would work for most, if not all, of our... (0 Replies)
Discussion started by: kknigga
0 Replies

5. UNIX for Dummies Questions & Answers

password protect a CSV file: better solution than ZIP password?

Hi We send *.csv with sensitive data to our customers. Our customers open those files with Excel. A new requirement is that we password protect those CSV files. I thought to pack them with ZIP and assign a password to the archive. But Solaris 10 can't encrypt ZIP files. $ zip -P... (12 Replies)
Discussion started by: slashdotweenie
12 Replies

6. UNIX for Advanced & Expert Users

Password management

You know those lists of "the most common passwords"? I was looking at one of those because I actually want to use a really common password or two on occasion. The thing is I'm skeptical that these are legitimate lists. Most things these days require at least 8 chars with a numeral. But these lists... (1 Reply)
Discussion started by: jutnobs
1 Replies

7. What is on Your Mind?

Individual Risk Management (Personal IT Security) and Browser Cache Management

Original post from this thread on browser caching. To add to this, it is an effective security measure to clear absolutely all cached data (cookies, web content, ....) when closing the browser - i.e. in case of a shutdown. It takes a bit of work to re-login to all the sites but websites will not... (7 Replies)
Discussion started by: bakunin
7 Replies

8. Forum Support Area for Unregistered Users & Account Problems

Password sent via reset password email is 'weak' and won't allow me to change my password

I was unable to login and so used the "Forgotten Password' process. I was sent a NEWLY-PROVIDED password and a link through which my password could be changed. The NEWLY-PROVIDED password allowed me to login. Following the provided link I attempted to update my password to one of my own... (1 Reply)
Discussion started by: Rich Marton
1 Replies

LEARN ABOUT MOJAVE

pam_krb5

PAM_KRB5(8)						    BSD System Manager's Manual 					       PAM_KRB5(8)

NAME

     pam_krb5 -- Kerberos 5 PAM module

SYNOPSIS

     [service-name] function-class control-flag pam_krb5 [options]

DESCRIPTION

     The Kerberos 5 PAM module supports the authentication, account management and password management function classes.  In terms of the
     function-class parameter, these are ``auth'' , ``account'' and ``password'' respectively.

   Kerberos 5 Authentication Module
     The Kerberos 5 authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to set user specific
     credentials (pam_sm_setcred()).  pam_sm_authenticate() converts the supplied username into a Kerberos principal, by appending the default
     local realm name.	It also supports usernames with explicit realm names.  If a realm name is supplied, then upon a successful return, it
     changes the username by mapping the principal name into a local username (calling krb5_aname_to_localname()).  This typically just means the
     realm name is stripped.

     It prompts the user for a password and obtains a new Kerberos TGT for the principal.  The TGT is verified by obtaining a service ticket for
     the local host.

     When prompting for the current password, the authentication module will use the prompt ``Password for <principal>:''.

     The pam_sm_setcred() function stores the newly acquired credentials in a credentials cache, and sets the environment variable KRB5CCNAME
     appropriately.  The credentials cache should be destroyed by the user at logout with kdestroy(1).

     The following options may be passed to this authentication module:

     debug		openpam_log(3) debugging information at PAM_LOG_DEBUG level.

     use_first_pass	If the authentication module is not the first in the stack, and a previous module obtained the user's password, that pass-
			word is used to authenticate the user.	If this fails, the authentication module returns failure without prompting the
			user for a password.  This option has no effect if the authentication module is the first in the stack, or if no previous
			modules obtained the user's password.

     try_first_pass	This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is
			prompted for another password.

     forwardable	Obtain forwardable Kerberos credentials for the user.

     no_ccache		Do not save the obtained credentials in a credentials cache.  This is a useful option if the authentication module is used
			for services such as ftp or pop, where the user would not be able to destroy them.  [This is not a recommendation to use
			the module for those services.]

     ccache=name	Use name as the credentials cache.  name must be in the form type:residual.  The special tokens '%u', to designate the
			decimal UID of the user; and '%p', to designate the current process ID; can be used in name.

     default_principal	Construct the principal from the authenticating user's username, rather than obtaining it from the AuthenticationAuthority
			of the	user's OpenDirectory record.

     use_kcminit	Don't verify password, instead store the password in kcm and return success in the pam chain.  So when used in this mode,
			the pam_krb5 module needs to be configured to be 'optional' and some other module 'required'.

   Kerberos 5 Account Management Module
     The Kerberos 5 account management component provides a function to perform account management, pam_sm_acct_mgmt().  The function verifies
     that the authenticated principal is allowed to login to the local user account by calling krb5_kuserok() (which checks the user's .k5login
     file).

   Kerberos 5 Password Management Module
     The Kerberos 5 password management component provides a function to change passwords (pam_sm_chauthtok()).  The username supplied (the user
     running the passwd(1) command, or the username given as an argument) is mapped into a Kerberos principal name, using the same technique as in
     the authentication module.  Note that if a realm name was explicitly supplied during authentication, but not during a password change, the
     mapping done by the password management module may not result in the same principal as was used for authentication.

     Unlike when changing a UNIX password, the password management module will allow any user to change any principal's password (if the user
     knows the principal's old password, of course).  Also unlike UNIX, root is always prompted for the principal's old password.

     The password management module uses the same heuristics as kpasswd(1) to determine how to contact the Kerberos password server.

     The following options may be passed to this password management module:

     debug	     syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass  If the password management module is not the first in the stack, and a previous module obtained the user's old password, that
		     password is used to authenticate the user.  If this fails, the password management module returns failure without prompting
		     the user for the old password.  If successful, the new password entered to the previous module is also used as the new Ker-
		     beros password.  If the new password fails, the password management module returns failure without prompting the user for a
		     new password.

     try_first_pass  This option is similar to the use_first_pass option, except that if the previously obtained old or new passwords fail, the
		     user is prompted for them.

ENVIRONMENT

     KRB5CCNAME  Location of the credentials cache.

FILES

     /tmp/krb5cc_uid  default credentials cache (uid is the decimal UID of the user).
     $HOME/.k5login   file containing Kerberos principals that are allowed access.

SEE ALSO

     kdestroy(1), passwd(1), syslog(3), pam.conf(5), DirectoryService(8), pam(8)

NOTES

     Applications should not call pam_authenticate() more than once between calls to pam_start() and pam_end() when using the Kerberos 5 PAM mod-
     ule.

BSD
								 January 15, 1999							       BSD
All times are GMT -4. The time now is 11:38 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy