#1 humbletech99 (Linux Newbie), joined Nov 2005, 225 posts

    Centralized Account Management, how do you do yours?


    I have a need to centralize my Linux server account management.

    I have authenticated to windows domains before but now I come back to thinking about rolling this out across all my servers I find myself questioning if authenticating to Active Directory is really the right thing to do for all my systems.

    If I have web/mail/dns/database etc. servers sitting in a DMZ, then either I have to allow access inwards towards a Domain Controller, or put a Domain Controller in the DMZ and put it at risk, as well as allowing a possible compromise of the entire organization's user account base. This just doesn't seem sensible from the point of view of security, which we take quite seriously here at work.

    So should I maintain a separate centralized authentication system just for these Linux servers in the DMZ?


    What do you use for centralized Linux account management? And what do you do about your DMZ systems?
    The Human Equation:

    value(geeks) > value(mundanes)

#2 jledhead (Linux Engineer), joined Oct 2004, North Carolina, 1,077 posts
    you could set up ldap on one of your nix servers and create another domain dmz.your.domain.com or use a firewall (iptables, isa) and tunnel the authentication traffic to a dmz. that way your dc isn't really in the dmz, and with a firewall you can limit who can access it.

#3 humbletech99 (Linux Newbie), joined Nov 2005, 225 posts
    Quote originally posted by jledhead:
    "you could set up ldap on one of your nix servers and create another domain dmz.your.domain.com"
    Using openldap is one possibility I guess...
    "use a firewall (iptables, isa) and tunnel the authentication traffic to a dmz. that way your dc isn't really in the dmz, and with a firewall you can limit who can access it."
    Wouldn't this completely break the idea of a DMZ and open an attack surface?
    The Human Equation:

    value(geeks) > value(mundanes)

#4 Lazydog (Linux Guru), joined Jun 2004, The Keystone State, 2,677 posts
    Here is my take on this.

    You should not allow management of your systems in the DMZ to happen from anywhere except your Network. Anyone who requires access to these systems, in any admin capacity, should first have to VPN into your network and authenticate before they are allowed to gain access to the DMZ.

    While you could set up the firewall to block ip addresses after x tries, time is on the hacker's side. He could back his attack off to days, weeks or months; then your firewall rule is useless unless you set the setting so high. Then at this point you risk snagging real connections that happen to fat finger their passwords while logging in.

    Using a VPN and a key authentication to gain access is a better way. Then on the first failed connection you could block that ip address.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

#5 humbletech99 (Linux Newbie), joined Nov 2005, 225 posts
    I think you completely missed the point.

    I want central account management on linux for myself, my boss and a couple of admins and a handful of developers. From my network.

    So, this way when someone joins/leaves I only need to make one change.

    However, I want this also for my DMZ systems, but I don't want it to allow for enumeration of the internal network's central account management in the event that any DMZ system is ever compromised.
    The Human Equation:

    value(geeks) > value(mundanes)

#6 Lazydog (Linux Guru), joined Jun 2004, The Keystone State, 2,677 posts
    Don't understand how I missed the point? I think you are not understanding what I am saying, so I'll try this again.

    The DMZ should not allow ADMIN ACCESS for any reason, unless it cannot be avoided, from the internet. In this case you should only use ssh with keys and not passwords.

    Now you have a system that does all your authentications on your internal network. Anyone who requires access to the DMZ must access the DMZ through this system, and this system only, on which you can set up your authentication.

    If you want to allow people to access your DMZ directly through the internet then your best bet is to set everyone up with SSH and use key authentication. When they leave all you need to do is remove their key from the setup and they can no longer access the system.

    The DMZ should never be allowed to start any connection anywhere unless needed to, and then only under tight control. This way if it does get broken into the hacker has nowhere to go. The firewall logs should be set up to log any connection trying to leave the DMZ so that you are aware of the possibility of a break-in and can investigate.

    If this is for people that do not have access to your network then the SSH with logging would be the way to go.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
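The egress logging Robert recommends only helps if someone actually reads the log. The following script, added here as an example and not part of the thread, summarizes kernel LOG entries for connections a DMZ host tried to open outward and raises an alert when one flow repeats. It assumes a FORWARD rule that logs and then drops DMZ-originated traffic with the prefix `DMZ-EGRESS`; the interface names, that prefix and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarize firewall LOG entries for
# connections that a DMZ host tried to open outward. It assumes an egress
# rule pair such as (interface names and prefix are assumptions):
#   iptables -A FORWARD -i eth_dmz ! -o eth_dmz -j LOG --log-prefix "DMZ-EGRESS "
#   iptables -A FORWARD -i eth_dmz ! -o eth_dmz -j DROP
# The log lines below are constructed sample input.

SAMPLE_LOG='Mar  3 10:15:01 fw kernel: DMZ-EGRESS IN=eth_dmz OUT=eth_lan SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=389 SYN
Mar  3 10:15:02 fw kernel: DMZ-EGRESS IN=eth_dmz OUT=eth_lan SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=389 SYN
Mar  3 10:15:05 fw kernel: DMZ-EGRESS IN=eth_dmz OUT=eth_wan SRC=192.0.2.11 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:15:06 fw kernel: DMZ-INGRESS IN=eth_lan OUT=eth_dmz SRC=10.0.0.9 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=22 SYN
Mar  3 10:15:07 fw kernel: DMZ-EGRESS IN=eth_dmz OUT=eth_lan SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 PROTO=UDP SPT=51236 DPT=53'

# Read log lines on stdin; print "COUNT SRC -> DST PROTO/DPT", most frequent
# first. Only DMZ-EGRESS entries count; ingress and unrelated lines are skipped.
dmz_egress_report() {
    awk '
        /DMZ-EGRESS/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue          # tokens like SYN carry no value
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "DST") dst = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            if (src != "" && dst != "")
                count[src " -> " dst " " proto "/" dpt]++
        }
        END { for (key in count) printf "%d %s\n", count[key], key }
    ' | sort -rn
}

# Read a report on stdin; exit 0 if any single flow reached THRESHOLD
# attempts (a DMZ host repeatedly reaching for something it should never
# need is the signal worth investigating), 1 otherwise.
dmz_egress_alert() {  # dmz_egress_alert THRESHOLD
    awk -v t="$1" '$1 + 0 >= t + 0 { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Usage: print the report, then alert on any destination hit twice or more.
printf '%s\n' "$SAMPLE_LOG" | dmz_egress_report
if printf '%s\n' "$SAMPLE_LOG" | dmz_egress_report | dmz_egress_alert 2; then
    echo "ALERT: a DMZ host is repeatedly attempting outbound connections"
fi
```

On the constructed input the report shows the DMZ web host reaching for LDAP (389) on an internal address twice, which is exactly the kind of attempt the thread worries about: a compromised DMZ box probing the internal authentication system. Run it as `grep DMZ-EGRESS /var/log/kern.log | dmz_egress_report` on a real firewall.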

#7 humbletech99 (Linux Newbie), joined Nov 2005, 225 posts
    Quote originally posted by Lazydog:
    "The DMZ should not allow ADMIN ACCESS for any reason, unless it cannot be avoided, from the internet. In this case you should only use ssh with keys and not passwords."
    No admin access is allowed from the internet, obviously.

    You're talking about just using the authentication that currently exists for internal use. If the DMZ is ever penetrated, then this internal authentication mechanism is also open to attack since the DMZ systems must be able to connect to it to authenticate.

    That is a broken design.

    Which is why I am asking if people out there are maintaining separate authentication realms and if so what they are using.
    The Human Equation:

    value(geeks) > value(mundanes)

#8 jledhead (Linux Engineer), joined Oct 2004, North Carolina, 1,077 posts
    we don't have central accounts in the dmz. if it's all nix though you could use webmin to sync all the users and passwords: ClusterWebminServers < Webmin < Doxfer

    which I do use and it's not centrally managed

#9 humbletech99 (Linux Newbie), joined Nov 2005, 225 posts
    ok thanks... I'm not really into webmin but thanks for the recommendation.

    I'm thinking NIS/OpenLDAP at this point.
    The Human Equation:

    value(geeks) > value(mundanes)

#10 Lazydog (Linux Guru), joined Jun 2004, The Keystone State, 2,677 posts
    That is not what I am talking about. Here is the high level view:

    1. Create a server that anyone who needs access to the DMZ can log into with their own account.

    2. Create individual ssh-key for every user on this server.

    3. Set up the servers in the DMZ to only allow ssh from this server with the users' ssh keys.

    4. Set up the firewall to allow ssh to the DMZ only from this server.

    Now you have a centrally located server that everyone has to authenticate to before going to the DMZ.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
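Step 3 of Robert's plan lives in each DMZ host's sshd_config, and it is easy to get wrong because sshd takes the first value it sees for a keyword and treats anything under a Match block as conditional. The script below, added as an example and not part of the thread, audits an sshd_config for that model: key-only logins, no root login, and logins permitted only from the jump server (via an AllowUsers *@HOST pattern, which OpenSSH supports). The jump-host address 192.0.2.5 and both sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a DMZ host's sshd_config for the
# jump-server model (key-only, no root, logins only from the jump host).
# The address 192.0.2.5 and the two config files below are constructed.

# Effective value of KEYWORD in FILE, following sshd rules: keywords are
# case-insensitive, comments and blank lines are ignored, the FIRST value
# wins, and anything after a Match line is conditional, so the scan stops
# there. (The Key=Value spelling sshd also accepts is not handled.)
sshd_effective() {  # sshd_effective KEYWORD FILE
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$2"
}

# Check FILE against the model; print one FAIL line per problem and return 1,
# or print OK and return 0. Absent keywords take sshd's default of "yes" for
# PasswordAuthentication and PubkeyAuthentication.
audit_dmz_sshd() {  # audit_dmz_sshd FILE JUMPHOST
    file=$1; jump=$2; rc=0
    v=$(sshd_effective PasswordAuthentication "$file"); [ -z "$v" ] && v=yes
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication is '$v', want no"; rc=1; }
    v=$(sshd_effective PubkeyAuthentication "$file"); [ -z "$v" ] && v=yes
    [ "$v" = yes ] || { echo "FAIL PubkeyAuthentication is '$v', want yes"; rc=1; }
    v=$(sshd_effective PermitRootLogin "$file"); [ -z "$v" ] && v=unset
    [ "$v" = no ] || { echo "FAIL PermitRootLogin is '$v', want no"; rc=1; }
    v=$(sshd_effective AllowUsers "$file")
    case " $v " in
        *" *@$jump "*) ;;
        *) echo "FAIL AllowUsers does not restrict logins to *@$jump (got '$v')"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo "OK $file allows key-only logins from $jump only"
    return $rc
}

# Constructed sample configs. The weak one looks partly locked down, but the
# first PasswordAuthentication value wins and the AllowUsers sits under Match,
# so it only applies to connections matching that block.
WORK=$(mktemp -d)
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match Address 192.0.2.5
    AllowUsers *@192.0.2.5
EOF
cat > "$WORK/sshd_config.hardened" <<'EOF'
# DMZ host: reachable over ssh only from the internal jump server
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers *@192.0.2.5
LogLevel VERBOSE
EOF

# Usage: audit both files against the jump-host address.
audit_dmz_sshd "$WORK/sshd_config.weak" 192.0.2.5
audit_dmz_sshd "$WORK/sshd_config.hardened" 192.0.2.5
```

The AllowUsers check complements, rather than replaces, the firewall rule in step 4: the firewall keeps other hosts from reaching port 22 at all, and sshd refuses them even if a firewall change lets them through. Run `audit_dmz_sshd /etc/ssh/sshd_config <jump-host-ip>` on each DMZ server, and remember that `sshd -T` prints sshd's own view of the effective configuration when the parser's simplifications are not enough.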
