[TUHS] YP / NIS / NIS+ / LDAP
norman at oclsc.org
Wed Nov 7 09:59:53 AEST 2018
A. P. Garcia:
I'd be interested in knowing where a pure unix environment
exists, beyond my imagination and dreams that is.
For starters, the computing facility used for teaching
in the Department of Computer Science at the University
of Toronto. Linux workstations throughout our labs; Linux
file servers and other back-ends, except OpenBSD for the
Kerberos KDCs and firewalls.
And yes, we use Kerberos, including Kerberized NFS for
(almost) all exports to lab workstations, which cannot
be made wholly secure against physical breakins by students.
(There's no practical way to prevent that entirely.)
Except we also use traditional UNIX /etc/shadow files
and non-Kerberized NFS for systems that are physically
secure, including the host to which people can ssh from
outside. If you don't type a password when you log in,
you cannot get a Kerberos TGT, so you wouldn't have access
to your home directory were it Kerberized there; and we
aren't willing to (and probably couldn't) forbid use of
.ssh/authorized_keys for users who know how to do that.
Because we need to maintain the password in two places,
and because we create logins automatically in bulk from
course-registration data, we've had to write some of our
own tools. PAM and the ssh GSSAPI support suffice for
logging in, but not for password changes or account
creation and removal.
Someday we will have time to look at LDAP. Meanwhile we
distribute /etc/passwd and /etc/shadow files (the latter
mostly blanked out to most systems) via our configuration-
management system, which we need to have to manage many
other files anyway.
More information about the TUHS