SUMMARY: Shadow passwords

From: Bob Vickers (bobv@cs.rhul.ac.uk)
Date: Mon Jun 07 2004 - 10:56:53 EDT


I received a wide variety of suggestions. It appears that the later
versions of Tru64 give quite a variety of authentication options, but
4.0G is much more limited so I need to upgrade if I am to take
advantage of them.

Possibilities include:
  LDAP
  Shadow passwords (though incompatible with other unixes)
  Microsoft NIS server
  Advanced Server for Unix (ASU)
 
I still haven't decided which route to go, none stands out as being
the clear winner.

Thanks go to
  Alaric Turner
  Thomas Sjolshagen
  Graham Allan
  Ann Majeske
  Damon Goforth
  Rich Fox
for their replies, which I have included below.

If you are running a Windows Domain MS have shipped a NIS server as a
FOC add on, I haven't played with it with Tru64 but it does work nicely
with Win2k Active Directory & Linux (debian 3 & Mandrake) so should work
with Tru64..

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324083 gives
more info.

Alaric Turner

----
Advanced Server for Unix (ASU) would let you do this (Tru64 UNIX doesn't
support PAM, so not only would you need to write a PAM interface, you'd
need to interface it with SIA (the Tru64 UNIX Security Architecture)).
As you probably have a Campus license, ASU is probably the most cost
efficient way to go about getting Tru64 UNIX/Windows interoperability..
That, or LDAP..
Thomas Sjolshagen
----
Have you considered using an LDAP based authentication system? We are
using it for a variety of platforms including MacOS X, MacOS X server,
Tru64, Windows2K, and various flavors of Linux (including beowulf
clusters). It certainly has eased administering user accounts across our
systems. Our Tru64 systems are 5.1A though and I am not sure if the
previous versions are capable. I believe the LDAP package was included in
the Internet Express distributions.
Rich Fox
----
I'm no expert, but I still get the feeling that Tru64 C2 security is
incompatible with any other OS shadow passwords. I believe that in
Tru64 5.x you can turn on only the shadow password function of C2,
without all the other features, but it's still not compatible with
linux, etc.
We're looking at using LDAP to replace NIS here. Tru64 5.1B includes an
LDAP authentication module. For earlier versions, you can install one
from the Internet Express kit. This should give a common authentication
system between Tru64, Solaris and Linux. Not sure about Windows. Samba
can use LDAP for authentication, so if your Windows systems are in a
domain with a samba PDC, that should do it (and that's what we're
hoping will work here).
There do seem to be some glitches with the Tru64 LDAP auth stuff, e.g.
although we have it working, it doesn't seem possible to run it
securely (using an SSL connection to the LDAP server). Or rather, there
are signs that this might be possible (from delving into the innards of
the binary) but no documentation on it, or help from HP. Having said
that, even without SSL it should be better than NIS or unshadowed
passwords!
Graham Allan
----
Later versions of Tru64 do have a "shadow password" option, but it is
basically Enhanced Security with most of the stuff turned off.  It will not
interoperate with the shadow password option on other versions of
UNIX.  You might want to read up on "Single Sign On" for V5.1B.
It may do some of what you want.  All of the Tru64 manuals are on-line
on the HP web site, you'd want to look in the "Security Administration"
manual for V5.1B.  The V5.1A Security Manual has some stuff that
apparently disappeared in the V5.1B manual, so you might want to look
at it too.  Tru64 doesn't support PAM, it has it own security architecture,
SIA.
Ann Majeske
----
Damon M. Goforth referred me to an older message from Jonathan
Williams (which Google fails to find!):
Sent: September 12, 2002 9:36 AM
To: tru64-unix-managers@ornl.gov
Subject: SUMMARY: Shadow Passwd file requires C2?
Ok...easy enough.  You DO need to enable C2 security...but there is an
option to ONLY add the shadow passwd functionality (I just used Sysman
to change the security settings).  I've done this on a test machine, and
everything seems OK so far.  Now it's time to read the secconfig man
page.  Thanks to the fast responses from: Rochelle Lauer, Ken Kleiner,
and Paul Sand
Jonathan Williams
-----Original Message-----
From: tru64-unix-managers-owner@ornl.gov
[mailto:tru64-unix-managers-owner@ornl.gov] On Behalf Of Bob Vickers
Sent: June 04, 2004 3:12 AM
To: Tru64 Unix Managers
Subject: Shadow passwords
Dear Tru64 Managers,
We have a mixture of Tru64, Linux, Solaris and Windows machines and I am
looking at ways of simplifying our authentication mechanisms.
It would be helpful if we could enable shadow passwords without all the
complication of enabling Enhanced Security. I am almost sure that some
time in the past I read that this is possible with later versions of
Tru64, but I have googled and looked in manuals and can't find any
reference to this. Is my memory letting me down? If it is possible could
someone point me to the documentation that describes how to do it?
At the moment we are running 4.0G, but we could upgrade to a later
version if there were sufficient motivation.
Alternatively: is there a way of telling Tru64 to use a Samba PDC as
authenticator (perhaps by compiling our own PAM interface)? This looks
like the best option for Linux, Solaris and Windows.
Thanks for your time,
Bob
==============================================================
Bob Vickers                     R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv

