[opensuse] Using google for authentication?
Hi list, - just an idea...would it be possible (has anyone done it) to use your google login to authenticate your access to your central openSuse box? - or perhaps openID? - a kind of replacing YP/NIS with a globally available service, at least for authentication...
--
Med venlig hilsen/Best regards
Verner Kjærsgaard
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Mon, 2010-06-14 at 12:10 +0200, Verner Kjærsgaard wrote:
Hi list, - just an idea...would it be possible (has anyone done it) to use your google login to authenticate your access to your central openSuse box?
Possible, sure; aside from being a horrible idea. [Authentication fails if the Internet connection is down, or if the provider changes their API, hostname, etc...]
- or perhaps openID?
Yes. The hard part, for either, is that you would need to dynamically allocate a UID/GID upon successful authentication [much like Samba's winbind can do for AD domain authentication]. And you'd need to keep an idmap to remember the token:UID pair so the user gets the same one next time.
- a kind of replacing YP/NIS with a globally available service, at least for authentication..
Should be trivial for authentication services, like Cyrus IMAPd or web
applications (perhaps using saslauthd) that don't require a 'system
account'. Otherwise you have to dynamically generate the system account
- which also shouldn't be too hard, but with significant downsides.
Since at least OpenID could potentially have a local provider that
seems, at least to me, kind of an interesting solution.
--
Adam Tauno Williams
On 14/06/10 08:01, Adam Tauno Williams wrote:
On Mon, 2010-06-14 at 12:10 +0200, Verner Kjærsgaard wrote:
Hi list, - just an idea...would it be possible (has anyone done it) to use your google login to authenticate your access to your central openSuse box?
Possible, sure; aside from being a horrible idea. [Authentication fails if the Internet connection is down, or if the provider changes their API, hostname, etc...]
Not necessarily. If the provider is down, the system can fall back to another method. I guess ChromeOS has bits to do that.
On Tue, 2010-06-15 at 14:24 -0400, Cristian Rodríguez wrote:
On 14/06/10 08:01, Adam Tauno Williams wrote:
On Mon, 2010-06-14 at 12:10 +0200, Verner Kjærsgaard wrote:
Hi list, - just an idea...would it be possible (has anyone done it) to use your google login to authenticate your access to your central openSuse box?
Possible, sure; aside from being a horrible idea. [Authentication fails if the Internet connection is down, or if the provider changes their API, hostname, etc...]
Not necessarily. If the provider is down, the system can fall back to another method.
There is something like that with active directory login. Perhaps the same thing could be used here. But this would mean that anyone with a google account could, for example, ssh into your machine. I don't even like that this is the case with all the people in my company via active directory (can't limit it to certain patterns, or even a list of users - too bad). All google users? Surely someone would find a way to abuse that!
--
Roger Oberholtzer
Ramböll RST/OPQ
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
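The idmap Adam describes above (remember the token:UID pair so a user gets the same UID next time) and the restriction Roger asks for (only identities from an allowed domain get an account), as an added example that is not code from the thread or from any openSUSE or Samba project. The class name, the JSON on-disk format, the UID range and the issuer/subject/email parameters are assumptions made for this example.

```python
"""Stable UID/GID allocation for users authenticated by an external provider.

Added example (not from the thread). Maps an issuer-qualified identity to a
UID/GID allocated from a fixed range and persists the mapping, so the same
person gets the same UID on every login. All names are assumptions.
"""
import json
import os


class IdMap:
    """Persistent map from provider identity -> (uid, gid)."""

    def __init__(self, path, allowed_domains, uid_min=100000, uid_max=199999):
        self.path = path
        self.allowed = {d.lower() for d in allowed_domains}
        self.uid_min, self.uid_max = uid_min, uid_max
        self.entries = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def _save(self):
        # Write to a temp file and rename so a crash never leaves a half-written map.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.entries, fh)
        os.replace(tmp, self.path)

    def allocate(self, issuer, subject, email):
        """Return the stable (uid, gid) for this identity, allocating on first login.

        issuer/subject are the provider's stable identifiers (never the display
        name, which can change); email is used only for the domain check.
        """
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in self.allowed:
            raise PermissionError(f"{email}: domain not allowed to log in")
        key = f"{issuer}|{subject}"  # issuer-qualified: no cross-provider collisions
        if key in self.entries:
            e = self.entries[key]
            return e["uid"], e["gid"]
        used = {e["uid"] for e in self.entries.values()}
        for uid in range(self.uid_min, self.uid_max + 1):  # first free UID in range
            if uid not in used:
                self.entries[key] = {"uid": uid, "gid": uid, "email": email}
                self._save()
                return uid, uid
        raise RuntimeError("idmap UID range exhausted")
```

A PAM or NSS module would call `allocate` after the provider has confirmed the login and then create the home directory under the returned UID; a second login with the same subject hits the stored entry instead of allocating again.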
Roger Oberholtzer wrote:
On Tue, 2010-06-15 at 14:24 -0400, Cristian Rodríguez wrote:
On 14/06/10 08:01, Adam Tauno Williams wrote:
On Mon, 2010-06-14 at 12:10 +0200, Verner Kjærsgaard wrote:
Hi list, - just an idea...would it be possible (has anyone done it) to use your google login to authenticate your access to your central openSuse box?
Possible, sure; aside from being a horrible idea. [Authentication fails if the Internet connection is down, or if the provider changes their API, hostname, etc...]
Not necessarily. If the provider is down, the system can fall back to another method.
There is something like that with active directory login. Perhaps the same thing could be used here. But this would mean that anyone with a google account could, for example, ssh into your machine. I don't even like that this is the case with all the people in my company via active directory (can't limit it to certain patterns, or even a list of users - too bad). All google users? Surely someone would find a way to abuse that!
Thanks to all for their participation in this discussion :-) I feel I had better explain my reasons for asking.. I manage our school IT...well actually I don't, but somehow it always seems to fall back onto my shoulders... We wish to employ google-apps for as much as possible, starting mid-august. This means managing google-apps with 250+ accounts and all. At the same time, I (unfortunately) have to maintain some local storage and some local apps served to some of the users by means of KIWI/LTSP. In order to avoid double administration of usernames/passwords, I would very much like to query the individual user's google account for authentication to log in to the central openSUSE box. And, if possible, also grant access to the individual user's SAMBA share (served to the poor windows-only users).
--
Med venlig hilsen/Best regards
Verner Kjærsgaard
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
On Wed, 2010-06-16 at 14:32 -0400, Cristian Rodríguez wrote:
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
A PAM module won't make Samba authentication work.
--
Adam Tauno Williams
On Wed, 2010-06-16 at 20:45 -0400, Adam Tauno Williams wrote:
On Wed, 2010-06-16 at 14:32 -0400, Cristian Rodríguez wrote:
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
A PAM module won't make Samba authentication work.
What do you mean by 'samba authentication'? Isn't that done by you for each user via smbpasswd? That is for accessing shares. It does not log you in to the machine to run commands. Are you doing something else with this? I use active directory to validate users. It is set up in samba. And there is a PAM module as part of it. Note that the same person who logs in via google and via some sort of samba would surely be considered two different users by the system. With different homes. Why do you have both methods?
--
Roger Oberholtzer
OPQ Systems / Ramböll RST
Roger Oberholtzer wrote:
On Wed, 2010-06-16 at 20:45 -0400, Adam Tauno Williams wrote:
On Wed, 2010-06-16 at 14:32 -0400, Cristian Rodríguez wrote:
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
A PAM module won't make Samba authentication work.
What do you mean by 'samba authentication'? Isn't that done by you for each user via smbpasswd? That is for accessing shares. It does not log you in to the machine to run commands. Are you doing something else with this?
I use active directory to validate users. It is set up in samba. And there is a PAM module as part of it.
Note that the same person who logs in via google and via some sort of samba would surely be considered two different users by the system. With different homes. Why do you have both methods?
Hi... By SAMBA authentication I simply mean supply a username/pw and gain access to your share - which usually would be something like /home/peter/. Made accessible to windows users by means of a standard share in smb.conf. I cannot have and do not have a Windows AD controller. The only thing I'd like to have is some sort of automatics taking the burden of keeping dual accounts up-to-date. But I don't (at first) see the problem with users' homes. The path to the user's home is given in /etc/passwd. Which then consults shadow or whatever for pw authentication? Thank you to all!
--
Med venlig hilsen/Best regards
Verner Kjærsgaard
On Thu, 2010-06-17 at 09:06 +0200, Verner Kjærsgaard wrote:
Roger Oberholtzer wrote:
On Wed, 2010-06-16 at 14:32 -0400, Cristian Rodríguez wrote:
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
On Wed, 2010-06-16 at 20:45 -0400, Adam Tauno Williams wrote:
A PAM module won't make Samba authentication work.
What do you mean by 'samba authentication'? Isn't that done by you for each user via smbpasswd? That is for accessing shares. It does not log you in to the machine to run commands. Are you doing something else with this? I use active directory to validate users. It is set up in samba. And there is a PAM module as part of it. Note that the same person who logs in via google and via some sort of samba would surely be considered two different users by the system. With different homes.
By SAMBA authentication I simply mean supply a username/pw and gain access to your share - which usually would be something like /home/peter/. Made accessible to windows users by means of a standard share in smb.conf. I cannot have and do not have a Windows AD controller. The only thing I'd like to have is some sort of automatics taking the burden of keeping dual accounts up-to-date. But I don't (at first) see the problem with users' homes. The path to the user's home is given in /etc/passwd. Which then consults shadow or whatever for pw authentication?
False. Samba does not use /etc/passwd and /etc/shadow for authentication.
It retrieves the home directory of a user from /etc/passwd via NSS, but
it does not use the password crypts from those files [at least not unless
you've gone around and hacked the registry of every Windows PC, as they
will wisely refuse by default to use the insecure authentication
mechanism that permits CIFS authentication via PAM].
--
Adam Tauno Williams
On Thu, 2010-06-17 at 08:26 +0200, Roger Oberholtzer wrote:
On Wed, 2010-06-16 at 20:45 -0400, Adam Tauno Williams wrote:
On Wed, 2010-06-16 at 14:32 -0400, Cristian Rodríguez wrote:
On 16/06/10 03:15, Verner Kjærsgaard wrote:
In order to avoid double administration of usernames/passwords, I would very much like to query the individual users google account for authentication to login to the central openSUSE box. And, if possible, also grant access to the individual users SAMBA share (served to the poor windows only users).
Google on how to set up "pam_google".
A PAM module won't make Samba authentication work.
What do you mean by 'samba authentication'?
Providing credentials to Samba for accessing a share/service.
Isn't that done by you for each user via smbpasswd?
Depending upon your configuration.
That is for accessing shares. It does not log you in to the machine to run commands. Are you doing something else with this? I use active directory to validate users. It is set up in samba. And there is a PAM module as part of it.
Samba does *not* use the PAM modules; the PAM module uses Samba. The module allows the *system* to authenticate users [for shell access, etc..] via Samba. You do not authorize Samba access via the module.
Note that the same person who logs in via google and via some sort of samba would surely be considered two different users by the system. With different homes. Why do you have both methods?
Samba does not authorize users using PAM - it is *not possible*. To
authorize the connection from a Windows PC the server must support NTLM
[probably NTLMv2] authentication. PAM is for simple chat/expect
authentication. Even the PAM Kerberos module supports
username/password authentication against a KDC - it does not support
"Kerberos authentication".
--
Adam Tauno Williams
On Thu, 2010-06-17 at 05:53 -0400, Adam Tauno Williams wrote:
I use active directory to validate users. It is set up in samba. And there is a PAM module as part of it.
Samba does *not* use the PAM modules; the PAM module uses Samba. The module allows the *system* to authenticate users [for shell access, etc..] via Samba. You do not authorize Samba access via the module.
I did not say who used whom. Just that there were two parts to the puzzle: samba and a pam module. It is of course exactly as you described it.
Note that the same person who logs in via google and via some sort of samba would surely be considered two different users by the system. With different homes. Why do you have both methods?
Samba does not authorize users using PAM - it is *not possible*. To authorize the connection from a Windows PC the server must support NTLM [probably NTLMv2] authentication. PAM is for simple chat/expect authentication. Even the PAM Kerberos module supports username/password authentication against a KDC - it does not support "Kerberos authentication".
No issue. I guess I am confused why samba user configuration and google authentication for login are discussed together in the original post. Perhaps google authentication is not wanted for login, and is only wished by the OP to be used by samba to authenticate access to shares. If so, that is different than how I interpreted the original post.
--
Roger Oberholtzer
OPQ Systems / Ramböll RST