|
-
October 26th, 2005, 01:54 AM
#1
Second Linux Question
What: How can I maintain centralized control over a large system?
Explained: I need all system and user environment configurations to be controlled by a single point. Including the installation of trusted packages by normal users, screen resolutions, application paths, and login hours (controlling when users can access various resources) with automatic logout after a predefined idle term.
Why: Because frequently terminals do not have their access physically restricted and it is important that the same applications be made available to every system (ERP clients on engineering systems for example) and that every system be equally accessible… with the exception of restricted systems that may have additional resources or unrestricted access for select users.
Windows: In Windows this can all be done using a domain hierarchy and various group policies.
My Understanding: My understanding is that a NIS lacks the capability to push homogenous desktops based on the system class, lacks the granularity of security to allow and control package installation for users that are normally not able to install packages without creating serious security concerns. NISes are also unable to control user access times based on the system class, nor do they support automatic logout dependant on user activity.
Replies included (in order of popularity):
[list=1][*]There is no way to do this[*]There is no way to do this in Linux or Windows[*]KIOSK framework[*]LDAP[*]YAST[*]PAM[/list=1]
Most of these answers are incomplete... but I wonder if they can address all the points:
A single point of configuration for all systems covering:
- packages management
- application paths
- desktop environments
- session controls
- accountability across systems
I am leaning toward Linux can do this... but it requires a hell of a lot of work to set up... and even them I am not sure that it can handled package mangement or accountability in a manner that I'd be comfortable with.
This needs to be discussed more, because despite all my reading on this subject everything is still pretty blurry. I feel like Linux is capable, I just don't know how still.
cheers,
catch
-
October 26th, 2005, 03:22 AM
#2
catch,
I am currently trying to do just that, although with far fewer resources. What I have is several servers, all chrooted, and therefore unable to access the root of the filesystem they are running from. This is as close as I can get to havin individual servers.
I have PAM set up to query a mysql database, which contains all the usernames, passwords, and associated account information. Even shadow support is enabled, in that a normal user cannot pull the crypted password out of the database.
Additionally, I have installed a mysql module for NSS. The net effect is that, whenever the system queries information about a user, it looks first to local files, such as /etc/shadow and /etc/passwd, and if user information is not found there, queries the mysql database. In this manner, any application normally querying the system for user information can remain completely ignorant of the fact that this informaion is actually held in a database, unless of course it reads these files directly. This database contains all the group information normally contained within the passwd, group, and shadow files, although such support is certainly not as granular as Windows domain policies.
Webmin, for example, queries the passwd and shadow files directly, unless told to authenticate via PAM. When authenticating via PAM, the modules are stacked to first try pam_unix, and then pam_mysql. Should querying of pam_unix fail for whatever reason, the application can then use PAM to query the mysql database directly.
In some cases, the use of PAM has proven to be impossible, or time prohibitive, or simply not supported or too buggy at the current time. Some applications, such as Apache, are authenticating directly against the mysql database, with no intermediaries such as PAM or NSS.
I have found this solution to be quite flexible in the manner in which I choose to have applications authenticate users. I have yet to find an application which cannot authenticate against the mysql databse in one way or another. So in answer to your question, yes, I believe that a centralized user database can be created and maintained which can do what you are asking for, although support for it is still very sketchy, through the use of mysql databases. Although a user credentials and permissions database can be created, there is, to my knowledge, no standard method of authenticating against it as of yet. Each application must be configured and tested individually to work with that database.
So that at least covers session controls and accountability across system, but not yet package management, application paths, or desktop environments.
I have before created a roaming desktop environment for users by mapping the "\windows\documents and settings\%user%\desktop" directory to a network drive, and keeping those desktops on a file server... I believe that is what you are asking for with desktop environments?
So that leaves package management and application paths. But hell, 3/5 ain't bad...
NSS-MYSQL
PAM-MYSQL
Apache httpd mod_auth_mysql
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError community!
-
October 26th, 2005, 03:59 PM
#3
I'm with you catch. I believe it can be done, but it will take a lot of work and research. Since that's what you will probably be doing if you are serious about this, and you actually need to implement it, I'll let you do that  . Or maybe someone here has already done it.
-
October 26th, 2005, 05:43 PM
#4
The difficult part of these discussions is that there is no difinitive answers. At best there are partial answers but none all inclusive. I only saw the first and second question and after the discussion on the first and knowing basically what the needs are conceptually you would tend to believe the same arguments apply to the second(conceptually). I'm going to go out on a limb here and assume that it is also true with the remaining questions.
Now, to the second question. I answered it with Distributed Computer Environment(DCE). Back in the 80's and early 90's we used a system called Apollo Domain(later bought by HP to become HP-UX). DCE is a software system developed in the early 1990s by a consortium that included Apollo Computer. Apollo implemented DCE into the Apollo Domain OS.
My point is I am familiar with DCE and the functionality it can bring to a distributed environment and centrally administered. DCE is an open source project already ported to most major platforms(but not Linux at the time). There is now a port to Linux for called freeDCE. But now the question begs how mature is it and it brings us right back to the same arguments from the first question.
I believe DCE can(conceptually) answer all the points in question two, but only for the major platforms. As for Linux and the FreeDCE project, we again are stuck with all the same problems from question one. The project is still in development, would it be worth the time and effort to implement it, and is it worth the gamble to attempt it and find out to late that it falls short. I myself am a bit rusty with DCE since it was over 20 years ago
To get a high level understanding of DCE go to this link:
http://en.wikipedia.org/wiki/Distrib...ng_Environment
Here is the consortium home page for DCE:
http://www.opengroup.org/dce/
Here is the Linux port:
http://sourceforge.net/projects/freedce
There are two rules for success in life:
Rule 1: Don't tell people everything you know.
-
October 27th, 2005, 03:05 PM
#5
Package management: the Gentoo system, 'portage', is very mature, very, very easy to use.
The only issue is that it compiles everything from source, which can be problematic for people who need an application yesterday (but what kind of admin are you?); it does accept precompiled packages, however, and can handle .rpm and the such pretty well.
Actually, everything you are mentioning *is likely to change* from distribution to distribution, because (yawn) Linux is just the kernel, the OS is GNU/Linux, and people will install software wherever the hell they damn please.
User info and settings are saved in the user's home directory as hidden files (there is a period in front of the filename, like such : .xmms)
Just the same, there isn't just one shell. You have sh, csh, tsh, bash, ksh, zsh, etc etc. Hell, you can use a special program as a login shell if you want, so that users don't even have a chance to type a command, they're in the program from when they log in to when they log out (and then it's the programmer's problem to make sure they stay trapped in there).
-
October 27th, 2005, 11:14 PM
#6
Ok, I'll mark this one up as "it can be done (maybe, the pushed installs is still iffy as is administrator accountability over all these accounts) in theory" unfortunately I could never sell such an answer to operations.
This makes Linux 0 for 2.
cheers,
catch
-
October 28th, 2005, 04:51 AM
#7
How can I maintain centralized control over a large system?
Trying to build a botnet? Yeah, windzz is prolly better for that...
I came in to the world with nothing. I still have most of it.
-
October 28th, 2005, 05:00 AM
#8
Originally posted here by catch
Ok, I'll mark this one up as "it can be done (maybe, the pushed installs is still iffy as is administrator accountability over all these accounts) in theory" unfortunately I could never sell such an answer to operations.
This makes Linux 0 for 2.
What, you can't sell a house of cards built on a foundation of assumption? C'mon, where is the risk.... better yet, where is the risk management. I wouldn't feel too assertive either about placing that in a proposal.
Let's see what I can bring to the party. Your network authentication and management here rides on the probity of the master server/system NIS is on, and its slave. Well, that pestiferous trusted path just keeps riding your ass doesn't it linux? God forbid you give away the super special user credentials to a spoof login. Then you're gonna learn real quick how fast your domain, users, users passwords and master password can be tweaked by a seventeen year old. I don't think I need to remind you, but NIS has been the favorite starting point for many successful penetrations in UNIX alone. God forbid any design flaws in the code of NIS implementations.
I know you were asking about what it could handle, but I just thought I'd throw that in.
-
November 9th, 2005, 05:14 AM
#9
I'm no expert in these fields and I'm not sure you want to know what vendors like Sun are doing, but Java Desktop System (JDS) has a mechanism to do something like that.. (it's not free...)
http://www.sun.com/software/controlstation/
news worthy not long ago:
http://www.desktoplinux.com/news/NS5006457753.html
Hope that's interesting if its not particularly helpful...
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
