Reviewing options for single sign-on in Ubuntu 7.10 (Gutsy Gibbon)
Single sign-on is the desire to have one set of authentication credentials and account information per user on a network. It’s a problem with which institutions large and small struggle. For large institutions the problems are often related to scalability and compatibility with large numbers of disparate systems. For smaller organizations the issues are often related to the manageability of the infrastructure. Finding a solution with the right fit for a particular network can be daunting, to say the least. I decided to review what the options were and consider implementing one of them for a network with about half a dozen users and about 50 systems (many virtualized).
LDAP + Kerberos
Essentially this choice would emulate Microsoft’s Active Directory. Kerberos would be used for authentication via passwords and LDAP would store the account information, including group memberships and other authorization information. This is a heavyweight solution that is more suitable for a large network or where interoperability with Active Directory is important. I have also heard concerns from those who have implemented LDAP storage in GNU/Linux that there are issues scaling to large numbers of users.
NIS (Network Information Services)
NIS has been around a long time, and while not often highly regarded it is at least fairly well understood in theory and in practice. There is quite a bit of infrastructure to maintain in an NIS setup: a master server, slave servers, and client daemons. I wasn’t sure my needs would lead to less work given the level of additional infrastructure required. Installing the nis package also installs portmap which conflicts with harden-servers, a package designed to prevent packages with known security issues from being installed. NIS also sends data in plaintext and therefore must be used in conjunction with some sort of encryption such as a VPN or SSL tunnel.
- Sharing logins on multiple machines using NIS
- Linux NIS/NIS+ Projects
- Debian NIS Howto
- The Linux NIS(YP)/NYS/NIS+ HOWTO
- FreeBSD Handbook: Network Information System
NSS (Name Service Switch)
There are a number of nss modules that can be used to store account and password information to supplement the local system.
libnss_mysql OR libnss_msql_bg
The naming conventions for these packages are very confusing, which makes the research difficult. However, these seem to be the best documented ways to use a relational database to store account information. To get a truly robust architecture, though, it seems that setting up database replication would be necessary. It’s possible that using some sort of caching mechanism might increase the reliability. Note that despite some documentation to the contrary one should not need the libpam_mysql package; NSS should handle all the authentication details.
To clarify:
- libnss-mysql = libnss_mysql_bg package
  - version 1.5
- NSS MySQL = libnss_mysql package
  - version 1.0, which is version 0.43 of NSS MySQL plus some bugfixes from the Debian maintainer
More information:
“Just Kerberos” or “Just PAM”?
Both Kerberos and PAM (Pluggable Authentication Modules) only handle authentication. You can use them for single sign-on passwords but not for account information such as home directory or UID. This information must remain consistent across machines to be considered a true single sign-on solution.
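To check the requirement just stated (UID, primary group, home directory and shell must agree on every machine), here is an added example script, not code from the original post: it parses `getent passwd` output that is assumed to have already been collected from each host (for example over ssh) and reports users whose fields disagree between hosts or who exist on only some of them. The host names and account entries below are constructed sample data.

```python
from collections import defaultdict

FIELDS = ("uid", "gid", "home", "shell")


def parse_passwd(text):
    """Parse `getent passwd` output into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue  # blank or malformed line: skip rather than guess
        name, _pw, uid, gid, _gecos, home, shell = parts
        users[name] = {"uid": int(uid), "gid": int(gid),
                       "home": home, "shell": shell}
    return users


def find_inconsistencies(host_outputs):
    """Return {user: {field: {host: value}}} for fields that differ between
    hosts; "missing" lists hosts that lack the user. Input: host -> getent text."""
    per_host = {h: parse_passwd(t) for h, t in host_outputs.items()}
    all_users = set().union(*per_host.values())
    problems = defaultdict(dict)
    for user in sorted(all_users):
        present = {h: u[user] for h, u in per_host.items() if user in u}
        missing = sorted(set(per_host) - set(present))
        if missing:
            problems[user]["missing"] = missing
        for field in FIELDS:
            values = {h: acct[field] for h, acct in present.items()}
            if len(set(values.values())) > 1:
                problems[user][field] = values
    return dict(problems)


# Constructed sample: what `getent passwd` might show on two hosts.
SAMPLE = {
    "web1": ("alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
             "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"),
    "db1": ("alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
            "bob:x:1003:1002:Bob:/home/bob:/bin/sh\n"
            "carol:x:1004:1004:Carol:/home/carol:/bin/bash\n"),
}

if __name__ == "__main__":
    for user, issues in find_inconsistencies(SAMPLE).items():
        print(user, issues)
```

A user like bob, whose UID differs between hosts, is exactly the case where a shared password still does not give a working single sign-on, since file ownership and NFS permissions follow the numeric UID.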