I have a web application and I would like to provide the users with a feature to be able to ssh to the Linux server without having to add all the users' credentials from the Psql DB to the Linux server. Instead I would like to use the credentials directly for ssh. I think that this is possible using Linux pluggable authentication modules (PAM), however I don't know where to start and I would like some help.
You will need to set up pam_pgsql and nss_pgsql for users from the database to become first-class citizens (local users). Then they will be able to ssh as easily as your users from the passwd/shadow/group files.
Start with installing those packages and reading their configuration manuals. Remember: PAM is for authentication, NSS is for name-to-uid and back translations.
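As an added illustration of the PAM/NSS layering the answer describes (this is not from the original answer), here are the four files involved. The table and view names, the read-only DB role `sshlookup` and the uid floor are assumptions; the key names follow the sample configuration files shipped with pam_pgsql and libnss-pgsql, so check the installed examples for your version.

```conf
# /etc/pam_pgsql.conf  (assumed table "users" with columns username, password, enabled)
# A dedicated read-only DB role limits what a compromised sshd PAM stack can do to the app DB.
connect = host=127.0.0.1 dbname=webapp user=sshlookup password=CHANGEME
# %u is substituted with the login name and quoted by pam_pgsql; never interpolate it yourself.
auth_query = SELECT password FROM users WHERE username = %u AND enabled
# Must return three booleans: account expired, password must change, password empty.
acct_query = SELECT (NOT enabled), false, (password = '') FROM users WHERE username = %u
# crypt means the stored hash must be crypt(3)-compatible (e.g. $6$ sha512crypt),
# so the web application has to write its password column in that format.
pw_type = crypt

# /etc/pam.d/sshd  (placed ahead of the distro's common-* includes; local accounts stay on pam_unix)
auth     sufficient pam_unix.so
auth     sufficient pam_pgsql.so
account  sufficient pam_unix.so
account  sufficient pam_pgsql.so

# /etc/nss-pgsql.conf  (assumed views posix_users, posix_groups, posix_membership)
connectionstring = host=127.0.0.1 dbname=webapp user=sshlookup password=CHANGEME connect_timeout=1
# Return 'x' instead of the real hash: getent passwd is world-readable, and PAM does the auth anyway.
# Floor at uid 1000 so a DB row can never resolve to root or a system account.
getpwnam  = SELECT username, 'x', gecos, homedir, shell, uid, gid FROM posix_users WHERE username = $1 AND uid >= 1000
getpwuid  = SELECT username, 'x', gecos, homedir, shell, uid, gid FROM posix_users WHERE uid = $1 AND uid >= 1000
allusers  = SELECT username, 'x', gecos, homedir, shell, uid, gid FROM posix_users WHERE uid >= 1000
getgrnam  = SELECT groupname, 'x', gid FROM posix_groups WHERE groupname = $1
getgrgid  = SELECT groupname, 'x', gid FROM posix_groups WHERE gid = $1
allgroups = SELECT groupname, 'x', gid FROM posix_groups
groups_dyn = SELECT gid FROM posix_membership WHERE username = $1 AND gid <> $2
getgroupmembersbygid = SELECT username FROM posix_membership WHERE gid = $1

# /etc/nsswitch.conf  ("files" first so local root and system accounts always win)
passwd: files pgsql
group:  files pgsql
```

Check `getent passwd <dbuser>` and `id <dbuser>` before touching the sshd PAM stack, and keep an existing root session open while testing the login path.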
I am new to LDAP. I'm using Windows 10 and I'm trying to connect to a remote LDAP server in order to perform an ldapsearch operation. I have browsed about this but till now I have only come across very, very complicated steps and I'm not sure if it's the right way as well.
So can someone share the steps in order to achieve this?
I would rather recommend Apache Directory Studio, which works pretty similarly to any other kind of LDAP browser, such as the above-mentioned Softerra.
However, on Wikipedia you can find an exhaustive List of LDAP software.
You could use an LDAP browser, such as the Softerra LDAP Browser.
https://www.ldapadministrator.com/softerra-ldap-browser.htm
Then you enter the URL and authentication data of the server where you want to connect and you're ready to browse the data.
You will probably pass a "bind DN" (which identifies the user) and the user's password.
I have currently installed gsutil on a server to access my GCS buckets. I followed the instructions under the section 'How to convert gsutil to use OAuth 2.0' from https://cloud.google.com/storage/docs/gsutil_install
The intermediate steps in the instructions require that a URL is copy-pasted into the browser to generate a code that you then have to enter again on the terminal. You also need to enter proxy server details (if any).
I am looking for ways to automate this set up and configuration process for gsutil.
Any ideas/references/suggestions/comments are welcome.
Thanks.
Can you say more about what you're trying to do? Are you looking to create distinct credentials for each of a set of users, or are you trying to set up gsutil running on multiple machines all as part of an application that authenticates as that application to Google Cloud Storage?
For the former you need users to set up their own credentials. The web-based dialog for OK'ing the creation of OAuth2 credentials was designed to make it unlikely that a customer could grant long-lasting credentials without being aware that they are doing so (for security reasons).
For the latter you should use a service account (see https://cloud.google.com/storage/docs/authentication#service_accounts). You create those credentials once and then deploy them on your production machines along with gsutil - which is a valid security approach because all instances of those machines are authenticating on behalf of an application, not distinct users.
I installed Neo4J on a server of a hosting provider. The app that I run on it works fine. However, how would I access Neo4J shell? As I understand, I would do it through http://www.myapp.com:PORT normally (if I uncomment accept all internal connections in Neo4J config). But is there a way to access shell, admin and web interface without uncommenting those external connections line? Like directly from SSH for example? How?
Thanks!
There's a neo4j-shell command within the bin folder. That will give you ssh access to running queries against neo4j.
So I'm setting up a dedicated server using Debian 5 Lenny. I will be using some Atlassian Tools (JIRA, Confluence, Bamboo, and Fisheye). I want to use a local LDAP server to store information for the users that will be accessing these software titles, so that they can use one set of credentials to log in.
I also want webmail users to be configured using LDAP.
However, this is a small operation. Three people. That's why all of the software, including the ldap server, will all be on the same machine.
That said, is it safe to use LDAP to store user credentials (including passwords) in LDAP without using Kerberos? I'm confused as to when Kerberos should be used.
Hypothetically, let's say I had two servers on a subnet. Server A received requests from the outside world, for Atlassian tools. Server A communicates to the LDAP server (internally) on Server B. In that case, would I use Kerberos?
When do I use Kerberos? When do I not?
I am not setting anything like "Active Directory" up. No Samba either. Users do not need to log in to a domain (with access to files on the domain), they just need to log in to webapps. But if I was doing LDAP on its own dedicated machine, then I might want Kerberos?
:confuzzled: :(
-Sam
The simplest possible answer is yes, it is possible to store user names, user ids, and passwords without using Kerberos, and in fact directory services accessed via LDAP are an excellent tool for storing this sort of authentication and authorization information.
Update:
In my opinion, if you do choose an open source server, you will find OpenDS to be superior to OpenLDAP or Apache.
Basically, if you have Kerberos, you do not need any directory server. If you aren't in a corporate environment and are looking for an identity management store, you should definitely go for a directory server like OpenLDAP or Apache Directory. Kerberos requires running correctly set up DNS and NTP servers. This might be way too much. Even if you do, those lazy morons from Atlassian still did not implement Kerberos support into their products. You can't even go with that.
I just noticed that there are only three of you, maybe a simple database setup with MySQL would suffice instead of running a full-blown directory server?
Is it possible to use LDAP / Active Directory with OpenSSH?
That is, avoiding using the commands "mkgroup -d..." and "mkpasswd -d ..." of OpenSSH. These commands are used to define a user list allowed to access the "ssh server" machine... and I would like to avoid having a fixed list, so as not to have to relaunch the commands several times.
I use OpenSSH as an SSH server and PuTTY as a client.
Thanks for your help
I cannot determine which OS your OpenSSH is running on.
Assuming it is Linux/UNIX, AFAIK, you would want to set it up using PAM (Pluggable Authentication Modules).
Google for PAM LDAP Linux
One link is:
http://wiki.linuxquestions.org/wiki/Pam_ldap