Hey Sorin, I'm getting ready to catch a plane to Dubai but wanted to answer you real quick and short: SSL for smaller networks, in terms of authentication, is fine and secure - as long as your infrastructure is secure. I'm glad to hear you're using VMs more and more. It gives you a lot more control to manipulate, change and recover from 'all kinds of errors' - tweaking .conf files, someone having 'root' or 'admin' on you, as you have to trust someone/sometime... Anyway, I'm hoping you consider the SSL implementation if you have to do something 'quick'; if not, Kerberos will certainly help you from getting 'fired'... it won't be the reason you do anyway.

About the previous post about IPA - you're hitting LDAP anyway (that is, AD) and probably a few more out there if you're somewhat of a 'shop' with stuff everywhere... IPA was hacked by a user group (exploit) in Seattle - and you get what 'you don't pay for' sometimes. Having said this, all these tools at the end of the day generally get the job done; the truth is 'what are you protecting' and from 'what' usually determines the component and/or tool you'd want to entertain. Once you have it in-house // and your name is on it // and it's in Production, it's really HARD to back out, in some cases impossible.

Case in point: TARGET was hacked by a 17-year-old punk with no date on a Friday night... and, well, they went from an 'openSource (which I FIRMLY believe in)' to a mixed-bag implementation including Oracle and IBM SSO/IdM implementations. They removed Kerberos from the equation - mixed SSL with a non-REAL X.500-compliant LDAP; we can say it has the letters DA in it but you can 'reverse' that and come up with a name... and then, so it goes, BAM! someone's inside. You see, the problem here is many will jump in and recommend a solution because 'they worked with it... and in most cases, IT IS all they know...'
You drive this car, you love it more than all other cars, but have yet to drive the other cars and see for yourself... Point is, mileage may vary, and it WILL. I will say this in my last post here on this thread: I've been in court as a witness during DoD audits and it was always 'we went with a solution' that was proven and tried.. and recommended.. TRIED by who? Recommended by who?? Best practices?? Just a collective agreement by a bunch of dweebs that say, yeah, that sounds right.

Message is: for what you need, Kerberos would work and should work. Enough documentation out there... and such to help you... Also, YouTube, believe it or not, has a lot of posts (many by myself but in my alter ego name, which are many - even this name is not real), but as I was saying - a ton of info. It's funny what qualifies as a guru, as at one time there was no Google to get an answer and rattle off a 'solution'. All my recommendations are actual dogfood I have eaten and I don't want to see the same thing happen to others, as this Security business is getting out of hand with all 'these experts' that truly don't have the heart to do what you're doing and get it done right, and to care enough to do that.

SSL is implemented on every Web application server and Internet-based product, except UDP - good luck with that... but having said that, you can surely do this with SSL and/or Kerberos. Anything else, you're going to pay for it. Here's a snip, and it comes down to your infrastructure, what you do for a business, who your audience is / what they do once they do have access, who wants your information - risk assessment is big here... and then there you go. If you really wanted security, you'd put another wrapper around this using an SSO tool, Access Manager - and combine the Kerberos ticket into the packet once the SSL header is created with the credentials, and CERT it down the wire.
NO ONE IS GETTING IN, especially what that 17-year-old with a runny nose, whose mom is paying for his college, is trying to do... Crazy world... Too bad we can't meet these guys in person. It would be a whole different world. Sorry so long. I post a few times a year to help those that are really burning the oil at night. GOOD LUCK.

1. Kerberos SSL/TLS
2. LDAP has industrial-strength protection built in if you hash the passwords/encrypt
3. Stay away from ANYTHING MICROSOFT security - Enter: Oxy-moronic
4. An openSource SSO tool built on JBoss or Tomcat

This is the real world right now. And if anyone challenges, like the song says, it surely means they don't know: Carry on...

Wizard of Hass -- Real men write their own device drivers ~ A. Tuckett

On 1/29/2014 1:49 AM, Sorin Srbu wrote:
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Jeffrey Hass
>> Sent: 29 January 2014 09:49
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Good call - not sure how far your coding goes and with what/how languages and scripts...
>> Make sure to have as much as possible on VMs related to your security 'servers' -- so that you also get a virtual built-in disaster recovery as well.
> My Google Fu is usually okay. ;-)
>
> We've started offing physical servers in favour of virtual ones. So far mostly Windows servers, but I've started testing e.g. Owncloud on a virtualized CentOS guest. More Linux machines are likely to be virtualized in due time.
> We (well, I actually...) decided on standardizing on Hyper-V as there was a really good P2V tool available for migrating Windows servers. We had lots of them...
>
>> Note: I didn't catch it - are you using Microsoft's implementation of Kerberos?
> We do have a Windows AD in place, it's the main IT here, but it's soon to be migrated to the central university IT dept. One less thing to worry about...
> *nix was originally only a group business at the dept., but over the years the Linux ratio has upped considerably, what with backup servers etc. running on Linux as well as us affording more machines for the original CADD group.
>
>> There's a reason I ask, you said you need to do something, sounds like fairly quick, probably a good thing, if nothing else get centralization = control! - more so -- than before ~ and so it goes, you will have encapsulated tickets on steroids, to be sure.. but if you're the only person.. is your shop that big that SSL wouldn't do the trick?
> SSL? How do you mean? Can you elaborate a bit?
>
> --
> //Sorin
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
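Point 2 of the list above ("LDAP has industrial-strength protection built in if you hash the passwords") is the one concrete configuration statement in the reply, so here is an added example of what that actually means on the wire and in a directory dump. This is not code from the mailing-list thread or from any LDAP project; it assumes the OpenLDAP userPassword convention of "{SCHEME}" followed by base64(digest + salt), the classic {SSHA} (SHA-1) scheme plus the {SSHA256}/{SSHA512} variants that OpenLDAP accepts with its pw-sha2 module loaded, and a slapcat-style LDIF that is constructed for the example and describes no real directory. It generates and verifies salted-hash values and then audits the dump for entries that were never hashed.

```python
# Added example (not from the original post): OpenLDAP-style userPassword hashing and a
# check for entries stored in cleartext or with an unsalted scheme.
# Assumptions: value format "{SCHEME}" + base64(digest + salt); {SSHA} is SHA-1,
# {SSHA256}/{SSHA512} are the pw-sha2 module variants. Sample LDIF is constructed.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SALTED_SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA512": hashlib.sha512,
}

# Stored as-is, or hashed without a salt: a copy of the directory hands an attacker the
# passwords outright, or a table-lookup job instead of a per-user brute force.
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SHA", "SHA256", "SHA512"}


def make_userpassword(password: str, scheme: str = "SSHA512",
                      salt: Optional[bytes] = None) -> str:
    """Return a {SCHEME}base64(digest+salt) value suitable for a userPassword attribute."""
    if scheme not in SALTED_SCHEMES:
        raise ValueError("unsupported salted scheme: %s" % scheme)
    if salt is None:
        salt = os.urandom(16)  # any length works; the verifier recovers it from the value
    digest = SALTED_SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value with no prefix is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_userpassword(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a salted-hash value."""
    scheme, payload = split_scheme(stored)
    if scheme not in SALTED_SCHEMES:
        raise ValueError("not a salted hash scheme: %r" % scheme)
    raw = base64.b64decode(payload)
    digest_len = SALTED_SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]  # salt is whatever follows the digest
    expected = SALTED_SCHEMES[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def classify_scheme(stored: str) -> str:
    """'salted-hash', 'weak', or 'review' ({CRYPT} strength depends on the crypt format)."""
    scheme, _ = split_scheme(stored)
    if scheme is None or scheme in WEAK_SCHEMES:
        return "weak"
    if scheme in SALTED_SCHEMES:
        return "salted-hash"
    return "review"


def audit_ldif(ldif: str) -> Dict[str, str]:
    """Map each dn in a slapcat-style dump to the verdict for its userPassword.

    Handles both 'userPassword: value' and the 'userPassword:: base64' form slapcat emits.
    LDIF line folding (continuation lines starting with a space) is not handled here.
    """
    verdicts: Dict[str, str] = {}
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            value = base64.b64decode(line[len("userPassword:: "):].strip()).decode("utf-8", "replace")
            verdicts[dn] = classify_scheme(value)
        elif line.startswith("userPassword: ") and dn:
            verdicts[dn] = classify_scheme(line[len("userPassword: "):].strip())
    return verdicts


def sample_ldif() -> str:
    """Constructed dump (no real directory): one entry per storage habit worth auditing."""
    good = make_userpassword("correct horse battery staple", "SSHA512", salt=b"\x10" * 8)
    b64_clear = base64.b64encode(b"{CLEARTEXT}Welcome1").decode("ascii")
    return "\n".join([
        "dn: uid=alice,ou=people,dc=example,dc=com",
        "userPassword: " + good,
        "",
        "dn: uid=bob,ou=people,dc=example,dc=com",
        "userPassword:: " + b64_clear,  # slapcat base64-encodes the whole value
        "",
        "dn: uid=carol,ou=people,dc=example,dc=com",
        "userPassword: Winter2014",  # no scheme prefix at all
        "",
        "dn: uid=dave,ou=people,dc=example,dc=com",
        "userPassword: {MD5}XrY7u+Ae7tCTyyK7j1rNww==",  # unsalted, constructed value
        "",
        "dn: uid=erin,ou=people,dc=example,dc=com",
        "userPassword: {CRYPT}$6$salt$hash",  # placeholder crypt string, not a real hash
        "",
    ])


if __name__ == "__main__":
    for entry_dn, verdict in audit_ldif(sample_ldif()).items():
        print("%-45s %s" % (entry_dn, verdict))
```

Two caveats worth keeping next to this: the hash only protects a stolen copy of the directory, because an LDAP simple bind still sends the password itself to the server, so point 1 of the list (TLS on the LDAP connection) is not optional just because point 2 is done; and {SSHA} is salted but fast, so where the server supports a slow scheme (OpenLDAP's pw-pbkdf2 module, for instance) that is the better default than SHA-1 for new entries.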