At college I'm part of a group of students that keep a server infrastructure running for the students. Lately we've been having a lot of trouble with the servers, and we decided that it's probably better to start from scratch and reinstall everything.

Currently we use PAM (libpam-mysql) for user authentication. Users need to be able to use their accounts to log in over SSH, FTP, SMB (Samba), mail servers, our website, and maybe in future also ownCloud. Most of the user management happens through the website (PHP, MySQL), which is also where users can configure their hosting packages (including vhosts). All the servers are running Debian.

One of the newcomers pointed out to me that if we're going to reinstall everything anyway, it's probably better for us to use Radius instead of PAM. I myself (being relatively new) am not experienced with either of the two, and Google proved to be surprisingly unhelpful when doing some research on the matter.

For our use case, but also in general, which would be more suited? Does one have any big advantages over the other?

Thanks in advance.

RobinJ
  • LDAP is pretty much the standard nowadays. – Jenny D Mar 26 '14 at 15:53
  • `it's probably better for us to use Radius in stead of PAM` -- this ignores the fact that your Radius authentication would probably be implemented as a PAM module. Jenny is correct though, Radius should be avoided unless you have a mandate to integrate with an existing Radius server. – Andrew B Mar 26 '14 at 15:56
  • @AndrewB Thank you :) Might want to post that as an answer rather than a comment, though :p – RobinJ Mar 26 '14 at 15:58
  • We tend to shoot for comments when the premise of the question itself is flawed. The topic itself is basically "which is better, milk or cheese". One is milk, the other is an implementation of milk. – Andrew B Mar 26 '14 at 16:02
  • @AndrewB When we need to choose, we pick the solution that is best for our use case. For me that might be milk, for you that might be cheese. I don't think there's anything wrong with asking for advice? – RobinJ Mar 26 '14 at 16:04
  • This goes back to my first comment. PAM is how you would implement Radius authentication in many of those cases; ergo, you are comparing two things that cannot be compared. – Andrew B Mar 26 '14 at 16:06
  • Look for LDAP and Kerberos, maybe FreeIPA and make your Radius and PAM use that as a backend. – ptman Mar 26 '14 at 16:43

1 Answer


It would be very hard to use RADIUS without using PAM. PAM defines an API for accessing credentials providers (and other session related stuff) which can be the usual files, NIS, LDAP, RADIUS....

The bit you're talking about changing is the credentials provider. There are places that PAM can't go - and to handle these cases it might be worth looking at whether the credentials providers which are supported are also supported under PAM (and note that in some cases it's possible to stack providers e.g. CAS on top of LDAP). Furthermore, PAM can use multiple credential providers.

You need to look at the estate for which you are trying to manage and identify what providers it could support, then think about how much effort is involved in configuring, coding and migrating.

(IME RADIUS never got much beyond authentication for network infrastructure - it's probably still worth considering if you need to implement EAP)

symcbean
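
The stacking of several credential providers under PAM that the answer describes, as an added example that is not part of the original answer: a small Python model of how Linux-PAM's `required`, `requisite`, `sufficient` and `optional` control flags combine module results. The stack and the module outcomes are constructed for illustration, and the bracketed `[value=action]` control syntax is not handled.

```python
# Added example: model of Linux-PAM's four keyword control flags.
# The stack below is constructed for illustration, not taken from the page.
SSHD_AUTH_STACK = """
# local accounts first, then RADIUS, then deny everything else
auth sufficient pam_unix.so
auth sufficient pam_radius_auth.so
auth required   pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module)] for each non-comment 'auth' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (PAM_SUCCESS) or False (an error).
    Returns (authenticated, modules_called_in_order)."""
    called = []
    required_failed = False   # a 'required' failure is remembered to the end
    succeeded = False         # some module has voted for success
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if control == "requisite":
            if not ok:
                return False, called      # fail immediately, skip the rest
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True    # keep going, but the stack will fail
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called       # succeed immediately, skip the rest
        elif control == "optional":
            succeeded = succeeded or ok   # failure is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (succeeded and not required_failed), called

if __name__ == "__main__":
    stack = parse_stack(SSHD_AUTH_STACK)
    radius_only = {"pam_unix.so": False, "pam_radius_auth.so": True, "pam_deny.so": False}
    print(evaluate(stack, radius_only))
```

The order of the lines matters: a `sufficient` module placed above a `required` check ends the stack before that check runs, while a `required` failure above it is never overridden.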