Authentication in Unix/Linux environments has been forced to evolve in order to meet the needs of an evolving networking model. In the beginning, we had a centralized model where a big computer provided services to a lot of terminals connected through serial lines. In this scenario, authentication and authorization information was stored in text files under the /etc directory. These files (commonly /etc/passwd, /etc/shadow and /etc/group) are still used in simple installations involving just a few computers (single workstations, small home networks, ...).
However, as computing power became cheaper, terminals were progressively abandoned in favor of full-blown computers. The flat-file system became obsolete, as the creation or modification of a user implied modifying these files on every computer in the network. This is where NIS (Network Information Service) appeared, developed by Sun Microsystems for their Solaris operating system, providing a central server where all this information was stored. NIS+ appeared as an evolution of NIS, with a complete redesign of the system. NIS and NIS+ are no longer developed, and Solaris 9 will be the last version of the operating system that supports NIS and NIS+ by default.
However, losing the security provided by physical direct serial links presented new and significant problems, especially the need for secure interactions in an untrusted environment. In 1983, the Massachusetts Institute of Technology (MIT) embarked on a large-scale network project named Athena, which faced exactly these problems; Kerberos was developed to overcome them. Kerberos is a network authentication protocol, designed to provide strong authentication for client/server applications by using secret-key cryptography.
Another piece that comes into play when talking about authentication services is LDAP (Lightweight Directory Access Protocol). LDAP is a standard for a directory access protocol, derived from the much more complicated and expensive-to-implement X.500. The relative simplicity of the protocol has led to the wide availability of LDAP servers, including open-source solutions such as OpenLDAP. The possibility of storing information in a centralized directory has made LDAP servers a common piece of the authentication infrastructure found in networks with more than a few computers.
In addition to this, Unix and Linux systems provide the PAM (Pluggable Authentication Modules) service. This service provides a standard method for configuring authentication systems on Unix and Linux operating systems. Different PAM modules can be used to provide different methods of authenticating a user and obtaining account information from several sources (flat files, NIS/NIS+, Kerberos, LDAP, whatever you may imagine as long as you provide a suitable module). Commonly used in combination with PAM is NSS (Name Service Switch). This service controls how a client machine or application obtains network information. In particular, it controls the source from which a machine obtains the authorization information for a user trying to log in (user ID, the groups the user belongs to).
At this point we have presented (almost) all the pieces that will take part in our desired authentication infrastructure. We intend to set up a central authentication server which holds, using Kerberos and LDAP, all the authentication and authorization information for the users of our network. Every computer in our network will be configured using PAM and NSS so that authentication and authorization are performed against this central server. This HOWTO intends to provide a guide to installing and configuring a central authentication server using Kerberos, LDAP, PAM and NSS. A tutorial on Kerberos, LDAP, PAM or NSS is out of the scope of this HOWTO, so at least a basic knowledge of them is required in order to understand the concepts and steps explained here. Should you need more information about these topics, feel free to browse the links provided at the end of this HOWTO.
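To make the division of labour concrete before the installation chapters, the following fragments show how NSS and PAM on a client would be pointed at such a server: NSS fetches account and group data from the flat files and the LDAP directory, while PAM checks passwords against Kerberos. This is an added illustration, not the HOWTO's own configuration; it assumes the pam_krb5.so and pam_ldap.so modules are installed and uses Gentoo's /etc/pam.d/system-auth as the stack that the login services include.

```text
# /etc/nsswitch.conf (fragment)
# NSS answers "which user is this, and which groups does it belong to?":
# look in the local flat files first, then in the LDAP directory.
# Kerberos plays no role here, since it holds no account or group data.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

# /etc/pam.d/system-auth (fragment; assumes pam_krb5.so and pam_ldap.so)
# PAM answers "is this really that user, and may it log in right now?".
#
# auth: local accounts are checked against /etc/shadow; everybody else must
# obtain a ticket from the central Kerberos KDC. The closing pam_deny.so
# makes the stack fail closed when no module explicitly succeeded (for
# instance because the KDC is unreachable or the user is unknown).
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

# account: validity of the account (expiry, access restrictions) comes from
# the local files or from the LDAP directory, again failing closed.
account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so

# session: pam_krb5.so stores the ticket obtained during auth in a
# credential cache, so Kerberized services can be reached without
# retyping the password.
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so
```

The password management group is left out of the fragment because where password changes go (the Kerberos database rather than /etc/shadow) is covered when the server is set up.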
We will be using Gentoo Linux, our distribution of choice, to implement the central authentication server. However, the concepts and configuration files presented here can be used with little change on any other Linux distribution.
This document, Central authentication server HOWTO, is copyrighted (c) 2004 by Jose González Gómez and licensed under a Creative Commons License, specifically under an Attribution-NonCommercial-ShareAlike license.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.
In this document, I have the pleasure of acknowledging:
Luis Daniel Lucio Quiroz for his kind comments
Peter Prohaska for his kind comments
Feedback is most certainly welcome for this document. Send your additions, comments and criticisms to the following email address: <jgonzalez@opentechnet.com>.