[KLUG Members] Security setup ...

Adam Tauno Williams adam at morrison-ind.com
Wed Apr 20 11:57:40 EDT 2005


> > what is
> > your current distro of choice?
> "Dealing" with Debian (Sarge) for right now, but as our Electronic Software
> Distribution tools continue to develop, we will probably simply download
> source  for everything we need and cook our own. Various politics / slop 
> around the  Debian community are getting a bit annoying. Yet for the most 
> part there  does not exist the tone of things not working between releases 
> of Debian as compared to Adam mentioning that, I believe it was LDAP, does
> not mesh well between SuSE releases. If Debian started that kind of slop
> then we would be OUTTATHERE!

Since 9.2 SuSE has cleaned up its act a lot, and initially looking at 9.3 it has
gotten even better - in regards to LDAP/OpenLDAP.

We use LDAP (obviously) a lot; our DNS, our DHCP, etc... all runs on top of
LDAP. This was a hack in 9.0, 9.1, but was built into both DNS and DHCP
packages for 9.2. The DHCP server has a crashing problem when using LDAP but
contacting SuSE I got through to the LDAP-guy (we don't have support or
anything) and the bug was fixed and a new package issued in ~48 hours. They
have builds of the latest OpenLDAP releases usually within a few days of the
release announcement, even the 2.3.0alpha branch. Something has really lit a
fire under them in terms of LDAP support; so any past criticism of SuSE on that
front has been rescinded.

I don't yet know if their 9.3 SASL packages contain the ldapdb connector for
use with the proxy-authz for DIGEST authentication.

> I believe Gentoo is the source based one that also caught our interest, just
> not on any boxes at this time.

This everything-built-from-source approach is something I just don't get. It
seems to just introduce room for a lot more bugs - compilation/packaging can as
easily introduce problems as can bad code.

> > and my
> > desktops are behind a firewall anyway
> In a small controlled environment, that might be adequate security. In the
> "real world" where people hand install things on their non locked down
> computers, or people bring laptops in and out, it is not safe to consider
> perimeter security sufficient.

True, but I think EAP/TLS is the real answer for this - just keep unauthorized
boxes off the net.  But other than XP not much supports it.
