OpenBSD Journal

Ask Undeadly: User authentication reverse proxy

Contributed by merdely on from the backward-medical-school-is-scary dept.

Jared Solomon asks Undeadly:

I'm stuck at a backward medical school -- we don't have a proxy server to authenticate off campus students to use the library electronic resources. I've made a proposal for an OpenBSD/Squid/NTLM system, but with exams, and being a couple of years out of the BOFH game, I'm not getting as far as I'd like.

Help!

(Comments are closed)


Comments
  1. By bofh_hannibal (85.10.196.173) on

    Hi,

    so, I could help if you would.
    What do you need exactly?

    bofh - call rtfm

  2. By Anonymous Coward (142.205.240.4) on

    Bit of an abstract Undeadly posting. What specifically do you need help with? Marketing OpenBSD? A nice fancy, easy tutorial that you can throw at them?

    Comments
    1. By Jared (69.57.241.219) jjsolomon@gmail.com on

      > Bit of an abstract Undeadly posting. What specifically do you need help with? Marketing OpenBSD? A nice fancy, easy tutorial that you can throw at them?

      Mostly a nice fancy, easy tutorial. The IT wonks here are generally a Windows/Mac shop and I'm unfamiliar with the options on those two platforms.

      Generally what I'm wanting is a service that will hit their existing Windows authentication service (XP, NTLM, primary domain controller) to authenticate and allow students to use a few sites only available from campus, e.g. Up-to-date, and some other research subscription resources. I thought about a VPN, but writing instructions capable of being understood by 1300 students is something I'm not sure I can do for a VPN.

      I looked at authpf, and if it will do it on its own that will be great. I just couldn't find the right things when I was doing some web searches for a reverse proxy (out to in, not in to out).

      Comments
      1. By Anonymous Coward (216.68.196.45) on

        re: '...service...and some other research subscription resources.'

        Caution: IANAL (I Am Not A Lawyer), but Copyright cops are just looking to sue somebody, and make an example out of them.

        I don't think it is wise to get involved with this effort, you apparently are not qualified to handle the IT, as you mean, and if any misuse, grr.

        Fair use is scary. I read about a Major law firm that only purchased 2 copies of a subscription, then claimed fair use, and made some extra copies around the office. Sued, settled, whatever, but $500,000 mistake. Ouch.

        Licensing of service as you might wish might exceed access. Heck, if any security issues happen, you will be blamed.

        Get stuff in writing by heads of department if you do whatever, even still, IANAL.

        Hate to rain on your effort, but do you want to risk your bright future on current IT 'problems?' Also, lots of free med info out there, Pubmed, etc... Maybe just some organization and referencing to your local resources. Think outside of the box.

        Best of luck.

        Comments
        1. By Anonymous Coward (69.3.44.234) on

          Folks in the field need access to the primary literature. Pubmed isn't enough. It's just the way to find the citations for the primary literature to go and get.

          Most med schools (I'm at one) usually have VPN set up to allow for this. It's pretty standard.

    2. By vext01 (194.66.67.39) on

      > Bit of an abstract Undeadly posting. What specifically do you need help with? Marketing OpenBSD?

      There were some leaflets floating around at OpenCON that might do well as "marketing" material. Is there a PDF of them some place he can use?

      Regards

  3. By Joe Price (75.144.71.81) on

    Kind of vague, but it sounds like you already have the answer. Use squid in accelerator mode (reverse proxy) with SSL on either the surrogate server (the backend server, I think that's what they call it) or SSL it using squid - do HTTP basic auth over the wire and you can authenticate with whatever backend system you want.

  4. By jlf (66.10.26.253) on

    Many universities already use, and e-Government programs are beginning to use, Shibboleth for recognizing federated credentials (PKI or password-based), including single sign-on. Shibboleth makes use of the Security Assertion Markup Language (SAML). I haven't had the chance to see if OpenSAML compiles on an OpenBSD box.

    The above is what is recommended for a long-term solution for web-based access, and it allows each participating school to issue their own credentials. However, it sounds like you're looking for something quicker to implement, and perhaps your school is the credential issuer. In that case OpenVPN with the terminating end-point on an OpenBSD firewall might work. Configuring and deploying Microsoft clients are easy enough too.

    Comments
    1. By Anonymous Coward (24.37.242.64) on

      > The above is what is recommended for a long-term solution for web-based access, and it allows each participating school to issue their own credentials.
      > However, it sounds like you're looking for something quicker to implement, and perhaps your school is the credential issuer.
      > In that case OpenVPN with the terminating end-point on an OpenBSD firewall might work.
      > Configuring and deploying Microsoft clients are easy enough too.

      I completely agree on OpenVPN and how easy it is to distribute custom, user-installable, pre-configured MSI packages for the MS clients; other OSes are easily supported with OpenVPN too.

  5. By Marc Balmer (2001:8a8:1001:0:216:76ff:fe72:356c) on

    so we use undeadly.org as a support forum? Can't such stay on the mailing lists?

    Comments
    1. By Anonymous Coward (24.37.242.64) on

      > so we use undeadly.org as a support forum? Can't such stay on the mailing lists?
      >

      I for one, and I'm sure many others too, don't follow the mailing list and if I search them, then it's only for something specific that I would be looking for. I think this is good to hear people's feedback on such posts/questions and for others to share and collaborate ideas.

      But in regards to your first sentence, I think a separate 'forum' on undeadly would be nice and would be better suited to be there than the main page.

      Just my $0.02.

      Comments
      1. By Anonymous Hero (142.205.240.4) on

        > > so we use undeadly.org as a support forum? Can't such stay on the mailing lists?
        > >
        >
        > I for one, and I'm sure many others too, don't follow the mailing list and if I search them, then it's only for something specific that I would be looking for. I think this is good to hear people's feedback on such posts/questions and for others to share and collaborate ideas.
        >
        > But in regards to your first sentence, I think a separate 'forum' on undeadly would be nice and would be better suited to be there than the main page.
        >
        > Just my $0.02.
        >

        If you want a forum, then bsdforums.org has a nice, helpful community. If for some reason you don't want to use the mailing lists, then you can use bsdforums.org. I like to poke about both, personally.

        Comments
        1. By Anonymous Coward (24.37.242.64) on

          > > > so we use undeadly.org as a support forum? Can't such stay on the mailing lists?
          > > >
          > >
          > > I for one, and I'm sure many others too, don't follow the mailing list and if I search them, then it's only for something specific that I would be looking for. I think this is good to hear people's feedback on such posts/questions and for others to share and collaborate ideas.
          > >
          > > But in regards to your first sentence, I think a separate 'forum' on undeadly would be nice and would be better suited to be there than the main page.
          > >
          > > Just my $0.02.
          > >
          >
          > If you want a forum, then bsdforums.org has a nice, helpful community. If for some reason you don't want to use the mailing lists, then you can use bsdforums.org. I like to poke about both, personally.

          Last I checked, the latest version of OpenBSD was 3.8 on there and postings seem to be from 2006, we're almost 2008. Otherwise, seems like it would be good if it were maintained but would be better with less of a 'FreeBSD' look and feel to it. =)

          Comments
          1. By tedu (38.99.3.113) on


            > > If you want a forum, then bsdforums.org has a nice, helpful community. If for some reason you don't want to use the mailing lists, then you can use bsdforums.org. I like to poke about both, personally.
            >
            > Last I checked, the latest version of OpenBSD was 3.8 on there and postings seem to be from 2006, we're almost 2008. Otherwise, seems like it would be good if it were maintained but would be better with less of a 'FreeBSD' look and feel to it. =)

            If you actually go to the forums you will see they are current.

    2. By Anonymous Coward (193.63.217.208) on

      > so we use undeadly.org as a support forum? Can't such stay on the mailing lists?
      >

      Not everyone reads the lists and it's not like a flood of Ask Undeadly articles is likely to sweep the others off the front page. If an article doesn't interest you, skip it.

      Comments
      1. By Anonymous Coward (206.248.190.11) on

        > > so we use undeadly.org as a support forum? Can't such stay on the mailing lists?
        > >
        >
        > Not everyone reads the lists and it's not like a flood of Ask Undeadly articles is likely to sweep the others off the front page. If an article doesn't interest you, skip it.

        That's what they said about the stupid ports postings too. But look at the site now, its almost entirely useless crap like that.

        Comments
        1. By Mike Erdely (merdely) on http://erdelynet.com/

          > That's what they said about the stupid ports postings too.
          > But look at the site now, its almost entirely useless crap like that.

          Too bad all you cowards do is run your mouth instead of contribute to Undeadly's content.

          Comments
          1. By Anonymous Coward (206.248.190.11) on

            > > That's what they said about the stupid ports postings too.
            > > But look at the site now, its almost entirely useless crap like that.
            >
            > Too bad all you cowards do is run your mouth instead of contribute to Undeadly's content.

            Go back to slashdot you whiner.

            Comments
            1. By Anonymous Coward (71.139.239.77) on

              > > > That's what they said about the stupid ports postings too.
              > > > But look at the site now, its almost entirely useless crap like that.
              > >
              > > Too bad all you cowards do is run your mouth instead of contribute to Undeadly's content.
              >
              > Go back to slashdot you whiner.

              Uh, you do realize ME's been contributing more than you have, right? But since you're putting enough effort to spam mods, I'm sure the community would be happy to see your contributions.

  6. By Anonymous Coward (2001:16d8:ff55:1:215:ff:fe29:12a3) on

    Yeah... this is what happens when you choose your tools and the solution before you know what the problem to be solved is.

  7. By TylerEss (69.42.249.191) on

    I know this isn't an OpenBSD-centric suggestion, but many many schools and universities use this http://www.ezproxy.com/ for exactly what you describe and don't get sued for it. Unless they've got someone to maintain it, a homegrown solution based upon OpenBSD (or anything else) is going to be less-than-ideal because if it breaks they've got no recourse.

    A canned app might not be as good, but it's at least got an 800 number to call when trouble occurs.

    Comments
    1. By Chris Kuethe (129.128.11.75) ckuethe@ualberta.ca on

      > I know this isn't an OpenBSD-centric suggestion, but many many schools and universities use this http://www.ezproxy.com/ for exactly what you describe and don't get sued for it.

      I'm unimpressed by our installation of ezproxy. Then again, we have the infrastructure (i.e. Kerberos) to support centralized authentication, and the expertise to make this work w/ openbsd. But I still hear the occasional complaint about ezproxy, and I shrug and tell the user who they should be complaining to (not me).

  8. By Anonymous Coward (121.44.65.82) on

    A: Sending real internal auth as NTLM or basic from the cloud is a stupid idea.

    B: Squid to AD from winbind is sucks bad on Linux, sucks even worse on OpenBSD

    C: That Gauntlet style crap is yesterday's solution, today we use AuthPF or VPN.

    D: Spend five minutes on Google before asking these sorts of questions.

    Comments
    1. By Jared (69.57.241.219) on

      > A: Sending real internal auth as NTLM or basic from the cloud is a stupid idea.
      >
      > B: Squid to AD from winbind is sucks bad on Linux, sucks even worse on OpenBSD
      >
      > C: That Gauntlet style crap is yesterday's solution, today we use AuthPF or VPN.
      >
      > D: Spend five minutes on Google before asking these sorts of questions.

      I did spend 5 minutes on Google. Then, exams happened. Next time I'll write please in all caps seven times to make you happy.

  9. By Anonymous Coward (71.112.37.6) on

    Without knowing exactly what you want to do, you can do the following:

    o OpenVPN* -- I've been told it works well (a guy who works for me uses it from home as well as between his cube and the lab; he swears by it as well as a few other people as well). I don't really see it scaling for the home user since there's undoubtedly client installation issues that'll drive you bats***. I'm not sure how well it does with the kiosk (AKA -- VPNing in from Starbucks at Barnes and Noble) use case.
    o IPSec -- works really well and is generally performant and scalable (NB: at the high end, you'll probably get encryption hardware support on the server which seriously helps performance and scalability; same thing's true for the SSLVPN solutions as well). I'm not sure what the gold standard is in this space for authentication and authorization but I'd bet it's pretty high. That said, it would be a great solution if deploying it to the client didn't blow goats. From my perspective, it's good for the datacenter to datacenter area or a hub'n'spoke installation from the branch office.
    o SSLVPN solutions from, say, F5, Juniper, Aventail or Citrix. They're mad easy to deploy and generally work pretty well (some vendors allow you more than a straight Layer3 solution and provide customizable application proxies; not my personal favorite feature). Currently, their primary downside is scalability and performance at the low end since they don't have sophisticated SSL implementations. Talking about sh** I barely understand, I understand most vendors have good PKI and AD support since it's pretty much an ante for the business (I work in a related business that currently has substantially less demanding authentication and authorization requirements). That said, if you've any DC-DC reqs or satellite offices involved, you'll need to plan for additional infrastructure unless your needs are minimal since these aren't designed for this sort of access.
    o I'm honestly unsure of the open source choices available beyond OpenVPN. I suspect you could put something together but your users will hate it if it doesn't have some sort of single sign on support (in my *limited* experience, non-trivial with opensource stuff since it's even less sexy than working on an installer so current offerings bite) while your follow-on maintainers will hate you if you put something together on the cheap without documenting the sh** out of it and future-proofing the design for scalability (NB: this is true no matter what solution you take but can be especially problematic for home-grown solutions).

    *Last time I looked at it, OpenVPN was actively against deployment via the browser. If their ideology's changed, client installation issues should be manageable.

  10. By rcoder (134.10.15.8) rcoder@gmail.com on http://rcoder.net/

    Generally, unless you really want to be caching the traffic passing over your proxy, I find Apache + mod_proxy to be easier to set up and administer. In your case, it sounds like what you really want is just an authenticated gateway, not a full-featured proxy.

    At the university where I work, we use a Linux-based Apache/mod_proxy setup that authenticates using Cosign, which is a very nice Kerberos-backed single-sign-on module that integrates into the normal Apache auth module stack.

    OpenBSD is fairly well-supported by Cosign, and using it means that most users will be prompted at most once per day for their password, without having to let their browser save their login password.

      Basically, Cosign emulates the underlying Kerberos model of having users send their password only to a single trusted login host, then getting a short-lived local "ticket." That ticket can then be passed to other servers for authentication without letting them see your password.

    Under no circumstances should you use NTLM auth; that's a recipe for password-sniffing, and increasingly being deprecated even in all-MS shops.

    Check out http://weblogin.org/ if you want to know more about Cosign.
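The authenticated "out to in" gateway that Joe Price (comment 3) and rcoder (comment 10) describe, written out as an added Apache 2.2+ (mod_proxy) configuration that is not part of this thread or of any poster's setup. Hostnames, the LDAP base, the service-account DN and the certificate paths are hypothetical, and Active Directory over LDAPS stands in for the Cosign/Kerberos module rcoder mentions.

```apache
# Added example: Apache httpd as an authenticated reverse proxy in front of a
# campus-only subscription site. Hypothetical names: the proxy is
# library-proxy.example.edu, the backend is journals-backend.campus.example.edu,
# accounts live in the campus Active Directory reached over LDAPS.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_ldap,
# mod_authnz_ldap, mod_headers.

# Never act as an open forward proxy; only the explicit ProxyPass rules apply.
ProxyRequests Off

# Plain HTTP serves nothing: redirect to TLS so credentials never cross the
# wire in the clear (the thread's objection to basic auth is about that case).
<VirtualHost *:80>
    ServerName library-proxy.example.edu
    Redirect permanent / https://library-proxy.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName library-proxy.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/ssl/library-proxy.crt
    SSLCertificateKeyFile /etc/ssl/private/library-proxy.key
    # The backend is itself HTTPS, so the proxy must speak TLS outbound too.
    SSLProxyEngine on

    <Location />
        # Refuse to serve this location without TLS, whatever vhost matched.
        SSLRequireSSL

        # Authenticate against the existing Windows domain (AD over LDAPS).
        AuthType Basic
        AuthName "Library off-campus access"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://dc1.campus.example.edu/DC=campus,DC=example,DC=edu?sAMAccountName?sub?(objectClass=user)"
        # Low-privilege lookup account used only to search for the user's DN.
        AuthLDAPBindDN "CN=proxy-lookup,OU=Service Accounts,DC=campus,DC=example,DC=edu"
        AuthLDAPBindPassword "REPLACE-WITH-SECRET-FROM-YOUR-SECRET-STORE"
        # Only members of the students group may use the gateway.
        Require ldap-group CN=students,OU=Groups,DC=campus,DC=example,DC=edu

        # Forward authenticated requests to the campus-only resource and
        # rewrite Location headers so the browser stays on the proxy.
        ProxyPass        https://journals-backend.campus.example.edu/
        ProxyPassReverse https://journals-backend.campus.example.edu/
        # Do not leak the student's domain credentials to the backend site.
        RequestHeader unset Authorization
    </Location>

    # Log the authenticated user (%u) so misuse of licensed content is traceable.
    LogFormat "%h %u %t \"%r\" %>s %b" proxyaudit
    CustomLog /var/www/logs/library-proxy-access.log proxyaudit
</VirtualHost>
```

The `RequestHeader unset Authorization` line matters because the backend would otherwise receive the student's real domain password on every request.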

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]