I've now read several posts discussing the security of Alpine Linux versus other Linux distributions, with a lot of the arguments boiling down to whether it's better to have a less-used but smaller footprint (Alpine) or a very widely-used but larger footprint (e.g. Debian) distribution, such as that discussed here. Personally, I don't buy that there's no security advantage in having a smaller libc (musl) - it's well-documented, after all, that larger code bases lead to more bugs, although that's at least partially balanced out by the sheer number of users that are on glibc. The small footprint has definitely been attractive to me up until now, but the difficulty of trying to get software on it has definitely made things more frustrating. Things came to a head when I was looking at better domain integration after finding that I was having some more difficulty generating a keytab on Windows Server systems, at which point I figured I could do better (something I was unable to get working on Alpine Linux).
As such, I've decided to shift over to Debian, after finding that it gets me an okay footprint (1.5 GB with swap and a bit of usable free space), although it's (not surprisingly) still larger than Alpine Linux (1 GB with swap and some usable free space). But, it's considerably smaller than what CentOS or Ubuntu can offer, particularly if only picking the "SSH server" but not the "standard system utilities" and disabling recommend packages after installation:
APT::Get::Install-Suggests "false";
I initially had a bunch of text cribbed from here about setting up libpam-krb5 for authentication/authorization, and it actually works reasonably well, although involves a number of a steps, a few of them more fiddly than I'd like. And it turns out that realmd does all this in a simpler way (at a cost of 100MB over the libpam-krb5 option). As a result, domain integration is a matter of installing a laundry list of packages:
In order to tweak a few settings, create a simple configuration file:
default-home = /home/%U
[<domain>]
fully-qualified-names = no
And then add the system to the domain:
Enable GSSAPI authentication for SSH:
GSSAPIAuthentication yes
...
And restart sshd:
We want to ensure that users have home directories on login, so tweak the PAM config, enabling "Create home directory on login":
But, the default permissions for creating a home directory are awful (umask 0022), so tweak the result to be more sane:
session optional pam_mkhomedir.so umask=0077
...
And finally, to limit the users who should have login access:
$ realm permit -g <groups>
As a final note, ESXi integration is still available via open-vm-tools.