From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Date: Mon, 8 Sep 2003 16:10:45 -0600
Subject: Re: nis security
Message-ID: <20030908161045.C11841@seekingfire.com>
References: <200309082359.07548.ajacoutot@lphp.org>
In-Reply-To: <200309082359.07548.ajacoutot@lphp.org>; from ajacoutot@lphp.org on Mon, Sep 08, 2003 at 11:59:04PM +0200
User-Agent: Mutt/1.2.5.1i
List-Id: User questions (freebsd-questions@freebsd.org)

On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
> I'm building a new network for my company.

Right on!

> I need centralized authentication and looked after LDAP to achieve this.

It's a good thing you're designing this /now/ rather than trying to graft it on later. It's not as simple as it seems.

> Unfortunately, there are 2 points that make me wonder the good use of it:
> 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
> 2. I really don't feel confident with LDAP

For many networks LDAP can be overkill.

> So, I was thinking about using NIS instead, with which I feel much more
> confident. I understand it is really not secure, so I was looking about more
> information on this: why is it unsecure, does it send password in clear text?

No, but it sends them in an easily broken format. It's exactly the same situation as a DES /etc/passwd file in the days before master.passwd/shadow passwd files. This can be fixed by combining NIS with Kerberos.

Another large problem is that clients used to "broadcast" for NIS servers and trust the first server to answer. This can be fixed by telling the clients to contact only specific servers for NIS information.

> Does anyone know a solution for securing NIS, using ssh or encrypted tunnels
> or anything... I am open to any new idea :)

IPsec can fix the network sniffing problem, though Kerberos can do that as well and comes with many other advantages. I'm a bit biased, however: I use NIS with Kerberos and think it's the cat's pajamas :-)

-T

--
To give your sheep or cow a large spacious meadow is the way to control him.
Shunryu Suzuki
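The "easily broken format" point above, as an added audit example that is not part of the thread: a small Python script that classifies the password field of each entry in a `ypcat passwd`-style dump, so an administrator can see which accounts hand any NIS client (or anyone on the wire) a crackable DES hash versus a shadowed or locked entry. The sample map, account names and function names are constructed for this example.

```python
import re

# Constructed sample of what a NIS server hands out when the passwd map
# still carries hashes (fake accounts, fake hashes).
SAMPLE_PASSWD_MAP = """\
alice:abJnggxhB/yWI:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
svc:x:1004:1004:Service:/nonexistent:/usr/sbin/nologin
"""

# Traditional crypt(3): 2-char salt + 11 chars, alphabet [./0-9A-Za-z]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field: str) -> str:
    """Classify the password field of one passwd-map entry."""
    if field in ("*", "!", "*LK*"):
        return "locked"
    if field == "x":
        return "shadowed"      # hash kept in a separate, restricted map
    if field == "":
        return "empty"         # no password at all: worse than a weak hash
    if DES_CRYPT.match(field):
        return "des"           # 8-char limit, fast to brute force offline
    if field.startswith("$1$"):
        return "md5"
    if field.startswith(("$5$", "$6$")):
        return "sha-crypt"
    return "unknown"

def audit_passwd_map(text: str) -> dict:
    """Return {username: classification} for every entry in the dump."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            result[fields[0]] = "malformed"
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result

def exposed_accounts(text: str) -> list:
    """Accounts whose hash the map gives away to anyone who can query it."""
    crackable = {"des", "md5", "sha-crypt", "unknown", "empty"}
    return sorted(u for u, c in audit_passwd_map(text).items() if c in crackable)
```

Run it against a real `ypcat passwd` dump to see whether the map should be moved behind a shadow/master map or the whole exchange put under Kerberos or IPsec, as the reply suggests.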