Date: Sat, 13 Sep 2003 17:01:31 +0200
From: Guy Van Sanden <n.b@myrealbox.com>
To: Tillman Hodgson <tillman@seekingfire.com>, freebsd-questions@freebsd.org
Subject: Re: nis security (DES passwords)
Message-ID: <1063465291.9570.2.camel@cronos.home.vsb>
In-Reply-To: <20030912070057.E13273@seekingfire.com>
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com> <42065386.1063047726@[192.168.10.11]> <20030908181529.P11841@seekingfire.com> <1063359316.2838.18.camel@cronos.home.vsb> <20030912070057.E13273@seekingfire.com>

I was looking around for this, and I found that Kerberos uses DES
encryption, John (on my system) reports it rather weak:

Benchmarking: Standard DES [24/32 4K]... DONE
Many salts:     151603 c/s real, 169200 c/s virtual
Only one salt:  152806 c/s real, 155607 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     5750 c/s real, 5940 c/s virtual
Only one salt:  5630 c/s real, 5721 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  143462 c/s real, 153271 c/s virtual
Long:   377600 c/s real, 394979 c/s virtual

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw:    1080115 c/s real, 1125120 c/s virtual

I'm now using MD5 passwords in NIS.
Yet it seems the consensus that Kerberos is secure, am I missing
something?

On Fri, 2003-09-12 at 15:00, Tillman Hodgson wrote:
> On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> > On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > > The rough instructions are fairly simple:
> > >
> > > * Set up Kerberos and ensure you have a working realm
> > > * Set up NIS, but set all the passwd fields to something that doesn't
> > >   map to a real password (I like 'krb5', others like '*')
> > >
> > > That's about it. It works because authentication in a Kerberized world
> > > doesn't check the password field in the NIS maps anyway (or the
> > > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > > break for users that aren't local, but I consider the incentive to
> > > replace them a benefit :-)
> >
> > Do you have some links to websites or so that you used to set this up?
>
> Not really. Kerberos and NIS are both in the Handbook, and as I
> mentioned above I just changed the /var/yp/master.passwd that NIS was
> working off of to have 'krb5' in the password field.
>
> A quick bit of Google spelunking dug up some references but no
> "HowTos". The RedHat Security Guide mentions it explicitly in the NIS
> section, for example.
>
> > I'm very interested in this setup, with the added complication that the
> > clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> > (5.0).
>
> Normally NIS is a pain between different Unix implementations (due to
> the different passwd designs such as DES vs. MD5). When using Kerberos
> to handle the authentication, those problems go away. On the other
> hand, you get to learn how to install NIS and Kerberos on multiple
> operating systems :-)
>
> -T
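
Added example, not part of the original message or written by anyone in the thread: a check of which hash format each password field in a master.passwd-style NIS source file uses, so that entries still carrying a DES-based hash (or any real hash, in the Kerberized setup quoted above) can be found. The policy sets, function names and sample entries are assumptions constructed for illustration.

```python
import re

# Password-field formats, checked in order. "des" and "bsdi-des" are the
# Standard DES and BSDI DES formats from the benchmark in the message.
FORMATS = [
    ("md5", re.compile(r"^\$1\$")),
    ("blowfish", re.compile(r"^\$2[a-z]?\$")),
    ("bsdi-des", re.compile(r"^_[./0-9A-Za-z]{19}$")),
    ("des", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

# Policies (assumptions for this example, not from the thread's authors).
KERBERIZED = {"placeholder", "locked"}          # no real hash in the map
MD5_IN_NIS = KERBERIZED | {"md5", "blowfish"}   # DES-based hashes rejected


def classify(field):
    """Name the format of one master.passwd password field."""
    if field == "":
        return "empty"
    if field.startswith("*"):
        return "locked"
    for name, pattern in FORMATS:
        if pattern.search(field):
            return name
    return "placeholder"  # e.g. 'krb5': matches none of the formats above


def audit(text, allowed):
    """Return (user, format) for each entry whose format is not allowed."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 10 or parts[0].startswith(("#", "+", "-")):
            continue  # skip comments, NIS +/- entries, malformed lines
        kind = classify(parts[1])
        if kind not in allowed:
            findings.append((parts[0], kind))
    return findings


# Constructed sample in master.passwd layout; the hashes are made up.
SAMPLE = """\
alice:abJnggxhB/yWI:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:krb5:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:_J9..K0AyUubDrfOgO4s:1005:1005::0:0:Erin:/home/erin:/bin/sh
"""

if __name__ == "__main__":
    for user, kind in audit(SAMPLE, KERBERIZED):
        print(f"{user}: {kind} hash present in NIS map")
```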