Date:      Sun, 20 Apr 1997 00:54:39 -0700
From:      "Michael L. VanLoon -- HeadCandy.com" <michaelv@MindBender.serv.net>
To:        "Kevin P. Neal" <kpneal@pobox.com>
Cc:        Alex Belits <abelits@phobos.illtel.denver.co.us>, Vinay Bannai <vinay@agni.nuko.com>, freebsd-hackers@freebsd.org, freebsd-isp@freebsd.org
Subject:   Re: Need a common passwd file among machines 
Message-ID:  <199704200754.AAA21517@MindBender.serv.net>
In-Reply-To: Your message of Sun, 20 Apr 97 03:27:29 -0400. <1.5.4.32.19970420072729.00975ec4@mindspring.com> 


>At 11:05 PM 4/19/97 -0700, Alex Belits wrote:
>>P.S. Is there any existing thing or at least an idea of making one that
>>does this thing nicer? NIS is based on rather dumb idea that to
>>authenticate local user one will want to go to some server and ask him
>>instead of IMHO more sane approach of distributing authentication
>>information from that server to always perform authentication locally and
>>never depend on some host being accessible at the time of user's login.
>
>This doesn't scale.
>Well, not really.

It doesn't scale at all.

>At NCSU they use Hesiod+Kerberos to handle logins. This way they don't have
>to keep I don't know how many hundred or thousand machines /etc/passwd files
>current.
>Also, they don't have passwords going on the wire in the clear -- the passwords
>are handled in a safe manner by Kerberos. Along with this is the fact that
>passwords are *never* stored on client machines -- a security bonus.
>This is much saner than distributing /etc/passwd files everywhere, IMHO.

It's a proven model that works well.  Iowa State was (is) doing the
same thing.  Over 20,000 user accounts.  Trust me, you don't want a
local passwd file with 20,000 users in it.  (Actually, I believe
they're over 30,000 now.)  I'd hate to see a site with a couple
hundred thousand accounts set up like that...

Hesiod distributes this really nicely.  And Kerberos is about as
secure as Unix can get.  Together, they work way better than NIS.
Look for information on these, or Project Athena, for more info.

-----------------------------------------------------------------------------
  Michael L. VanLoon                           michaelv@MindBender.serv.net
        --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...
-----------------------------------------------------------------------------


