From owner-freebsd-hackers Sun Apr 20 00:55:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA10346 for hackers-outgoing; Sun, 20 Apr 1997 00:55:07 -0700 (PDT)
Received: from mx.serv.net (mx.serv.net [199.201.191.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA10341; Sun, 20 Apr 1997 00:55:03 -0700 (PDT)
Received: from MindBender.serv.net by mx.serv.net (8.7.5/SERV Revision: 2.30) id AAA07993; Sun, 20 Apr 1997 00:55:01 -0700 (PDT)
Received: from localhost.HeadCandy.com (michaelv@localhost.HeadCandy.com [127.0.0.1]) by MindBender.serv.net (8.7.5/8.7.3) with SMTP id AAA21517; Sun, 20 Apr 1997 00:54:39 -0700 (PDT)
Message-Id: <199704200754.AAA21517@MindBender.serv.net>
X-Authentication-Warning: MindBender.serv.net: Host michaelv@localhost.HeadCandy.com [127.0.0.1] didn't use HELO protocol
To: "Kevin P. Neal"
cc: Alex Belits , Vinay Bannai , freebsd-hackers@freebsd.org, freebsd-isp@freebsd.org
Subject: Re: Need a common passwd file among machines
In-reply-to: Your message of Sun, 20 Apr 97 03:27:29 -0400. <1.5.4.32.19970420072729.00975ec4@mindspring.com>
Date: Sun, 20 Apr 1997 00:54:39 -0700
From: "Michael L. VanLoon -- HeadCandy.com"
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>At 11:05 PM 4/19/97 -0700, Alex Belits wrote:
>>P.S. Is there any existing thing or at least an idea of making one that
>>does this thing nicer? NIS is based on the rather dumb idea that to
>>authenticate a local user one will want to go to some server and ask him,
>>instead of the IMHO more sane approach of distributing authentication
>>information from that server to always perform authentication locally and
>>never depend on some host being accessible at the time of the user's login.
>
>This doesn't scale.

>Well, not really. It doesn't scale at all.

>At NCSU they use Hesiod+Kerberos to handle logins. This way they don't have
>to keep I don't know how many hundred or thousand machines' /etc/passwd files
>current.
>
>Also, they don't have passwords going on the wire in the clear -- the passwords
>are handled in a safe manner by Kerberos. Along with this is the fact that
>passwords are *never* stored on client machines -- a security bonus.
>
>This is much saner than distributing /etc/passwd files everywhere, IMHO.

It's a proven model that works well. Iowa State was (is) doing the same
thing. Over 20,000 user accounts. Trust me, you don't want a local passwd
file with 20,000 users in it. (Actually, I believe they're over 30,000 now.)
I'd hate to see a site with a couple hundred thousand accounts set up like
that...

Hesiod distributes this really nicely. And Kerberos is about as secure as
Unix can get. Together, they work way better than NIS.

Look for information on these, or Project Athena, for more info.

-----------------------------------------------------------------------------
  Michael L. VanLoon                                 michaelv@MindBender.serv.net
        --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...
-----------------------------------------------------------------------------