From: Tillman Hodgson
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 14:50:29 -0600
Subject: Re: unified authentication
In-Reply-To: <200309241555.30825.jesse@wingnet.net>

On Wed, Sep 24, 2003 at 03:55:30PM -0400, Jesse Guardiani wrote:
> Well, I'm currently trying to decide between these then:
>
> Kerberos
> RADIUS
> LDAP (OpenLDAP only. I don't have a proprietary LDAP solution.)
> TACACS
> pam_smb, possibly.

These aren't necessarily mutually exclusive.

> I'm ruling out NIS/NIS+ because:
> --------------------------------
> 1.) I'd like something with decent cryptography built in. That's why I conceptually
> like Kerberos.
> 2.) AFAIK, no Cisco support.

NIS (for authorization info) with Kerberos 5 (for authentication) provides decent cryptography and wide platform support. Cisco supports Kerberos.

> Once I get authentication working, how do I handle
> the creation of home directories and basic user
> files across multiple machines?
>
> Do I need to start running NFS, or is there a more
> elegant solution?

OpenAFS, very elegant solution. Unfortunately, it doesn't work on FreeBSD yet (or anymore as a client).

-T

-- 
The beauty of the democratic systems of thought control, as contrasted with their clumsy totalitarian counterparts, is that they operate by subtly establishing on a voluntary basis - aided by the force of nationalism and media control by substantial interests - presuppositions that set the limits of debate, rather than by imposing beliefs with a bludgeon.
- Noam Chomsky, _After the Cataclysm_