From: "Jacques A. Vidrine"
To: Bruce M Simpson
Cc: "Douglas K. Rand", freebsd-security@freebsd.org
Date: Tue, 9 Apr 2002 11:16:28 -0500
Subject: Re: Centralized authentication
Message-ID: <20020409161628.GK19961@madman.nectar.cc>

On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> What pam_ldap will give you is a means of securely
> verifying a user's password,

s/securely/insecurely/ unless you are using SSL to protect your LDAP
connection, and you are verifying certificates. In which case your
response time is probably not very nice.

However, the suggested approach can be modified in a useful fashion:
use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use
`*' in the password field). Use Kerberos for authentication.

Cheers,
-- 
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
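
The two conditions named in the reply above (SSL on the LDAP connection, and certificate verification) can be checked mechanically. What follows is an added example, not part of the original message or of pam_ldap itself: a Python audit of a PADL-style ldap.conf. The sample configurations, hostnames and CA path are constructed, and treating an unset tls_checkpeer as a finding is an assumption of this example.

```python
# Added example (not from the original message): audit a PADL-style
# pam_ldap ldap.conf for protected transport and certificate verification.

def parse_ldap_conf(text):
    """Return {lowercased key: value} from 'key value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return findings; an empty list means both conditions hold."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").split()
    ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    if not (ldaps or conf.get("ssl", "off").lower() in ("on", "start_tls")):
        findings.append("transport: LDAP connection is not protected by SSL/TLS")
    # Assumption: require an explicit 'yes' rather than trusting library defaults.
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("verification: tls_checkpeer is not set to yes")
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("verification: no CA certificate file or directory set")
    return findings

# Constructed sample configurations (hostnames and paths are placeholders).
PLAINTEXT = "uri ldap://ldap.example.org/\nbase dc=example,dc=org\n"
UNVERIFIED = (
    "uri ldap://ldap.example.org/\nssl start_tls\n"
    "tls_checkpeer no\ntls_cacertfile /etc/ssl/ldap-ca.pem\n"
)
HARDENED = (
    "uri ldap://ldap.example.org/\nssl start_tls\n"
    "tls_checkpeer yes\ntls_cacertfile /etc/ssl/ldap-ca.pem\n"
)

if __name__ == "__main__":
    for name, text in (("PLAINTEXT", PLAINTEXT), ("UNVERIFIED", UNVERIFIED),
                       ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```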