Date: Tue, 9 Apr 2002 16:14:11 +0000 From: Bruce M Simpson <bms@spc.org> To: "Jacques A. Vidrine" <nectar@FreeBSD.org>, "Douglas K. Rand" <rand@meridian-enviro.com>, freebsd-security@freebsd.org Subject: Re: Centralized authentication Message-ID: <20020409161410.D10593@spc.org> In-Reply-To: <20020409161628.GK19961@madman.nectar.cc>; from nectar@freebsd.org on Tue, Apr 09, 2002 at 11:16:28AM -0500 References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org> <20020409161628.GK19961@madman.nectar.cc>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Apr 09, 2002 at 11:16:28AM -0500, Jacques A. Vidrine wrote: > On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote: > > What pam_ldap will give you is a means of securely > > verifying a user's password, > > s/securely/insecurely/ > > unless you are using SSL to protect your LDAP connection, and you are > verifying certificates. In which case your response time is probably > not very nice. Correct - anyone who sets up pam_ldap without either using a local ldapi:/// or ldaps:// transport across a network is asking for trouble. Much like the chap who believed that VLANs and switches were going to make casual sniffing a thing of the past. > However, the suggested approach can be modified in a useful fashion: > use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use > `*' in the password field). Use Kerberos for authentication. Kerberos is extremely nice to have, but might be overkill for very small sites. BMS To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020409161410.D10593>