From owner-freebsd-security  Tue Apr  9  9:24: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.spc.org (insomnia.spc.org [195.224.94.183])
	by hub.freebsd.org (Postfix) with SMTP id 8184937B416
	for <freebsd-security@freebsd.org>; Tue,  9 Apr 2002 09:23:47 -0700 (PDT)
Received: (qmail 11084 invoked by uid 1031); 9 Apr 2002 16:14:11 -0000
Date: Tue, 9 Apr 2002 16:14:11 +0000
From: Bruce M Simpson <bms@spc.org>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	"Douglas K. Rand" <rand@meridian-enviro.com>,
	freebsd-security@freebsd.org
Subject: Re: Centralized authentication
Message-ID: <20020409161410.D10593@spc.org>
Mail-Followup-To: Bruce M Simpson <bms@spc.org>,
	"Jacques A. Vidrine" <nectar@FreeBSD.org>,
	"Douglas K. Rand" <rand@meridian-enviro.com>,
	freebsd-security@freebsd.org
References: <874riov1et.wl@delta.meridian-enviro.com> <20020409153029.B10593@spc.org> <20020409161628.GK19961@madman.nectar.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020409161628.GK19961@madman.nectar.cc>; from nectar@freebsd.org on Tue, Apr 09, 2002 at 11:16:28AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, Apr 09, 2002 at 11:16:28AM -0500, Jacques A. Vidrine wrote:
> On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> > What pam_ldap will give you is a means of securely
> > verifying a user's password,
> 
> s/securely/insecurely/
> 
> unless you are using SSL to protect your LDAP connection, and you are
> verifying certificates.  In which case your response time is probably
> not very nice.

Correct - anyone who sets up pam_ldap without either using a local ldapi:///
or ldaps:// transport across a network is asking for trouble.
Much like the chap who believed that VLANs and switches were going to
make casual sniffing a thing of the past.

> However, the suggested approach can be modified in a useful fashion:
> use NIS+ for group, passwd files.  Disable passwords in NIS+ (e.g. use
> `*' in the password field).  Use Kerberos for authentication.

Kerberos is extremely nice to have, but might be overkill for very small sites.

BMS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message