Date: Wed, 24 Sep 2003 15:56:56 -0700 (PDT)
From: Jason Stone <freebsd-security@dfmm.org>
To: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <20030924153355.T55021@walter>
In-Reply-To: <200309241555.30825.jesse@wingnet.net>
References: <bks9kq$46u$1@sea.gmane.org> <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net>
> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized
>
> but isn't that true of any auth mechanism?

Other auth methods use more generic interfaces that already exist. Many/most unix systems/applications are pam aware nowadays, which means that any auth system which already has pam modules can be dropped in without modifying the apps. And nis is integrated into the libc, so that traditional manual authentication (e.g., using getpwnam(3) and friends) will use nis transparently.

Also, while kerberos is used for authentication, as far as I understand it, kerberos provides no means for distributing a username-to-uid map, so you would still have to use nis or something for that. (Someone correct me if I'm way off here....)

> > > 5.) NIS/NIS+
> >
> > NIS is at a bit of a disadvantage due to the unencrypted transport
> > of information. Although MD5 hashes in the passwd databases make
> > passwords harder to crack, usernames and group memberships may still be
> > retrieved with little difficulty

Well, it's worse than that - since the packets are not authenticated in any way, an active attacker doesn't need to crack passwords - he can just inject his own packets which can have crypted passwords that he knows. If you use ipsec and a well-known nis server (as opposed to the easy way of just using broadcast), then maybe nis isn't so weak. And all os's and network gear support ipsec by now, right?

> > Since you have cisco devices, you may want to look at pam_tacplus.

I like tacacs better than radius, but be aware that different devices may have differing notions of what the tacacs privilege levels mean. For example, I used to have cisco and foundry gear, both of which spoke tacacs, but on one, the numeric privilege levels went from low to high with increased privileges, and on the other, it went from high to low. foundry has since changed their stuff to be compatible with cisco, so maybe this isn't an issue any more, but be aware that it might be.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
 -- Ashley Montagu
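The privilege-level mismatch Jason describes (one vendor counting up to the most privileged level, another counting down) is easy to illustrate with a small mapping layer. This is an added example, not code from the thread or from pam_tacplus; the two schemes and the role names are constructed for illustration, not taken from any vendor's documentation.

```python
# Added example: map one canonical role to per-device TACACS+ privilege
# levels, and audit stored per-vendor levels for mismatches. The vendor
# schemes below are constructed to mirror the post's description, not
# real vendor specifications.
from dataclasses import dataclass

ROLES = ("readonly", "operator", "admin")   # least to most privileged


@dataclass(frozen=True)
class PrivScheme:
    lowest: int   # numeric value of the least-privileged level
    highest: int  # numeric value of the most-privileged level

    def level_for(self, role: str) -> int:
        """Canonical role -> vendor-specific priv-lvl, spread over the range."""
        idx = ROLES.index(role)  # ValueError on an unknown role
        step = (self.highest - self.lowest) / (len(ROLES) - 1)
        return round(self.lowest + idx * step)

    def role_for(self, level: int) -> str:
        """Vendor-specific priv-lvl -> nearest canonical role."""
        lo, hi = sorted((self.lowest, self.highest))
        if not lo <= level <= hi:
            raise ValueError(f"priv-lvl {level} outside {lo}..{hi}")
        return min(ROLES, key=lambda r: abs(self.level_for(r) - level))


# Constructed schemes: "ascending" counts up to admin (0..15); "descending"
# treats 0 as the most privileged level, as the post says older gear did.
SCHEMES = {
    "ascending": PrivScheme(lowest=0, highest=15),
    "descending": PrivScheme(lowest=15, highest=0),
}


def audit_mapping(role: str, levels: dict) -> list:
    """Return the vendors whose stored priv-lvl does not grant `role`.

    A mismatch means the same numeric level, copied between vendors, would
    give a user the wrong privilege on that device."""
    return [v for v, lvl in levels.items() if SCHEMES[v].role_for(lvl) != role]


if __name__ == "__main__":
    # Level 15 copied verbatim to both devices: admin on one, readonly on the other.
    print(audit_mapping("admin", {"ascending": 15, "descending": 15}))
```

Running the block reports `['descending']`, the device where a copied level 15 silently drops an admin to read-only; the reverse copy (0 to an ascending device) would be the more dangerous direction.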