Date: Wed, 10 Apr 2002 02:52:39 +1000 (Australia/ACT) From: Darren Reed <avalon@coombs.anu.edu.au> To: nectar@FreeBSD.ORG (Jacques A. Vidrine) Cc: bms@spc.org (Bruce M Simpson), rand@meridian-enviro.com (Douglas K. Rand), freebsd-security@FreeBSD.ORG Subject: Re: Centralized authentication Message-ID: <200204091652.CAA16233@caligula.anu.edu.au> In-Reply-To: <20020409161628.GK19961@madman.nectar.cc> from "Jacques A. Vidrine" at Apr 09, 2002 11:16:28 AM
next in thread | previous in thread | raw e-mail | index | archive | help
In some mail from Jacques A. Vidrine, sie said: > > On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote: > > What pam_ldap will give you is a means of securely > > verifying a user's password, > > s/securely/insecurely/ > > unless you are using SSL to protect your LDAP connection, and you are > verifying certificates. In which case your response time is probably > not very nice. > > However, the suggested approach can be modified in a useful fashion: > use NIS+ for group, passwd files. Disable passwords in NIS+ (e.g. use > `*' in the password field). Use Kerberos for authentication. By default, there is also a shadow map with NIS+ (or at least Solaris has one). You also have access rights, per field, per row, and more than just owner, group, other with read/write/execute (unix file permissions). The only time NIS+ is at risk is when you run it with NIS compatibility enabled. NIS+ is secure, is very easy to shoot yourself in the foot with and is quite also quite complex. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204091652.CAA16233>