From owner-freebsd-security  Tue Apr  9  9:52:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5E5EE37B417; Tue,  9 Apr 2002 09:52:41 -0700 (PDT)
Received: (from avalon@localhost)
	by caligula.anu.edu.au (8.9.3/8.9.3) id CAA16233;
	Wed, 10 Apr 2002 02:52:39 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200204091652.CAA16233@caligula.anu.edu.au>
Subject: Re: Centralized authentication
To: nectar@FreeBSD.ORG (Jacques A. Vidrine)
Date: Wed, 10 Apr 2002 02:52:39 +1000 (Australia/ACT)
Cc: bms@spc.org (Bruce M Simpson),
	rand@meridian-enviro.com (Douglas K. Rand),
	freebsd-security@FreeBSD.ORG
In-Reply-To: <20020409161628.GK19961@madman.nectar.cc> from "Jacques A. Vidrine" at Apr 09, 2002 11:16:28 AM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

In some mail from Jacques A. Vidrine, sie said:
> 
> On Tue, Apr 09, 2002 at 03:30:29PM +0000, Bruce M Simpson wrote:
> > What pam_ldap will give you is a means of securely
> > verifying a user's password,
> 
> s/securely/insecurely/
> 
> unless you are using SSL to protect your LDAP connection, and you are
> verifying certificates.  In which case your response time is probably
> not very nice.
> 
> However, the suggested approach can be modified in a useful fashion:
> use NIS+ for group, passwd files.  Disable passwords in NIS+ (e.g. use
> `*' in the password field).  Use Kerberos for authentication.

By default, there is also a shadow map with NIS+ (or at least Solaris
has one).

You also have access rights, per field, per row, and more than just
owner, group, other with read/write/execute (unix file permissions).

The only time NIS+ is at risk is when you run it with NIS compatibility
enabled.

NIS+ is secure, is very easy to shoot yourself in the foot with and is
quite also quite complex.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message