Date: Wed, 24 Sep 2003 19:18:07 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <20030924191807.D18252@seekingfire.com>
In-Reply-To: <20030924153355.T55021@walter>; from freebsd-security@dfmm.org on Wed, Sep 24, 2003 at 03:56:56PM -0700
References: <bks9kq$46u$1@sea.gmane.org> <20030924122724.V31322@localhost> <200309241555.30825.jesse@wingnet.net> <20030924153355.T55021@walter>
On Wed, Sep 24, 2003 at 03:56:56PM -0700, Jason Stone wrote:
> > > > 1.) Kerberos
> > >
> > > krb is nice, but the problem with it is that all of your applications need
> > > to be kerberized
> >
> > but isn't that true of any auth mechanism?
>
> Other auth methods use more generic interfaces that already exist.
>
> Many/most unix systems/applications are pam aware nowadays, which means
> that any auth system which already has pam modules can be dropped in
> without modifying the apps. And nis is integrated into the libc, so that
> traditional manual authentication (eg, using getpwnam(3) and friends) will
> use nis transparently.

You can use PAM with Kerberos, though it's by no means necessary.

> Also, while kerberos is used for authentication, as far as I understand
> it, kerberos provides no means for distributing a username-to-uid map, so
> you would still have to use nis or something for that. (Someone correct
> me if I'm way off here....)

That's correct. It does authentication, not authorization. It's a feature - I can use NIS on my server, you can use LDAP on your server, Bob can use /etc/passwd with disabled passwords on his server. Flexible mapping schemes allow neat tricks like cross-realm trusts with Active Directory and secondary user databases ("if not in NIS fall back to corporate LDAP", etc).

> > > > 5.) NIS/NIS+
> > >
> > > NIS is at a bit of a disadvantage due to the unencrypted transport
> > > of information. Although MD5 hashes in the passwd databases make
> > > passwords harder to crack, usernames and group memberships may still be
> > > retrieved with little difficulty
>
> Well, it's worse than that - since the packets are not authenticated in
> any way, an active attacker doesn't need to crack passwords - he can just
> inject his own packets which can have crypted passwords that he knows.
>
> If you use ipsec and a well-known nis server (as opposed to the easy way
> of just using broadcast), then maybe nis isn't so weak. And all os's and
> network gear support ipsec by now, right?

Which is why I use NIS with Kerberos - the passwords aren't in the NIS maps and injected fake users won't be authenticated by Kerberos.

-T

-- 
The phrase "we (I) (you) simply must..." designates something that need not be done. "That goes without saying," is a red warning. "Of course..." means you had best check it yourself. And if "everybody knows" such-and-such, then it ain't so, by at least ten thousand to one. - Robert Heinlein
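The setup Tillman describes (NIS only as a uid map, Kerberos as the sole authenticator) is only as good as the map actually shipped by the NIS server. The audit below is an added example, not code from the thread: it takes constructed text standing in for `ypcat passwd` and for a Kerberos principal listing, and flags entries that still carry a crypt hash, unexpected uid-0 entries (the injected-user case from the quoted message), and login accounts with no principal behind them. The realm, usernames, hash and the "locked" markers are assumptions.

```python
"""Audit a NIS passwd map for the 'NIS for mapping, Kerberos for auth' setup."""
from dataclasses import dataclass

# Constructed stand-in for `ypcat passwd` output (7 passwd(5) fields per line).
YPCAT_PASSWD = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/csh
carol:$1$abcdefgh$ConstructedNotARealMD5Hash:1003:1003:Carol:/home/carol:/bin/sh
toor2:*:0:0:injected root:/:/bin/sh
"""

# Constructed stand-in for a principal listing from the KDC (one per line).
KADMIN_LIST = """\
alice@EXAMPLE.ORG
bob@EXAMPLE.ORG
carol@EXAMPLE.ORG
"""

EXPECTED_UID0 = {"root", "toor"}            # assumption: the only legitimate uid-0 names
LOCKED_MARKERS = {"*", "!", "x"}            # assumption: password fields that are not hashes
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/nonexistent"}


@dataclass
class Finding:
    user: str
    problem: str


def parse_passwd(text):
    """Yield (name, password_field, uid, shell) for each non-empty passwd line."""
    for line in text.splitlines():
        if line.strip():
            name, pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
            yield name, pw, int(uid), shell


def parse_principals(text, realm):
    """Return the bare usernames that have a principal in the given realm."""
    suffix = "@" + realm
    return {p[: -len(suffix)] for p in text.split() if p.endswith(suffix)}


def audit(passwd_text, kadmin_text, realm):
    """Return findings for map entries that break the NIS+Kerberos model."""
    principals = parse_principals(kadmin_text, realm)
    findings = []
    for name, pw, uid, shell in parse_passwd(passwd_text):
        if pw not in LOCKED_MARKERS:   # a usable hash leaked into the (unauthenticated) map
            findings.append(Finding(name, "password hash present in NIS map"))
        if uid == 0 and name not in EXPECTED_UID0:
            findings.append(Finding(name, "unexpected uid 0 entry"))
        if shell not in NOLOGIN_SHELLS and name not in principals:
            findings.append(Finding(name, "login shell but no Kerberos principal"))
    return findings


if __name__ == "__main__":
    for f in audit(YPCAT_PASSWD, KADMIN_LIST, "EXAMPLE.ORG"):
        print(f"{f.user}: {f.problem}")
```

On a real host, feed it `ypcat passwd` and the output of your KDC's principal listing instead of the constructed strings.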