From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-security@freebsd.org
Date: Wed, 24 Sep 2003 19:18:07 -0600
Subject: Re: unified authentication
Message-ID: <20030924191807.D18252@seekingfire.com>
In-Reply-To: <20030924153355.T55021@walter>

On Wed, Sep 24, 2003 at 03:56:56PM -0700, Jason Stone wrote:

> > > > 1.) Kerberos
> > >
> > > krb is nice, but the problem with it is that all of your applications need
> > > to be kerberized
> >
> > but isn't that true of any auth mechanism?
>
> Other auth methods use more generic interfaces that already exist.
>
> Many/most unix systems/applications are pam aware nowadays, which means
> that any auth system which already has pam modules can be dropped in
> without modifying the apps. And nis is integrated into the libc, so that
> traditional manual authentication (eg, using getpwnam(3) and friends) will
> use nis transparently.

You can use PAM with Kerberos, though it's by no means necessary.

> Also, while kerberos is used for authentication, as far as I understand
> it, kerberos provides no means for distributing a username-to-uid map, so
> you would still have to use nis or something for that. (Someone correct
> me if I'm way off here....)

That's correct. It does authentication, not authorization. It's a feature -
I can use NIS on my server, you can use LDAP on your server, Bob can use
/etc/passwd with disabled passwords on his server. Flexible mapping schemes
allow neat tricks like cross-realm trusts with Active Directory and
secondary user databases ("if not in NIS fall back to corporate LDAP", etc).

> > > > 5.) NIS/NIS+
> > >
> > > NIS is at a bit of a disadvantage due to the unencrypted transport
> > > of information. Although MD5 hashes in the passwd databases make
> > > passwords harder to crack, usernames and group memberships may still be
> > > retrieved with little difficulty
>
> Well, it's worse than that - since the packets are not authenticated in
> any way, an active attacker doesn't need to crack passwords - he can just
> inject his own packets which can have crypted passwords that he knows.
>
> If you use ipsec and a well-known nis server (as opposed to the easy way
> of just using broadcast), then maybe nis isn't so weak. And all os's and
> network gear support ipsec by now, right?

Which is why I use NIS with Kerberos - the passwords aren't in the NIS maps
and injected fake users won't be authenticated by Kerberos.

-T

-- 
The phrase "we (I) (you) simply must..." designates something that need
not be done. "That goes without saying," is a red warning. "Of course..."
means you had best check it yourself. And if "everybody knows"
such-and-such, then it ain't so, by at least ten thousand to one.
    - Robert Heinlein
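The split Tillman describes (NIS carries only the username-to-uid map, Kerberos does the authenticating through PAM) is easy to get subtly wrong on one host, so here is a small audit, added as an example and not code from the thread or from FreeBSD: it flags NIS passwd entries that still ship a crypted hash or an empty password field, and checks that pam_krb5 is consulted before pam_unix in a pam.d(5) file. The module names pam_krb5.so/pam_unix.so and the sample map and PAM lines are constructed for the example.

```python
# Audit helpers for a NIS-for-identity, Kerberos-for-authentication setup.
# Input is the text of `ypcat passwd` and of a /etc/pam.d service file.

PASSWD_FIELDS = 7  # name:pw:uid:gid:gecos:home:shell, as in passwd(5)

# Password-field values that carry no usable credential. "*" is the usual
# "no password here, ask something else" marker; the others are lock markers.
NO_HASH = {"*", "*LK*", "!", "!!"}


def classify_pw_field(pw):
    """Return 'empty', 'disabled' or 'hash' for one passwd password field."""
    if pw == "":
        return "empty"          # passwordless login, worse than a hash
    if pw in NO_HASH:
        return "disabled"       # what every entry in the NIS map should be
    return "hash"               # a crypted password is being distributed


def audit_nis_passwd(map_text):
    """Map each username whose NIS entry still carries a credential (or is
    malformed) to the problem found. An empty dict means the map is clean."""
    findings = {}
    for line in map_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            findings[fields[0]] = "malformed"
            continue
        kind = classify_pw_field(fields[1])
        if kind != "disabled":
            findings[fields[0]] = kind
    return findings


def krb5_before_unix(pam_text):
    """True if the 'auth' stack consults pam_krb5.so before pam_unix.so, so a
    password is checked against the KDC rather than a local or NIS hash."""
    order = [p[2] for p in (l.split() for l in pam_text.splitlines())
             if len(p) >= 3 and p[0] == "auth"]
    if "pam_krb5.so" not in order:
        return False
    return ("pam_unix.so" not in order
            or order.index("pam_krb5.so") < order.index("pam_unix.so"))


# Constructed sample data: alice and bob are right, carol still ships an MD5
# crypt hash and dave has an empty password field.
SAMPLE_MAP = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$XXXXXXXXXXXXXXXXXXXXXX:1003:1003:Carol:/home/carol:/bin/sh
dave::1004:1004:Dave:/home/dave:/bin/sh
"""
SAMPLE_PAM = """\
auth    sufficient  pam_krb5.so   no_warn try_first_pass
auth    required    pam_unix.so   no_warn try_first_pass
"""
```

Run `audit_nis_passwd(SAMPLE_MAP)` to get `{'carol': 'hash', 'dave': 'empty'}`; on a real host feed it the output of `ypcat passwd` instead.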