Date: Sun, 20 Apr 1997 09:14:15 -0700 (PDT)
From: Michael Dillon
To: freebsd-isp@FreeBSD.ORG
cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Need a common passwd file among machines
Organization: Memra Software Inc. - Internet consulting

On Sat, 19 Apr 1997, Alex Belits wrote:

> P.S. Is there any existing thing or at least an idea of making one that
> does this thing nicer? NIS is based on rather dumb idea that to
> authenticate local user one will want to go to some server and ask him
> instead of IMHO more sane approach of distributing authentication
> information from that server to always perform authentication locally and
> never depend on some host being accessible at the time of user's login.

RADIUS is used by terminal servers to authenticate users by "going to some server and asking him" and you can have a backup RADIUS server in case the primary one goes down. I think ISPs would find it easier to manage a site using RADIUS for all authentication, not just terminal servers.

But more importantly, I think that systems need to have a hook in the authentication procedure so that the sysadmin can install their own allow/deny code so that certain servers can still authenticate via RADIUS but only certain users or only at certain times of day or only logins from the console or from certain IP addresses. In general, OSes with source are easy to fit into this kind of a scenario but other ones (Solaris, SCO, IRIX, NT) are not.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
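
Added example, not part of the original message: one way a per-server allow/deny hook of the kind described above could be evaluated after the RADIUS server has answered. The policy format, the names `POLICY` and `login_permitted`, and the sample users and addresses are all constructed for illustration; the RADIUS result is assumed to arrive as a boolean.

```python
import ipaddress
from datetime import time

# Constructed per-server policy. A rule that omits a field places no
# restriction on that attribute; a login that matches no rule is denied.
POLICY = [
    {"users": {"root"}, "console_only": True},
    {"users": {"alice", "bob"}, "hours": (time(8, 0), time(18, 0)),
     "networks": ["192.0.2.0/24"]},
    {"users": {"oncall"}, "hours": (time(22, 0), time(6, 0))},  # wraps midnight
]

def in_window(now, window):
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # overnight window

def rule_allows(rule, user, now, tty, src_ip):
    if rule.get("users") and user not in rule["users"]:
        return False
    if "hours" in rule and not in_window(now, rule["hours"]):
        return False
    # A console login must be on the console tty and have no remote address.
    if rule.get("console_only") and (tty != "console" or src_ip is not None):
        return False
    if rule.get("networks"):
        if src_ip is None:
            return False
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False  # unparseable source address: fail closed
        if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
            return False
    return True

def login_permitted(radius_accepted, user, now, tty, src_ip=None, policy=POLICY):
    """Local hook: RADIUS must accept first, then a local rule must match."""
    if not radius_accepted:
        return False
    return any(rule_allows(r, user, now, tty, src_ip) for r in policy)
```
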