From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Date: Fri, 12 Sep 2003 07:00:57 -0600
Subject: Re: nis security
Message-ID: <20030912070057.E13273@seekingfire.com>
In-Reply-To: <1063359316.2838.18.camel@cronos.home.vsb>; from n.b@myrealbox.com on Fri, Sep 12, 2003 at 11:35:16AM +0200
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com> <42065386.1063047726@[192.168.10.11]> <20030908181529.P11841@seekingfire.com> <1063359316.2838.18.camel@cronos.home.vsb>
User-Agent: Mutt/1.2.5.1i
X-Urban-Legend: There is lots of hidden information in headers

On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > The rough instructions are fairly simple:
> >
> > * Set up Kerberos and ensure you have a working realm
> > * Set up NIS, but set all the passwd fields to something that doesn't
> >   map to a real password (I like 'krb5', others like '*')
> >
> > That's about it. It works because authentication in a Kerberized world
> > doesn't check the password field in the NIS maps anyway (or the
> > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > break for users that aren't local, but I consider the incentive to
> > replace them a benefit :-)
>
> Do you have some links to websites or so that you used to set this up?

Not really. Kerberos and NIS are both in the Handbook, and as I mentioned
above I just changed the /var/yp/master.passwd that NIS was working off of
to have 'krb5' in the password field. A quick bit of Google spelunking dug
up some references but no "HowTos". The RedHat Security Guide mentions it
explicitly in the NIS section, for example.

> I'm very interested in this setup, with the added complication that the
> clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> (5.0).

Normally NIS is a pain between different Unix implementations (due to the
different passwd designs such as DES vs. MD5). When using Kerberos to handle
the authentication, those problems go away. On the other hand, you get to
learn how to install NIS and Kerberos on multiple operating systems :-)

-T

-- 
Some never participate. Life happens to them. They get by on little more
than dumb persistence and resist with anger or violence all things that
might lift them out of resentment-filled illusions of security.
    - Alma Mavis Taraza
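The step Tillman describes, replacing the password field of every entry in the NIS source file with a marker such as 'krb5' so that the maps carry no real hashes, is the kind of thing that is easy to do by hand and easy to get slightly wrong (one line missed, or an empty field that lets a non-Kerberized service log someone in with no password at all). The following is an added example, not code from the thread or from FreeBSD; it runs the rewrite with awk over a constructed, fictitious master.passwd sample embedded in the script, and then checks the result so that any entry whose password field is neither '*' nor the marker is reported. The field layout is the FreeBSD master.passwd one (name:password:uid:gid:class:change:expire:gecos:home:shell); the sample users and hashes are invented.

```shell
#!/bin/sh
# Constructed sample of a FreeBSD-style /var/yp/master.passwd source.
# Users, uids and hash strings are invented for this example only.
# Layout: name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$zyxwvuts$rqponmlkjihgfedcba9876:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:krb5:1003:1003::0:0:Carol:/home/carol:/bin/sh'

# scrub_passwd_field MARKER
# Reads master.passwd lines on stdin and writes them to stdout with field 2
# (the password hash) replaced by MARKER on every line. Tillman uses "krb5";
# "*" works just as well, since Kerberos never consults this field.
scrub_passwd_field() {
    awk -v marker="$1" 'BEGIN { FS = OFS = ":" } { $2 = marker; print }'
}

# find_real_hashes
# Reads master.passwd lines on stdin. Prints the name of every account whose
# password field is anything other than "*" or "krb5" (an empty field counts:
# it would let a non-Kerberized service log the user in with no password).
# Exit status 0 means the file is clean, 1 means at least one account was listed.
find_real_hashes() {
    awk 'BEGIN { FS = ":" }
         $2 != "*" && $2 != "krb5" { print $1; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Stand-alone demonstration: scrub the sample, then verify nothing is left.
demo() {
    scrubbed=$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | scrub_passwd_field krb5)
    printf '%s\n' "$scrubbed"
    printf '%s\n' "$scrubbed" | find_real_hashes >/dev/null && echo "ok: no real hashes in NIS source"
}
```

On a real server the rewrite would run against /var/yp/master.passwd (a copy that is separate from the server's own /etc/master.passwd, so local logins on the server are untouched), followed by the usual map rebuild in /var/yp with `make`, and the check would be run against the output of `ypcat master.passwd` from a client so that what is actually being served, rather than only the source file, is what gets inspected.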