Date: Thu, 25 Sep 2003 12:00:48 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Jesse Guardiani <jesse@wingnet.net>
Cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <Pine.NEB.3.96L.1030925115754.50146E-100000@fledge.watson.org>
In-Reply-To: <Pine.NEB.3.96L.1030925115333.50146C-100000@fledge.watson.org>
On Thu, 25 Sep 2003, Robert Watson wrote:

> Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
> due to a lack of complete NSS support--to do this directly, you'd need
> to run 5.x. My understanding is that some sites dump their LDAP
> databases to NIS databases and share them on the FreeBSD side using NIS,
> which is also a reasonable (if less secure) solution. If you just want
> to use Kerberos5 for password sharing, 4.x should be no problem at all.

Running NIS on a trusted IP network (i.e., no spoofing, no direct wire access) between a set of trusted hosts, with no modifications to the privileged port set, should be fairly safe against unprivileged users logged into the machines. The same goes for NFS. If you break any of these assumptions, then the security properties go out the window.

Another popular solution, if your password files/etc don't change all that frequently, is to push/pull them over cryptographically protected protocols. I.e., to poll using https, or push using ssh. By distributing (in a manner of speaking) the passwords themselves using Kerberos5, most sites have a pretty slow rate of change for password files.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
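The push/pull approach in the message above moves the password file over ssh or https, but the transport alone does not tell the receiving host that the file it is about to install is intact and well-formed. The following is an added example, not part of the thread and not FreeBSD's own tooling: a receiving-side sh script that assumes the transfer (scp over ssh, or a curl fetch over https) has already dropped a candidate master.passwd copy and a SHA-256 digest into a staging directory, and that verifies the digest, sanity-checks the 10-field master.passwd layout, and only then replaces the live file atomically. File names, the digest-file convention and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): receiving-side checks
# for a password file distributed by push (ssh) or pull (https).
# Assumes the transport already placed CANDIDATE and DIGEST in a staging
# directory; all paths and sample entries below are constructed.

# verify_digest FILE DIGESTFILE -> 0 if sha256(FILE) equals the digest on
# the first field of DIGESTFILE (the format "sha256sum" prints)
verify_digest() {
    expected=$(cut -d' ' -f1 < "$2")
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_passwd_format FILE -> 0 if every line has the 10 colon-separated
# fields of a FreeBSD master.passwd entry and a non-empty login name
check_passwd_format() {
    awk -F: 'NF != 10 || $1 == "" { bad = 1 } END { exit bad ? 1 : 0 }' "$1"
}

# install_passwd CANDIDATE DIGEST DEST -> refuses on any failed check,
# otherwise copies CANDIDATE into a temp file next to DEST and renames it
# over DEST so readers never see a half-written file
install_passwd() {
    verify_digest "$1" "$2" || { echo "digest mismatch, refusing $1" >&2; return 1; }
    check_passwd_format "$1" || { echo "malformed entries, refusing $1" >&2; return 1; }
    tmp=$(mktemp "$3.XXXXXX") || return 1
    cp "$1" "$tmp" && chmod 0600 "$tmp" && mv "$tmp" "$3"
}

# make_sample_dir -> prints a temp dir holding constructed sample inputs:
# a good candidate with a matching digest, and a tampered copy that still
# carries the old digest (as a man-in-the-middle edit or a corrupted
# transfer would)
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$d/master.passwd.new"
    printf 'alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh\n' >> "$d/master.passwd.new"
    sha256sum "$d/master.passwd.new" | cut -d' ' -f1 > "$d/master.passwd.new.sha256"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\nbroken:*:0:0\n' > "$d/master.passwd.bad"
    cp "$d/master.passwd.new.sha256" "$d/master.passwd.bad.sha256"
    echo "$d"
}

# Demo run (constructed data, nothing touches the real /etc)
demo=$(make_sample_dir)
if install_passwd "$demo/master.passwd.new" "$demo/master.passwd.new.sha256" "$demo/master.passwd"; then
    echo "installed verified copy to $demo/master.passwd"
fi
if ! install_passwd "$demo/master.passwd.bad" "$demo/master.passwd.bad.sha256" "$demo/master.passwd"; then
    echo "tampered copy refused, live file unchanged"
fi
rm -rf "$demo"
```

The digest file is only worth something if it arrives over a different path from the password file itself (or is signed), otherwise whoever can alter the file can alter the digest too; in the ssh-push variant the digest can simply be computed on the master before the push and compared on the receiver.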