From owner-freebsd-security@FreeBSD.ORG Thu Sep 25 09:01:09 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89E8316A4B3 for ; Thu, 25 Sep 2003 09:01:09 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id A162343FCB for ; Thu, 25 Sep 2003 09:01:08 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1]) by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h8PG0mgL050686; Thu, 25 Sep 2003 12:00:48 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost) h8PG0m1Z050683; Thu, 25 Sep 2003 12:00:48 -0400 (EDT)
Date: Thu, 25 Sep 2003 12:00:48 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Jesse Guardiani
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 25 Sep 2003 16:01:09 -0000

On Thu, 25 Sep 2003, Robert Watson wrote:

> Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
> due to a lack of complete NSS support--to do this directly, you'd need
> to run 5.x. My understanding is that some sites dump their LDAP
> databases to NIS databases and share them on the FreeBSD side using NIS,
> which is also a reasonable (if less secure) solution. If you just want
> to use Kerberos5 for password sharing, 4.x should be no problem at all.
Running NIS on a trusted IP network (i.e., no spoofing, no direct wire access) between a set of trusted hosts, with no modifications to the privileged port set, should be fairly safe against unprivileged users logged into the machines. The same goes for NFS. If you break any of these assumptions, then the security properties go out the window.

Another popular solution, if your password files/etc don't change all that frequently, is to push/pull them over cryptographically protected protocols. I.e., to poll using https, or push using ssh. By distributing (in a manner of speaking) the passwords themselves using Kerberos5, most sites have a pretty slow rate of change for password files.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
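The "poll using https" approach from the message above, as an added example that is not part of the original thread or of any FreeBSD tool: a pull-side script that fetches a password file plus a detached SHA-256 digest over TLS only, refuses to install anything whose digest does not match, and otherwise replaces the local file with an atomic rename and a backup. The publisher URL, the digest-file layout and the `pull_passwd_file` / `install_verified` names are assumptions; the verify-and-install step is factored out so it can be exercised on a local file without network access.

```shell
#!/bin/sh
# Added example, not from the original message: pull a distributed password
# file over HTTPS and install it only after verifying a detached SHA-256
# digest. URLs and file layout are hypothetical.

# Compute SHA-256 of a file; works with GNU coreutils or BSD userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified FETCHED EXPECTED_HEX DEST
# Returns 0 and installs DEST atomically if the digest matches; returns 1 and
# leaves DEST untouched (deleting the fetched copy) if it does not.
install_verified() {
    fetched=$1; expected=$2; dest=$3
    actual=$(sha256_of "$fetched")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $fetched: refusing to install" >&2
        rm -f "$fetched"
        return 1
    fi
    # Stage in the same directory as DEST so mv is a same-filesystem rename.
    tmp="$dest.new.$$"
    cp "$fetched" "$tmp"
    chmod 0600 "$tmp"          # master.passwd-style permissions; relax for passwd
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak"   # keep the previous copy for rollback
    fi
    mv "$tmp" "$dest"
    return 0
}

# pull_passwd_file [BASE_URL] [DEST]
# Fetches master.passwd and master.passwd.sha256 from the (assumed) publisher.
# curl -f turns HTTP errors into failures; --proto '=https' refuses any
# downgrade to plain HTTP, so the only trust placed in the network is TLS.
pull_passwd_file() {
    base=${1:-https://auth.example.internal/pw}   # hypothetical publisher
    dest=${2:-/etc/master.passwd}
    work=$(mktemp -d) || return 1
    rc=1
    if curl -fsS --proto '=https' -o "$work/file" "$base/master.passwd" &&
       curl -fsS --proto '=https' -o "$work/file.sha256" "$base/master.passwd.sha256"; then
        expected=$(awk '{print $1}' "$work/file.sha256")
        if install_verified "$work/file" "$expected" "$dest"; then
            rc=0
        fi
    fi
    rm -rf "$work"
    return $rc
}
```

Run as `sh pull_passwd.sh` from cron on each client; the digest file should itself be served from the same TLS-protected host, and a site that wants integrity independent of the web server can publish a signature over the digest instead. The push-over-ssh variant in the message is the mirror image: `scp` the file and its digest to each host and run `install_verified` there.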