Date: Sun, 7 Apr 2002 13:35:37 -0400
From: Anthony Schneider
To: Pieter Danhieux
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020407133536.A140@mail.slc.edu>
References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> <20020407192004.5cbecd18.pdanhieux@easynet.be>
In-Reply-To: <20020407192004.5cbecd18.pdanhieux@easynet.be>; from pdanhieux@easynet.be on Sun, Apr 07, 2002 at 07:20:04PM +0200

> NIS is a security issue, cause it sends the passwords file through the network, and any user can sniff it or get it by 'ypcat passwd'. So I would suggest a combination of NIS and RADIUS. NIS takes care of the home directories and users, and RADIUS would authenticate the users. We use it at the University of Gent in our little basement for 6 PCs and 50 users ...

'ypcat passwd' does not show passwords... (it shows the usual /etc/passwd style '*' in field 2).
I believe, however, that if you have an improperly permed master.passwd in your /var/yp directory, that it can be read by 'ypcat master.passwd', but I've never tried it.

On a private, small LAN, NIS can be okay, but you're right, passwords are passed in plaintext across the network. I'd say use Kerberos, OpenLDAP or perhaps even NIS+ (although I know little about NIS+, but what I do know is that security-wise it's a good bit higher on the ladder than NIS).

-Anthony.

-----------------------------------------------
PGP key at:
    http://www.keyserver.net/
    http://www.anthonydotcom.com/gpgkey/key.txt
Home:
    http://www.anthonydotcom.com
-----------------------------------------------