Date: Thu, 25 Sep 2003 13:03:56 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <20030925130356.S18252@seekingfire.com>
In-Reply-To: <20030925124655.C31322@localhost>; from mdg@secureworks.net on Thu, Sep 25, 2003 at 12:58:25PM -0400
References: <Pine.NEB.3.96L.1030925115754.50146E-100000@fledge.watson.org> <20030925124655.C31322@localhost>
On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> On Thu, 25 Sep 2003, Robert Watson wrote:
>
> > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > access) between a set of trusted hosts, with no modifications to the
> > privileged port set, should be fairly safe against unprivileged users
> > logged into the machines. The same goes for NFS. If you break any of
> > these assumptions, then the security properties go out the window.
>
> It should probably also be noted that when using NIS in a multi-platform
> environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> FreeBSD machines only, the passwd maps are generated without password
> fields, the master.passwd maps are generated with them, and only requests
> from privileged ports (superuser requests) will be given the master.passwd
> maps (hence the comment above about modifying the privileged port set).
> Other operating systems' NIS implementations require the password fields
> to be in the passwd maps, which are available to unprivileged users.

Or one could put something like "*" or "krb5" in the password field and use
Kerberos with NIS to obtain extra security in a cross-platform environment.

-T

--
In the beginner's mind there are many possibilities. In the expert's mind there are few.
- Suzuki-roshi
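The point both posters make is that whatever lands in the password field of the world-readable passwd map is visible to every unprivileged NIS client. The script below is an added example, not from the thread, that audits a passwd-format map for entries whose password field is a real hash rather than a placeholder; the sample map, the dummy hash and the set of accepted placeholders ("", "*", "x", "!", "krb5") are assumptions for the demonstration.

```shell
#!/bin/sh
# Audit a NIS passwd map for password hashes exposed to unprivileged clients.
# Constructed sample map: the "hash" for bob is a dummy value, not a real credential.
SAMPLE_MAP='root:*:0:0:Charlie &:/root:/bin/csh
alice:krb5:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$dummysalt$dummyhashvalue0123456:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
dave:x:1004:1004:Dave:/home/dave:/bin/sh'

# Print the names of users whose password field is not one of the assumed
# placeholders (empty, "*", "x", "!" or "krb5"); anything else is taken to be
# a hash that any NIS client could read with ypcat.
leaked_hash_users() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 7 && $2 != "" && $2 != "*" && $2 != "x" && $2 != "!" && $2 != "krb5" { print $1 }'
}

# Return 0 when the map is clean, 1 when at least one hash is exposed.
audit_passwd_map() {
    leaked=$(leaked_hash_users "$1")
    if [ -n "$leaked" ]; then
        printf 'passwd map exposes password hashes for: %s\n' \
            "$(printf '%s' "$leaked" | tr '\n' ' ')"
        return 1
    fi
    echo "passwd map carries no password hashes"
}

# On a live NIS client, feed the real map instead: audit_passwd_map "$(ypcat passwd)"
audit_passwd_map "$SAMPLE_MAP" || echo "audit status: $?"
```

With the sample map the audit reports bob, because his entry carries a hash while the other accounts use placeholders.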