Date: Fri, 26 Sep 2003 10:28:54 -0700
From: Cy Schubert <Cy.Schubert@komquats.com>
To: Tillman Hodgson <tillman@seekingfire.com>
Cc: freebsd-security@freebsd.org
Subject: Re: unified authentication
Message-ID: <200309261728.h8QHSsX3025038@cwsys.cwsent.com>
In-Reply-To: Message from Tillman Hodgson <tillman@seekingfire.com> <20030925130356.S18252@seekingfire.com>

In message <20030925130356.S18252@seekingfire.com>, Tillman Hodgson writes:
> On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> > On Thu, 25 Sep 2003, Robert Watson wrote:
> >
> > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > > access) between a set of trusted hosts, with no modifications to the
> > > privileged port set, should be fairly safe against unprivileged users
> > > logged into the machines. The same goes for NFS. If you break any of
> > > these assumptions, then the security properties go out the window.
> >
> > It should probably also be noted that when using NIS in a multi-platform
> > environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> > FreeBSD machines only, the passwd maps are generated without password
> > fields, the master.passwd maps are generated with them, and only requests
> > from privileged ports (superuser requests) will be given the master.passwd
> > maps (hence the comment above about modifying the privileged port set).
> > Other operating systems' NIS implementations require the password fields
> > to be in the passwd maps, which are available to unprivileged users.
>
> Or one could put something like "*" or "krb5" in the password field and
> use Kerberos with NIS to obtain extra security in a cross-platform
> environment.

I've been doing that for years on Solaris using MIT KRB5 and NIS+. Works
like a charm.

Cheers,
--
Cy Schubert <Cy.Schubert@komquats.com> http://www.komquats.com/
BC Government . FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca . cy@FreeBSD.org
http://www.gov.bc.ca/ . http://www.FreeBSD.org/help
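
The thread's point about password fields in the world-readable passwd map can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD: it audits a passwd-format dump (for instance saved output of `ypcat passwd`) and reports entries whose password field is not a placeholder such as "*" or "krb5". The sample entries are constructed, and the placeholder list beyond "*" and "krb5" is an assumption.

```python
"""Audit a passwd-format NIS map dump for exposed password fields."""
import sys

# "*" and "krb5" are the placeholders named in the thread; "x" and "NP"
# are other common no-hash markers (assumption, extend for your site).
PLACEHOLDERS = {"*", "krb5", "x", "NP"}

def classify(field):
    """Return 'empty', 'placeholder' or 'hash' for one password field."""
    if field == "":
        return "empty"  # account with no password set at all
    # Fields beginning with "*" or "!" are lock markers, never valid hashes.
    if field in PLACEHOLDERS or field.startswith(("*", "!")):
        return "placeholder"
    return "hash"  # anything else is treated as crackable material

def audit(lines):
    """Return [(user, finding)] for entries that are not placeholders."""
    findings = []
    for raw in lines:
        line = raw.strip()
        # Skip blanks, comments, and +/- compat markers from local files.
        if not line or line.startswith(("#", "+", "-")):
            continue
        parts = line.split(":")
        if len(parts) < 7:  # passwd has 7 fields, master.passwd has 10
            findings.append((parts[0], "malformed"))
            continue
        kind = classify(parts[1])
        if kind != "placeholder":
            findings.append((parts[0], kind))
    return findings

# Constructed sample map contents (not real accounts or hashes).
SAMPLE = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:krb5:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$CONSTRUCTED$notarealhashvalue000000:1003:1003:Carol:/home/carol:/bin/sh
dave::1004:1004:Dave:/home/dave:/bin/sh
"""

if __name__ == "__main__":
    # Pass a file holding the map dump, or run with no argument for the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for user, kind in audit(src):
        print(f"{user}: {kind}")
```
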
