From: Cy Schubert <Cy.Schubert@komquats.com>
To: Tillman Hodgson
cc: freebsd-security@freebsd.org
Date: Fri, 26 Sep 2003 10:28:54 -0700
Subject: Re: unified authentication
Message-Id: <200309261728.h8QHSsX3025038@cwsys.cwsent.com>
In-Reply-To: Message from Tillman Hodgson <20030925130356.S18252@seekingfire.com>

In message <20030925130356.S18252@seekingfire.com>, Tillman Hodgson writes:
> On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> > On Thu, 25 Sep 2003, Robert Watson wrote:
> >
> > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > > access) between a set of trusted hosts, with no modifications to the
> > > privileged port set, should be fairly safe against unprivileged users
> > > logged into the machines. The same goes for NFS. If you break any of
> > > these assumptions, then the security properties go out the window.
> >
> > It should probably also be noted that when using NIS in a multi-platform
> > environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> > FreeBSD machines only, the passwd maps are generated without password
> > fields, the master.passwd maps are generated with them, and only requests
> > from privileged ports (superuser requests) will be given the master.passwd
> > maps (hence the comment above about modifying the privileged port set).
> > Other operating systems' NIS implementations require the password fields
> > to be in the passwd maps, which are available to unprivileged users.
>
> Or one could put something like "*" or "krb5" in the password field and
> use Kerberos with NIS to obtain extra security in a cross-platform
> environment.

I've been doing that for years on Solaris using MIT KRB5 and NIS+. Works
like a charm.

Cheers,
--
Cy Schubert <Cy.Schubert@osg.gov.bc.ca>
BC Government . FreeBSD UNIX
http://www.komquats.com/ . http://www.gov.bc.ca/ . cy@FreeBSD.org . http://www.FreeBSD.org/
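The exposure difference the thread is discussing, as an added example that is not code from the thread, from FreeBSD, or from its /var/yp/Makefile: a constructed, fake-hash master.passwd is turned into the seven-field passwd map once the way a FreeBSD-only NIS server serves it to unprivileged clients (password field replaced by "*") and once the way UNSECURE="True" serves it (hashes copied through). The "bob" entry carries "*" in the password field to stand for the Kerberos-only accounts Tillman Hodgson describes. The field layout is assumed to be FreeBSD's ten-field master.passwd; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example; not the FreeBSD /var/yp/Makefile. Sample data is constructed
# and the password hashes are fake placeholders, not real digests.
MASTER_PASSWD='root:$1$fakehashroot$:0:0::0:0:Charlie &:/root:/bin/sh
alice:$1$fakehashalice$:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob (Kerberos only):/home/bob:/bin/sh'

# gen_passwd_map MODE
# Emit the 7-field passwd map an unprivileged NIS client would receive.
#   secure   -> password field replaced with "*" (FreeBSD-only default)
#   unsecure -> hashes copied through (what UNSECURE="True" hands out,
#               and what non-FreeBSD NIS clients expect to find)
gen_passwd_map() {
    printf '%s\n' "$MASTER_PASSWD" | awk -F: -v mode="$1" '
    {
        pw = (mode == "unsecure") ? $2 : "*"
        # master.passwd: name:pw:uid:gid:class:change:expire:gecos:home:shell
        # passwd:        name:pw:uid:gid:gecos:home:shell
        printf "%s:%s:%s:%s:%s:%s:%s\n", $1, pw, $3, $4, $8, $9, $10
    }'
}

# map_leaks_hashes MODE
# Return 0 if any password field in the generated map is something other than
# the "*" / "krb5" placeholders, i.e. a hash an unprivileged user could crack.
map_leaks_hashes() {
    gen_passwd_map "$1" | awk -F: '
        $2 != "*" && $2 != "krb5" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print both maps side by side when run directly.
printf '== passwd map, FreeBSD default (no UNSECURE) ==\n'
gen_passwd_map secure
printf '== passwd map with UNSECURE="True" ==\n'
gen_passwd_map unsecure
if map_leaks_hashes unsecure; then
    printf 'UNSECURE map exposes password hashes to any ypcat client\n'
fi
```

Run it as `sh nis-maps.sh`; the second map is what `ypcat passwd` would return to any user on any client once UNSECURE="True" is set, which is why the thread pairs that setting with "*" or "krb5" in the password field and Kerberos for the actual authentication.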