From: Guy Van Sanden
To: Tillman Hodgson, freebsd-questions@freebsd.org
Date: Sat, 13 Sep 2003 17:01:31 +0200
Subject: Re: nis security (DES passwords)

I was looking around for this, and I found that Kerberos uses DES
encryption; John (on my system) reports it rather weak:

Benchmarking: Standard DES [24/32 4K]... DONE
Many salts:     151603 c/s real, 169200 c/s virtual
Only one salt:  152806 c/s real, 155607 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     5750 c/s real, 5940 c/s virtual
Only one salt:  5630 c/s real, 5721 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  143462 c/s real, 153271 c/s virtual
Long:   377600 c/s real, 394979 c/s virtual

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw:    1080115 c/s real, 1125120 c/s virtual

I'm now using MD5 passwords in NIS.
Yet it seems to be the consensus that Kerberos is secure; am I missing
something?

On Fri, 2003-09-12 at 15:00, Tillman Hodgson wrote:
> On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> > On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > > The rough instructions are fairly simple:
> > >
> > > * Set up Kerberos and ensure you have a working realm
> > > * Set up NIS, but set all the passwd fields to something that doesn't
> > >   map to a real password (I like 'krb5', others like '*')
> > >
> > > That's about it. It works because authentication in a Kerberized world
> > > doesn't check the password field in the NIS maps anyway (or the
> > > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > > break for users that aren't local, but I consider the incentive to
> > > replace them a benefit :-)
> >
> > Do you have some links to websites or so that you used to set this up?
>
> Not really. Kerberos and NIS are both in the Handbook, and as I
> mentioned above I just changed the /var/yp/master.passwd that NIS was
> working off of to have 'krb5' in the password field.
>
> A quick bit of Google spelunking dug up some references but no
> "HowTos". The RedHat Security Guide mentions it explicitly in the NIS
> section, for example.
>
> > I'm very interested in this setup, with the added complication that the
> > clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> > (5.0).
>
> Normally NIS is a pain between different Unix implementations (due to
> the different passwd designs such as DES vs. MD5). When using Kerberos
> to handle the authentication, those problems go away. On the other
> hand, you get to learn how to install NIS and Kerberos on multiple
> operating systems :-)
>
> -T
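
An added example, not part of the original thread: a check that every password field in a master.passwd-format NIS source map holds a placeholder ('krb5' or '*', as in the quoted instructions), labelling any hash left behind by its crypt(3) format. The function names and the sample map are constructed for illustration; the hash recognition assumes the standard DES, BSDI extended DES, MD5 and Blowfish crypt formats.

```python
import re

# Constructed sample in master.passwd layout; accounts and hashes are made up.
SAMPLE_MAP = """\
alice:krb5:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:aaBBccDDeeFF1:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constrct$AAAAAAAAAAAAAAAAAAAAAA:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin::1005:1005::0:0:Erin:/home/erin:/bin/sh
frank:_J9..saltAAAAAAAAAAA:1006:1006::0:0:Frank:/home/frank:/bin/sh
"""

DES_CHARS = "[./0-9A-Za-z]"  # alphabet used by DES-based crypt(3) hashes

def classify(pw_field):
    """Label the password field of one master.passwd-style entry."""
    if pw_field == "":
        return "empty"                       # no password at all
    if pw_field == "krb5" or pw_field.startswith("*"):
        return "placeholder"                 # cannot match any real password
    if pw_field.startswith("$1$"):
        return "md5"
    if pw_field.startswith("$2"):
        return "blowfish"
    if re.fullmatch("_" + DES_CHARS + "{19}", pw_field):
        return "bsdi-des"                    # '_' + 4 count + 4 salt + 11 hash
    if re.fullmatch(DES_CHARS + "{13}", pw_field):
        return "des"                         # 2 salt + 11 hash characters
    return "unknown"

def audit(map_text):
    """Return (user, label) for each entry whose field is not a placeholder."""
    findings = []
    for line in map_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((line, "malformed"))
            continue
        label = classify(fields[1])
        if label != "placeholder":
            findings.append((fields[0], label))
    return findings

if __name__ == "__main__":
    for user, label in audit(SAMPLE_MAP):
        print(f"{user}: {label}")
```
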