Date:      Tue, 07 May 2002 10:42:28 -0700
From:      Cy Schubert - CITS Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        "Douglas K. Rand" <rand@meridian-enviro.com>
Cc:        Mikel King <mikel@ocsinternet.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Centralized authentication 
Message-ID:  <200205071742.g47HgSmC090516@cwsys.cwsent.com>
In-Reply-To: Message from "Douglas K. Rand" <rand@meridian-enviro.com>  of "Tue, 07 May 2002 12:23:57 CDT." <87elgnj2he.wl@delta.meridian-enviro.com> 

In message <87elgnj2he.wl@delta.meridian-enviro.com>, "Douglas K. Rand" 
writes:
> What I've started on is a NIS deployment. It was pointed out to me
> that all of the pam_* stuff still won't distribute the
> non-authentication stuff for /etc/passwd (uids, gids, home
> directories, shells, etc) and it won't do /etc/group stuff either. 
> 
> I'm right now trying to decide to distribute the encrypted passwords
> with NIS or to use some other pam_* thing, perhaps pam_radius. Our
> network is well protected by firewalls, so I'm feeling fairly
> comfortable with NIS for everything except the encrypted password. 
> 
> Actually, with the MD5 encrypted passwords, I also feel somewhat
> comfortable with NIS shipping those, but I'm still thinking about
> that. 

Use NIS to distribute your maps and Kerberos to authenticate.  Here is 
an example from one of my NIS+ (Sun) networks:

foobar:*:11037:11000:foobar user - ITSD OSG:/home/foobar:/bin/bash:10248::::::

Notice the * in the password field.  This user cannot log in without 
some other means of authentication, which in this case is Kerberos.  
Use either heimdal or KRB5, then use the pam_krb5 port.



Cheers,                          Phone:  250-387-8437
Cy Schubert                        Fax:  250-387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC            
                    FreeBSD UNIX:  cy@FreeBSD.org
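
An added example, not part of the original message: a small audit of a passwd-format map dump that reports every entry whose password field carries a crypt hash or is empty instead of a placeholder such as the * shown above. The sample map is constructed (only the foobar line comes from the message), and the input is assumed to be colon-separated with the login name first and the password field second.

```python
import re

# Constructed sample in passwd(5) layout, as a map dump might look.
# The first line is the entry quoted in the message; the rest are made up.
SAMPLE_MAP = """\
foobar:*:11037:11000:foobar user - ITSD OSG:/home/foobar:/bin/bash:10248::::::
alice:$1$Qx3dTn9a$0123456789abcdefghijkl:11038:11000:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yWI:11039:11000:Bob:/home/bob:/bin/sh
carol::11040:11000:Carol:/home/carol:/bin/sh
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt(3) output
MODULAR = re.compile(r"^\$[0-9a-z]+\$")         # modular crypt, e.g. $1$ = MD5


def classify(field):
    """Return 'empty', 'hash' or 'placeholder' for a password field."""
    if field == "":
        return "empty"          # account usable with no password at all
    if MODULAR.match(field) or DES_CRYPT.match(field):
        return "hash"           # a crackable hash is being distributed
    return "placeholder"        # e.g. '*': authentication must happen elsewhere


def audit(map_text):
    """Return (line number, user, problem) for entries that are not locked."""
    findings = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        # Skip blanks, comments and +/- compat entries from a local file.
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            findings.append((lineno, "?", "malformed"))
            continue
        kind = classify(parts[1])
        if kind != "placeholder":
            findings.append((lineno, parts[0], kind))
    return findings


if __name__ == "__main__":
    for lineno, user, kind in audit(SAMPLE_MAP):
        print(f"line {lineno}: {user}: password field is {kind}")
```

An empty result means the map distributes only account data and no password material.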



