From owner-freebsd-security Tue May 7 10:43:47 2002
From: Cy Schubert - CITS Open Systems Group
To: "Douglas K. Rand"
Cc: Mikel King, freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Date: Tue, 07 May 2002 10:42:28 -0700
Message-Id: <200205071742.g47HgSmC090516@cwsys.cwsent.com>
In-Reply-To: Message from "Douglas K. Rand" of "Tue, 07 May 2002 12:23:57 CDT." <87elgnj2he.wl@delta.meridian-enviro.com>

In message <87elgnj2he.wl@delta.meridian-enviro.com>, "Douglas K. Rand" writes:

> What I've started on is a NIS deployment. It was pointed out to me
> that all of the pam_* stuff still won't distribute the
> non-authentication stuff for /etc/passwd (uids, gids, home
> directories, shells, etc) and it won't do /etc/group stuff either.
>
> I'm right now trying to decide to distribute the encrypted passwords
> with NIS or to use some other pam_* thing, perhaps pam_radius. Our
> network is well protected by firewalls, so I'm feeling fairly
> comfortable with NIS for everything except the encrypted password.
>
> Actually, with the MD5 encrypted passwords, I also feel somewhat
> comfortable with NIS shipping those, but I'm still thinking about
> that.

Use NIS to distribute your maps and Kerberos to authenticate. Here is an
example from one of my NIS+ (Sun) networks:

    foobar:*:11037:11000:foobar user - ITSD OSG:/home/foobar:/bin/bash:10248::::::

Notice the * in the password field. This user cannot log in without some
other means of authentication, which in this case is Kerberos. Use either
heimdal or KRB5, then use the pam_krb5 port.

Cheers,

Cy Schubert                              Phone: 250-387-8437
Team Leader, Sun/Alpha Team              Fax:   250-387-5766
Open Systems Group, CITS                 Email: Cy.Schubert@osg.gov.bc.ca
Ministry of Management Services
Province of BC
FreeBSD UNIX: cy@FreeBSD.org
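An audit check that applies the advice above, added here as an example and not code from the thread: parse a passwd-format map (plain 7-field or NIS+ with trailing shadow columns) and report which accounts still carry a crypt hash in the password field, i.e. would ship credentials over NIS instead of being locked with `*` and deferred to Kerberos. The sample map is constructed: the `foobar` line from the message plus three made-up entries.

```python
import re
from typing import NamedTuple

# Constructed sample map: the NIS+ entry quoted in the message plus three
# invented accounts (one MD5 crypt hash, one DES crypt hash, one empty).
SAMPLE_MAP = "\n".join([
    "foobar:*:11037:11000:foobar user - ITSD OSG:/home/foobar:/bin/bash:10248::::::",
    "alice:$1$saltsalt$" + "a" * 22 + ":11038:11000:Alice:/home/alice:/bin/sh",
    "bob:AbCdEfGhIjKlM:11039:11000:Bob:/home/bob:/bin/csh",
    "guest::11040:11000:Guest:/home/guest:/bin/sh",
])

# $1$<salt>$<22 chars> is MD5 crypt; a bare 13-char string is traditional DES crypt.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


class Entry(NamedTuple):
    name: str
    kind: str  # locked | shadowed | empty | md5 | des | other


def classify(pw_field: str) -> str:
    """Say what the second passwd column actually carries."""
    if pw_field == "":
        return "empty"          # no password at all: anyone can log in
    if pw_field.startswith("*") or pw_field == "!":
        return "locked"         # *, *LK*, *NP*, !: needs another authenticator
    if pw_field == "x":
        return "shadowed"       # hash lives elsewhere (shadow or adjunct map)
    if MD5_CRYPT.match(pw_field):
        return "md5"
    if DES_CRYPT.match(pw_field):
        return "des"
    return "other"


def audit_passwd_map(text: str) -> list:
    """Parse passwd/NIS+ lines; extra shadow columns after the shell are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue            # malformed line, skip rather than guess
        entries.append(Entry(fields[0], classify(fields[1])))
    return entries


def exposed_accounts(text: str) -> list:
    """Accounts whose map entry alone grants or leaks a login credential."""
    return [e.name for e in audit_passwd_map(text)
            if e.kind in ("md5", "des", "other", "empty")]
```

Running `exposed_accounts` over the output of `ypcat passwd` before pushing a map shows which entries still need to be locked with `*` and moved to Kerberos.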