Date: Sun, 12 Mar 2000 23:52:48 -0800 (PST)
From: Edward Elhauge <ee@sandbox.uncanny.net>
To: "Hugh Blandford" <hugh@island.net.au>
Cc: freebsd-isp@freebsd.org
Subject: Re: Password distribution and authentication
Message-ID: <200003130752.XAA25557@sandbox.uncanny.net>
In-Reply-To: <Pine.BSF.4.21.0003121349570.8203-100000@greencreek.kappaisle.com> <20000312141128.A28974@cc942873-a.ewndsr1.nj.home.com> <00f501bf8cac$832b9bc0$088ea8c0@island.net.au>

I do, Hugh. I use Kerberos for user authentication but I create a
password file entry for each user that looks something like this:

    userexample:*:7777:7777::0:0:Mail only:/home/userexample:/sbin/nologin

on a mail machine and:

    userexample:*:7777:7777::0:0:Test User:/home/userexample:/bin/csh

on a shell machine. I create an entry in the groups file. I use scripts
to do that for each user. Using that system I don't need NIS at all.

The only problem now is that there don't exist Kerberized clients for
all applications (Kerberized servers do exist for most things). For
instance all telnet sessions are secure but there is no plug-in (as far
as I know) that will Kerberize a Netscape Messenger session.

What I've done is patch IMAP so that it looks to Kerberos for
authentication as a client. This is less than ideal because the password
goes in the clear between Messenger and the IMAP server, but it does
centralize the password scheme.

To minimize the danger I associate a separate user entry for mail for
each user. In other words there would be a Kerberos principal (user)
called userexample to be used for telnet and FTP and another one called
userexample-imap. When the IMAP server sees an authentication call for
userexample it gathers the password and tries to authenticate
userexample-imap using that password.

It works fairly well but it would be nice if Netscape and Internet
Explorer would do Kerberos authentication.

In article <00f501bf8cac$832b9bc0$088ea8c0@island.net.au> you wrote:
> Hi All,
>
> whenever these discussions come up, invariably someone suggests the use of
> Kerberos. Have any ISPs implemented this solution across their servers?
> Have you used NIS to keep the passwords in sync? I would be most interested
> to hear what people have done in this area.
>
> Thanks,
>
> Hugh Blandford
>
> ----- Original Message -----
> From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
> To: "Mike" <mikey@kappaisle.com>
> Cc: <freebsd-questions@FreeBSD.ORG>; <freebsd-isp@FreeBSD.ORG>
> Sent: Monday, March 13, 2000 6:11 AM
> Subject: Re: Password distribution and authentication
>
>> On Sun, Mar 12, 2000 at 02:02:36PM -0500, Mike wrote:
>> > Hi everyone!
>> >
>> > Besides using NIS (which is rather an insecure way) for password/group
>> > file distribution around the servers on the network, is there any other
>> > way to accomplish a centralized or distributed password authentication
>> > task?
>> >
>> > Looking forward to hearing your replies!
>>
>> Kerberos.
>> --
>> Crist J. Clark cjclark@home.com
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-isp" in the body of the message
>>

--
Edward Elhauge <ee@uncanny.net>  | "War is like love;
Uncanny Inc., San Francisco      |  it always finds a way."
                                 |       -- Bertold Brecht
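
The account layout described in the message above, as an added example that is not part of the original e-mail or the author's own scripts: it generates the two kinds of password file entry, derives the separate mail-only principal name, and audits the result. The function names, the gid-equals-uid choice and the /home/USER path are assumptions.

```shell
#!/bin/sh
# Added example: per-user account entries of the shape shown in the message,
# plus an audit of the result. Function names are hypothetical.

# mkentry ROLE USER UID GECOS: print one password file line.
# Assumptions: gid equals uid (per-user group), home is /home/USER.
mkentry() {
    role=$1 user=$2 uid=$3 gecos=$4
    case $role in
        mail)  shell=/sbin/nologin ;;   # mail machine: no interactive login
        shell) shell=/bin/csh ;;        # shell machine
        *)     echo "unknown role: $role" >&2; return 1 ;;
    esac
    # A colon inside a field would shift every later field; refuse it.
    case "$user$gecos" in *:*) echo "colon in field" >&2; return 1 ;; esac
    case $uid in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;; esac
    # Password field is always "*": no local hash, Kerberos decides.
    printf '%s:*:%s:%s::0:0:%s:/home/%s:%s\n' \
        "$user" "$uid" "$uid" "$gecos" "$user" "$shell"
}

# imap_principal USER: name of the separate mail-only principal, so a
# password sniffed from a cleartext IMAP login is not the telnet/FTP one.
imap_principal() { printf '%s-imap\n' "$1"; }

# audit_entries ROLE: read entries on stdin, report problems, exit 1 on any.
audit_entries() {
    awk -F: -v role="$1" '
        NF != 10  { print $1 ": expected 10 fields, got " NF; bad = 1; next }
        $2 != "*" { print $1 ": local password field is not *"; bad = 1 }
        role == "mail" && $10 != "/sbin/nologin" {
                    print $1 ": login shell on mail machine"; bad = 1 }
        END       { exit bad + 0 }'
}

# Constructed sample run.
mkentry mail  userexample 7777 'Mail only' | audit_entries mail  && echo "mail entry ok"
mkentry shell userexample 7777 'Test User' | audit_entries shell && echo "shell entry ok"
echo "IMAP authenticates as: $(imap_principal userexample)"
```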
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200003130752.XAA25557>