Date:      Wed, 27 Mar 1996 07:36:08 +1100 (EDT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        owensc@enc.edu (Charles Owens)
Cc:        freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: NIS and Kerberos interaction
Message-ID:  <199603262034.MAA14432@freefall.freebsd.org>
In-Reply-To: <Pine.BSF.3.91.960326085908.19393E-100000@itsdsv1.enc.edu> from "Charles Owens" at Mar 26, 96 09:34:55 am

In some mail from Charles Owens, sie said:
> 
> I expect to begin playing with Kerberos soon and have some questions 
> regarding how it relates to NIS.  I'm currently using NIS to distribute 
> password info between FreeBSD servers.
> 
> o What of NIS's functions can be handled by Kerberos?  What can't?

The passwd map, or more specifically, the passwd map password entries.
Everything else can't.  Kerberos is about authentication, not providing
directory services.

> o Related to the above, if program X is used to using the system password 
> 	database (which may or may not be NIS-based), how does Kerberos change 
> 	the picture?  With Kerberos present, will program X automagically
> 	access the Kerberos system, or is this functionality best 
> 	achieved with some sort of NIS/Kerberos coexistence?  (I've found
> 	a vague reference that hinted that this is what is necessary.)

Programs need to be Kerberos aware (i.e. use the GSS API) before they can
take advantage of its presence.  You need a new version of login (klogin),
passwd (kpasswd) and all of telnet, rsh, rlogin along with their daemons.
These are usually packaged as part of a standard kit to make your network
safer.

> o In answering these issues, what things must I think about if I'm concerned
> 	with the prospect of scaling this system to 1000 users and beyond.
> 	(I'm quite serious about this!)

You may find that over a certain point, the hash tables used for Kerberos
are inefficient.  In using a commercial product under Solaris, we had the
option of moving to what they call the "c-tree" release.

You may also want to set up a slave security server.

> o Are there any good, comprehensive books about Kerberos?  I've found
> 	some papers, but they are mostly conceptual and don't get into
> 	the actual implementation details.

What version?  Kerberos 4 & 5 are quite different, and you want to be
using 5 and not 4.  I've found the RFC sufficiently detailed (RFC1510),
but there are errata waiting for a new RFC and the GSS API is documented
elsewhere.



