From owner-freebsd-questions Tue Mar 26 12:34:19 1996
From: Darren Reed
Subject: Re: NIS and Kerberos interaction
To: owensc@enc.edu (Charles Owens)
Date: Wed, 27 Mar 1996 07:36:08 +1100 (EDT)
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: from "Charles Owens" at Mar 26, 96 09:34:55 am

In some mail from Charles Owens, sie said:
>
> I expect to begin playing with Kerberos soon and have some questions
> regarding how it relates to NIS. I'm currently using NIS to distribute
> password info between FreeBSD servers.
>
> o What of NIS's functions can be handled by Kerberos? What can't?

The passwd map, or more specifically, the passwd map password entries.
Everything else can't. Kerberos is about authentication, not providing
directory services.

> o Related to the above, if program X is used to using the system password
> database (which may or may not be NIS-based), how does Kerberos change
> the picture? With Kerberos present, will program X automagically
> access the Kerberos system, or is this functionality best
> achieved with some sort of NIS/Kerberos coexistence? (I've found
> a vague reference that hinted that this is what is necessary.)

Programs need to be Kerberos aware (i.e. use the GSS API) before they can
take advantage of its presence.

You need a new version of login (klogin), passwd (kpasswd) and all of
telnet, rsh, rlogin along with their daemons. These are usually packaged
as part of a standard kit to make your network safer.

> o In answering these issues, what things must I think about if I'm concerned
> with the prospect of scaling this system to 1000 users and beyond.
> (I'm quite serious about this!)

You may find that over a certain point, the hash tables used for Kerberos
are inefficient. In using a commercial product under Solaris, we had the
option of moving to what they call the "c-tree" release.

You may also want to set up a slave security server.

> o Are there any good, comprehensive books about Kerberos? I've found
> some papers, but they are mostly conceptual and don't get into
> the actual implementation details.

What version? Kerberos 4 & 5 are quite different, and you want to be
using 5 and not 4. I've found the RFC sufficiently detailed (RFC1510),
but there are errata waiting for a new RFC and the GSS API is documented
elsewhere.
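As an added example, not part of this thread or of any FreeBSD code: a small Python audit of the split Darren describes, where Kerberos takes over only the password field of each NIS passwd map entry and the remaining fields (uid, gid, gecos, home, shell) stay in NIS. Once the KDC is authoritative, the map should no longer carry crypt hashes, since every NIS client can read the whole passwd map; the map lines and locked-field markers below are constructed sample data.

```python
"""Audit a NIS passwd map after moving authentication to Kerberos."""
from dataclasses import dataclass

# Constructed sample passwd map (passwd(5) format), not from a real system.
SAMPLE_MAP = """\
alice:x1Ab9QzPq7Lm2:1001:100:Alice Example:/home/alice:/bin/sh
bob:*:1002:100:Bob Example:/home/bob:/bin/csh
carol:NP:1003:100:Carol Example:/home/carol:/bin/sh
dave::1004:100:Dave Example:/home/dave:/bin/sh
eve:$1$saltsalt$hashhashhashhashhashha:1005:100:Eve:/home/eve:/bin/sh
broken line without fields
"""

# Password-field values that carry no usable credential (assumed set of
# conventions; adjust for the platform's own locked-account marker).
LOCKED_MARKERS = {"*", "NP", "!", "*LK*"}
KERBEROS_PLACEHOLDER = "*"


@dataclass
class Finding:
    user: str
    status: str  # "hash", "empty", "locked" or "malformed"


def classify_password_field(field):
    """Decide whether a passwd-map password field still exposes a credential."""
    if field in LOCKED_MARKERS or field.startswith("!"):
        return "locked"      # nothing for NIS to leak; Kerberos holds the key
    if field == "":
        return "empty"       # passwordless login, worse than a hash
    return "hash"            # crypt hash still distributed by NIS


def audit_passwd_map(text):
    """Classify every entry of a passwd map; malformed lines are reported too."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, "malformed"))
            continue
        findings.append(Finding(fields[0], classify_password_field(fields[1])))
    return findings


def accounts_not_handed_to_kerberos(text):
    """Users whose authentication still lives in the NIS map, not the KDC."""
    return sorted(f.user for f in audit_passwd_map(text) if f.status in ("hash", "empty"))


def kerberized_entry(line):
    """Rewrite one entry so only the directory fields remain in NIS."""
    fields = line.split(":")
    fields[1] = KERBEROS_PLACEHOLDER
    return ":".join(fields)
```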