Date:      Sun, 20 Apr 1997 12:26:06 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        abelits@phobos.illtel.denver.co.us (Alex Belits)
Cc:        vinay@agni.nuko.com, freebsd-hackers@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: Need a common passwd file among machines
Message-ID:  <199704201926.MAA08355@phaeton.artisoft.com>
In-Reply-To: <Pine.LNX.3.95.970419224831.834C-100000@phobos.illtel.denver.co.us> from "Alex Belits" at Apr 19, 97 11:05:18 pm

> P.S. Is there any existing thing or at least an idea of making one that
> does this thing nicer? NIS is based on rather dumb idea that to
> authenticate local user one will want to go to some server and ask him
> instead of IMHO more sane approach of distributing authentication
> information from that server to always perform authentication locally and
> never depend on some host being accessible at the time of user's login.

This is the design error of the X.500, NDS, and NT models for
having credentials apply to the net instead of individual machines:

How do I force synchronization with someone's desktop box if they
turn it off and go home?

This is the same for all push-model authentication distribution
services: it has a hard time working in the real world, and depends
on silly ideas like "skulking" processes to push the data when they
can.

Meanwhile, between "skulks", the replicating tree has invalid
information, and may win the "master election" for a client, and
authenticate client credentials which are, in fact, "stale", and
there's no way to stop it from happening.

This is, IMO, a much bigger security hole than those caused by
NIS (assuming you don't misconfigure NIS and/or don't firewall
the NIS ports to the net).


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
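
The stale-credential window described in the message above, as a small model added here (it is not part of the original post). The class names, the `alice` account and the two-replica layout are constructed for illustration, and SHA-256 stands in for a real password hash.

```python
# Constructed model of push-style credential replication; every name is hypothetical.
import hashlib

def digest(password):
    return hashlib.sha256(password.encode()).hexdigest()  # stand-in for a real hash

class Replica:
    def __init__(self, name):
        self.name, self.online = name, True
        self.db, self.version = {}, 0   # user -> digest, last master version seen

    def authenticate(self, user, password):
        # Purely local decision: the replica cannot know its copy is out of date.
        return self.db.get(user) == digest(password)

class Master:
    def __init__(self, replicas):
        self.db, self.version, self.replicas = {}, 0, replicas

    def set_password(self, user, password):
        self.db[user] = digest(password)
        self.version += 1

    def disable(self, user):
        self.db.pop(user, None)
        self.version += 1

    def skulk(self):
        """Push the database to every reachable replica; return the names missed."""
        missed = []
        for r in self.replicas:
            if r.online:
                r.db, r.version = dict(self.db), self.version
            else:
                missed.append(r.name)
        return missed

def run_scenario():
    desktop, server = Replica("desktop"), Replica("server")
    master = Master([desktop, server])
    master.set_password("alice", "old-secret")
    master.skulk()                  # both replicas are current
    desktop.online = False          # owner turns the box off and goes home
    master.disable("alice")         # account revoked at the master
    missed = master.skulk()         # the push cannot reach the desktop
    desktop.online = True           # back on before the next skulk
    stale = [r.name for r in master.replicas if r.version < master.version]
    return (missed, stale, server.authenticate("alice", "old-secret"),
            desktop.authenticate("alice", "old-secret"))
```

`run_scenario()` returns the replicas the push missed, the replicas still behind the master, and whether the server and the desktop accept the revoked password.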


