Date: Sun, 20 Apr 1997 12:26:06 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: abelits@phobos.illtel.denver.co.us (Alex Belits)
Cc: vinay@agni.nuko.com, freebsd-hackers@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: Need a common passwd file among machines
Message-ID: <199704201926.MAA08355@phaeton.artisoft.com>
In-Reply-To: <Pine.LNX.3.95.970419224831.834C-100000@phobos.illtel.denver.co.us> from "Alex Belits" at Apr 19, 97 11:05:18 pm
> P.S. Is there any existing thing or at least an idea of making one that
> does this thing nicer? NIS is based on the rather dumb idea that to
> authenticate a local user one will want to go to some server and ask him
> instead of the IMHO more sane approach of distributing authentication
> information from that server to always perform authentication locally and
> never depend on some host being accessible at the time of the user's login.

This is the design error of the X.500, NDS, and NT models for having credentials apply to the net instead of individual machines: How do I force synchronization with someone's desktop box if they turn it off and go home?

This is the same for all push-model authentication distribution services: it has a hard time working in the real world, and depends on silly ideas like "skulking" processes to push the data when they can. Meanwhile, between "skulks", the replicating tree has invalid information, and may win the "master election" for a client, and authenticate client credentials which are, in fact, "stale", and there's no way to stop it from happening.

This is, IMO, a much bigger security hole than those caused by NIS (assuming you don't misconfigure NIS and/or don't firewall the NIS ports to the net).

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
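The staleness window Terry describes, modelled as an added example (this is not code from the thread or from any of the systems named in it): a master pushes a copy of the credential database to a replica during a "skulk", a credential is revoked on the master afterwards, and a client whose "master election" lands on the replica is still authenticated against the old copy. The model also shows the usual defensive counterpart, a freshness bound that makes the replica fail closed when its copy is older than the operator is willing to trust. All names (`Replica`, `Master`, `skulk`, `elect`, `login`, the user `alice`) and the logical clock are assumptions of this model, and the SHA-256 password hash stands in for whatever a real system stores.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def pw_hash(password: str) -> str:
    # Toy stand-in for the stored credential; a real system uses a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Replica:
    name: str
    creds: dict = field(default_factory=dict)  # user -> password hash (copy pushed by master)
    synced_at: int = 0                         # logical clock value of the last skulk

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.creds.get(user)
        return stored is not None and hmac.compare_digest(stored, pw_hash(password))


class Master(Replica):
    """The authoritative copy; it pushes data to replicas only when it 'skulks'."""

    def __init__(self):
        super().__init__("master")
        self.replicas = []

    def set_password(self, user: str, password: str) -> None:
        self.creds[user] = pw_hash(password)

    def revoke(self, user: str) -> None:
        self.creds.pop(user, None)

    def skulk(self, now: int) -> None:
        # Push model: replicas only learn of changes when this runs.
        for r in self.replicas:
            r.creds = dict(self.creds)
            r.synced_at = now


def elect(candidates, reachable):
    """Client-side 'master election' in the model: the first reachable server wins."""
    for c in candidates:
        if reachable(c):
            return c
    return None


def login(candidates, reachable, user, password, now, max_age=None):
    """Authenticate against whichever server the client elected.

    With max_age=None the replica answers from its copy no matter how old it is
    (the hole in the post). With a bound, data older than max_age is refused:
    fail closed rather than accept a possibly revoked credential.
    """
    server = elect(candidates, reachable)
    if server is None:
        return False
    if max_age is not None and now - server.synced_at > max_age:
        return False
    return server.authenticate(user, password)


def scenario():
    master = Master()
    replica = Replica("desktop-replica")
    master.replicas.append(replica)

    master.set_password("alice", "hunter2")   # constructed sample credential
    master.skulk(now=0)                        # replica gets a copy at t=0
    master.revoke("alice")                     # revoked on master at t=1, no skulk yet

    only_replica = lambda s: s is replica      # master unreachable from the client
    servers = [master, replica]

    results = {
        # t=5, no freshness bound: stale copy still authenticates the revoked user
        "stale_login_accepted": login(servers, only_replica, "alice", "hunter2", now=5),
        # t=5, bound of 3 ticks: copy is 5 ticks old, so the replica refuses
        "stale_login_rejected": login(servers, only_replica, "alice", "hunter2", now=5, max_age=3),
    }

    master.set_password("bob", "correct horse")
    master.skulk(now=6)                        # next skulk carries the revocation through
    results["revoked_after_sync"] = login(servers, only_replica, "alice", "hunter2", now=6, max_age=3)
    results["fresh_login_accepted"] = login(servers, only_replica, "bob", "correct horse", now=6, max_age=3)
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The freshness bound does not remove the dependency on the master; it only turns a silent acceptance of stale credentials into a visible refusal, which is the trade-off the post is arguing about.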