Date: Sun, 20 Apr 1997 12:49:38 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: kpneal@pobox.com (Kevin P. Neal)
Cc: abelits@phobos.illtel.denver.co.us, vinay@agni.nuko.com, freebsd-hackers@freebsd.org, freebsd-isp@freebsd.org
Subject: Re: Need a common passwd file among machines
Message-ID: <199704201949.MAA08423@phaeton.artisoft.com>
In-Reply-To: <1.5.4.32.19970420072729.00975ec4@mindspring.com> from "Kevin P. Neal" at Apr 20, 97 03:27:29 am

> At NCSU they use Hesiod+Kerberos to handle logins. This way they don't have
> to keep I don't know how many hundred or thousand machines /etc/passwd files
> current.
>
> Also, they don't have passwords going on the wire in the clear -- the
> passwords are handled in a safe manner by Kerberos. Along with this is
> the fact that passwords are *never* stored on client machines -- a
> security bonus.
>
> This is much saner than distributing /etc/passwd files everywhere, IMHO.

I didn't mention Hesiod because I didn't know if it was supported on
all the platforms he has (some of them must be old if they do not have
shadowing).

I also didn't mention Hesiod because it's a *huge* step to take.

Finally, he's already in a "vouchsafe" environment because of the NFS
credentials ...unless they are using Kerberos tickets for the NFS as
well, and that's even *less* likely to be able to be universally
supported.

I can replace user space authentication mechanisms with a lot of pain,
but replacing kernel proxy authentication for a system (and probably
replacing their NFS as well) is a step I wouldn't tell anyone to take.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.