Date: Mon, 08 Sep 2003 19:02:06 -0500
From: Bruce Pea <pea@andrewpea.com>
To: Tillman Hodgson <tillman@seekingfire.com>, freebsd-questions@freebsd.org
Subject: Re: nis security
Message-ID: <42065386.1063047726@[192.168.10.11]>
In-Reply-To: <20030908161045.C11841@seekingfire.com>
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com>
--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson <tillman@seekingfire.com> wrote:

> On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
>> I'm building a new network for my company.
>
> Right on!
>
>> I need centralized authentication and looked after LDAP to achieve
>> this.
>
> It's a good thing you're designing this /now/ rather than trying to
> graft it on later. It's not as simple as it seems.
>
>> Unfortunately, there are 2 points that make me wonder the good use of
>> it:
>> 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for
>> production use
>> 2. I really don't feel confident with LDAP
>
> For many networks LDAP can be overkill.
>
>> So, I was thinking about using NIS instead, with which I feel much
>> more confident. I understand it is really not secure, so I was
>> looking about more information on this: why is it unsecure, does it
>> send password in clear text?
>
> No, but it sends them in an easily broken format. It's exactly the same
> situation as a DES /etc/passwd file in the days before
> master.passwd/shadow passwd files. This can be fixed by combining NIS
> with Kerberos.
>
> Another large problem is that clients used to "broadcast" for NIS
> servers and trust the first server to answer. This can be fixed by
> telling the clients to contact only specific servers for NIS
> information.
>
>> ?
>> Does anyone know a solution for securing NIS, using ssh or encrypted
>> tunnels or anything... I am open to any new idea :)
>
> IPsec can fix the network sniffing problem, though Kerberos can do that
> as well and comes with many other advantages.
>
> I'm a bit biased, however: I use NIS with Kerberos and think it's the
> cat's pajamas :-)

Hey Tillman,

This sounds exactly like what we are looking for. Can you point us to any docs explaining how you do this??

Thanks - Bruce
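
The quoted fix for the broadcast problem (clients contacting only specific NIS servers) can be checked on a client from its rc.conf. The script below is an added example, not part of the original thread: it assumes FreeBSD's `nis_client_enable` and `nis_client_flags` rc.conf variables and ypbind's `-S domain,server,...` option, and the function names, domain and addresses are constructed for illustration.

```shell
#!/bin/sh
# Print the last value assigned to rc.conf variable $2 in file $1
# (rc.conf is sourced by sh, so the last assignment wins).
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify how ypbind will find its server for the rc.conf-style file $1:
#   disabled | broadcast | pinned:<server list>
ypbind_mode() {
    enable=$(rc_value "$1" nis_client_enable)
    flags=$(rc_value "$1" nis_client_flags)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "disabled"; return 0 ;;
    esac
    servers=""
    set -- $flags                        # word-split the flag string
    while [ $# -gt 0 ]; do
        arg=""
        case "$1" in
            -S)   arg=${2:-} ;;          # "-S domain,server1,..."
            -S?*) arg=${1#-S} ;;         # "-Sdomain,server1,..."
        esac
        case "$arg" in
            *,?*) servers=${arg#*,} ;;   # drop the leading domain name
        esac
        shift
    done
    # Without a -S server list, ypbind accepts whichever server answers first.
    if [ -n "$servers" ]; then echo "pinned:$servers"; else echo "broadcast"; fi
}

# Constructed sample rc.conf fragments (hypothetical domain and addresses).
demo_dir=$(mktemp -d)
cat > "$demo_dir/broadcast.conf" <<'EOF'
nisdomainname="example.test"
nis_client_enable="YES"
EOF
cat > "$demo_dir/pinned.conf" <<'EOF'
nisdomainname="example.test"
nis_client_enable="YES"
nis_client_flags="-s -S example.test,192.0.2.10,192.0.2.11"   # constructed
EOF
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(ypbind_mode "$f")"
done
```

A result of `broadcast` means the client will still trust the first NIS server that answers on the local network.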