From: Bruce Pea
To: Tillman Hodgson, freebsd-questions@freebsd.org
Date: Mon, 08 Sep 2003 19:02:06 -0500
Subject: Re: nis security

--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson wrote:

> On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
>> I'm building a new network for my company.
>
> Right on!
>
>> I need centralized authentication and looked at LDAP to achieve
>> this.
>
> It's a good thing you're designing this /now/ rather than trying to
> graft it on later. It's not as simple as it seems.
>
>> Unfortunately, there are 2 points that make me wonder about the good
>> use of it: 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for
>> production use 2. I really don't feel confident with LDAP
>
> For many networks LDAP can be overkill.
>
>> So, I was thinking about using NIS instead, with which I feel much
>> more confident. I understand it is really not secure, so I was
>> looking for more information on this: why is it insecure, does it
>> send passwords in clear text?
>
> No, but it sends them in an easily broken format. It's exactly the same
> situation as a DES /etc/passwd file in the days before
> master.passwd/shadow passwd files. This can be fixed by combining NIS
> with Kerberos.
>
> Another large problem is that clients used to "broadcast" for NIS
> servers and trust the first server to answer. This can be fixed by
> telling the clients to contact only specific servers for NIS
> information.
>
>> ?
>> Does anyone know a solution for securing NIS, using ssh or encrypted
>> tunnels or anything... I am open to any new idea :)
>
> IPsec can fix the network sniffing problem, though Kerberos can do that
> as well and comes with many other advantages.
>
> I'm a bit biased, however: I use NIS with Kerberos and think it's the
> cat's pajamas :-)

Hey Tillman,

This sounds exactly like what we are looking for. Can you point us to any docs explaining how you do this?

Thanks - Bruce
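The second fix Tillman mentions, pinning clients to specific NIS servers instead of broadcasting, is a one-line change on FreeBSD. The rc.conf fragment below is an added example and is not part of the original thread or the poster's configuration; the domain name `example.nis` and the hosts `nis1.example.com` / `nis2.example.com` are placeholders. It relies on two ypbind(8) flags: `-S domainname,server1,server2,...` locks ypbind to the named domain and servers, and `-s` makes it refuse any server not answering from a privileged (root-only) port.

```sh
# /etc/rc.conf fragment for a FreeBSD NIS client.
# Added example, not from the original thread; "example.nis" and the
# nis*.example.com hostnames are placeholders.

nisdomainname="example.nis"
nis_client_enable="YES"

# Weak default: with empty flags ypbind broadcasts on the local network
# and binds to whichever host answers first, so any machine that can
# answer the broadcast can hand out a passwd map of its choosing.
#nis_client_flags=""

# Hardened: -S pins ypbind to this domain and only these servers;
# -s rejects any server that does not answer from a privileged port.
# The hostnames must resolve without NIS (put them in /etc/hosts),
# since ypbind starts before any NIS map is reachable.
nis_client_flags="-s -S example.nis,nis1.example.com,nis2.example.com"
```

Two caveats. First, `-S` and `-s` identify a server by its address and source port, not by any cryptographic credential, so this stops a casual rogue server on the segment but not an attacker who can spoof the pinned server's address; the Kerberos and IPsec points in the thread are what address that. Second, it does nothing about the crackable hashes in the passwd map that Tillman's first point is about. On the server side, FreeBSD's ypserv(8) reads /var/yp/securenets (one `network netmask` pair per line) to limit which clients it will answer, which complements the client-side pinning but has the same non-cryptographic limitation.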