From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Date: Mon, 8 Sep 2003 18:15:30 -0600
Subject: Re: nis security
Message-ID: <20030908181529.P11841@seekingfire.com>
In-Reply-To: <42065386.1063047726@[192.168.10.11]>

On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:
> >> Does anyone know a solution for securing NIS, using ssh or encrypted
> >> tunnels or anything... I am open to any new idea :)
> >
> > IPsec can fix the network sniffing problem, though Kerberos can do that
> > as well and comes with many other advantages.
> >
> > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > cat's pajamas :-)
>
> Hey Tilman,

s/l/ll/ :-)

> This sounds exactly like what we are looking for. Can you point us to any
> docs explaining how you do this??

The rough instructions are fairly simple:

* Set up Kerberos and ensure you have a working realm
* Set up NIS, but set all the passwd fields to something that doesn't map
  to a real password (I like 'krb5', others like '*')

That's about it. It works because authentication in a Kerberized world
doesn't check the password field in the NIS maps anyway (or the
/etc/master.passwd file for that matter). Your non-Kerberos apps will break
for users that aren't local, but I consider the incentive to replace them a
benefit :-)

You can get fancy and make a nice little Makefile to do all kinds of
maintenance tasks for you (I'm just about finished tying Mailman into the
central auth for the rospa.ca domain). You can try some of the neater
features of NIS (netgroups, etc) or fiddle with the config of Kerberos (I
like longer ticket lifetimes), but the basic "get it working" stuff isn't
complicated.

-T

--
When a person is confused, he sees east as west. When he is enlightened,
west itself is east.
    - Ta-Hui
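The second step above (publish NIS maps whose password field is a placeholder rather than a real hash) is easy to get wrong when accounts are added later, so here is an added example, not from the post or its author, of the two helpers a NIS Makefile could call: one that rewrites every password field to the placeholder, and one that audits a passwd-format file and fails if any entry still carries a real hash (or an empty field). The sample master.passwd content is constructed; the placeholders 'krb5' and '*' are the ones named in the post.

```shell
#!/bin/sh
# Helpers for a Kerberos-backed NIS setup: the NIS password map should carry
# nothing that maps to a real password, since Kerberos never consults it.

# Constructed sample input in master.passwd layout (field 2 is the hash).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real master.passwd
root:$1$constructed$notarealhashatallxxxxx:0:0::0:0:Root:/root:/bin/sh
alice:krb5:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$anotherfakehashvalue:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF

# audit_nis_passwd FILE
# Prints the name of every account whose password field is neither 'krb5'
# nor '*' (that covers real hashes and empty, passwordless fields).
# Exit status is 1 when any such account exists, so a Makefile target can
# refuse to push the map.
audit_nis_passwd() {
    awk -F: '
        /^#/ || NF < 2 { next }                          # comments, blanks
        $2 != "krb5" && $2 != "*" { print $1; bad = 1 }  # hash or empty
        END { exit bad }
    ' "$1"
}

# kerberize_passwd FILE PLACEHOLDER
# Emits FILE with every account's password field replaced by PLACEHOLDER;
# comment and blank lines pass through unchanged. This is what should feed
# the NIS map build, not the real master.passwd.
kerberize_passwd() {
    awk -F: -v OFS=: -v ph="$2" '
        /^#/ || NF < 2 { print; next }
        { $2 = ph; print }
    ' "$1"
}

# Usage: build a neutered copy, then confirm it contains nothing crackable.
CLEAN=$(mktemp)
kerberize_passwd "$SAMPLE" krb5 > "$CLEAN"
audit_nis_passwd "$SAMPLE" >/dev/null || echo "source still has real hashes; publish $CLEAN instead"
```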