Date: Mon, 8 Sep 2003 18:15:30 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: nis security
Message-ID: <20030908181529.P11841@seekingfire.com>
In-Reply-To: <42065386.1063047726@[192.168.10.11]>; from pea@andrewpea.com on Mon, Sep 08, 2003 at 07:02:06PM -0500
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com> <42065386.1063047726@[192.168.10.11]>

On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:
> >> Does anyone know a solution for securing NIS, using ssh or encrypted
> >> tunnels or anything... I am open to any new idea :)
> >
> > IPsec can fix the network sniffing problem, though Kerberos can do that
> > as well and comes with many other advantages.
> >
> > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > cats pajamas :-)
> >
> Hey Tilman,

s/l/ll/ :-)

> This sounds exactly like what we are looking for. Can you point us to any
> docs explaining how you do this??

The rough instructions are fairly simple:

* Set up Kerberos and ensure you have a working realm
* Set up NIS, but set all the passwd fields to something that doesn't
  map to a real password (I like 'krb5', others like '*')

That's about it. It works because authentication in a Kerberized world
doesn't check the password field in the NIS maps anyway (or the
/etc/master.passwd file for that matter). Your non-Kerberos apps will
break for users that aren't local, but I consider the incentive to
replace them a benefit :-)

You can get fancy and make a nice little Makefile to do all kinds of
maintenance tasks for you (I'm just about finished tying in Mailman into
the central auth for the rospa.ca domain). You can try some of the
neater features of NIS (netgroups, etc) or fiddle with the config of
Kerberos (I like longer ticket lifetimes), but the basic "get it
working" stuff isn't complicated.

-T

--
When a person is confused, he sees east as west. When he is enlightened,
west itself is east.
    Ta-Hui
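
Added example, not part of the original message: a small audit for the second step above, listing any passwd-format entry whose password field still holds something other than a placeholder. The function names, the sample map and the placeholder list ('krb5' and '*', the two values the message mentions) are assumptions of this example; on a live system the input would typically come from `ypcat passwd` or the NIS source file.

```shell
#!/bin/sh
# Added example: find NIS passwd entries that still expose a password field.

# Values treated as "no real password" (space-separated, from the message).
PLACEHOLDERS='krb5 *'

# audit_passwd: reads passwd(5) (7 fields) or master.passwd(5) (10 fields)
# lines on stdin; prints "user<TAB>reason" for every non-placeholder entry.
audit_passwd() {
    awk -F: -v ph="$PLACEHOLDERS" '
        BEGIN { n = split(ph, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*(#|$)/      { next }   # comments and blank lines
        $1 ~ /^[+-]/        { next }   # NIS compat include/exclude lines
        NF != 7 && NF != 10 { printf "%s\tmalformed (%d fields)\n", $1, NF; next }
        ($2 in ok)          { next }   # placeholder: nothing to sniff
        $2 == ""            { printf "%s\tempty password field\n", $1; next }
        $2 ~ /^\$/          { printf "%s\tcrypt hash present\n", $1; next }
                            { printf "%s\tnon-placeholder value\n", $1 }
    '
}

# Constructed sample map (not real accounts or hashes).
sample_map() {
    cat <<'EOF'
# master.passwd layout
alice:krb5:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
carol:$2b$04$CONSTRUCTEDNOTAREALHASH:1003:1003::0:0:Carol Example:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave Example:/home/dave:/bin/sh
erin:krb5:1005:1005:Erin Example:/home/erin:/bin/sh
+:::::::::
EOF
}

sample_map | audit_passwd
```

Any line it prints is an account whose password field would still travel in the NIS map in a usable or crackable form.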