From owner-freebsd-hackers Sun Apr 20 12:29:05 1997
From: Terry Lambert
Message-Id: <199704201926.MAA08355@phaeton.artisoft.com>
Subject: Re: Need a common passwd file among machines
To: abelits@phobos.illtel.denver.co.us (Alex Belits)
Date: Sun, 20 Apr 1997 12:26:06 -0700 (MST)
Cc: vinay@agni.nuko.com, freebsd-hackers@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
In-Reply-To: from "Alex Belits" at Apr 19, 97 11:05:18 pm

> P.S. Is there any existing thing or at least an idea of making one that
> does this thing nicer? NIS is based on rather dumb idea that to
> authenticate local user one will want to go to some server and ask him
> instead of IMHO more sane approach of distributing authentication
> information from that server to always perform authentication locally and
> never depend on some host being accessible at the time of user's login.

This is the design error of the X.500, NDS, and NT models for having
credentials apply to the net instead of individual machines: How do I
force synchronization with someone's desktop box if they turn it off
and go home?

This is the same for all push-model authentication distribution
services: it has a hard time working in the real world, and depends on
silly ideas like "skulking" processes to push the data when they can.

Meanwhile, between "skulks", the replicating tree has invalid
information, and may win the "master election" for a client, and
authenticate client credentials which are, in fact, "stale", and
there's no way to stop it from happening.

This is, IMO, a much bigger security hole than those caused by NIS
(assuming you don't misconfigure NIS and/or don't firewall the NIS
ports to the net).

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
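The stale-replica failure mode Terry describes, as an added example that is not code from the thread or from FreeBSD, NIS, NDS or any real directory product. It models a master credential database, a push-model replica that only learns of changes when a "skulk" reaches it, and a pull-model check against the master. The account is disabled at the master while the replica's host is switched off; when the host comes back, the replica's naive check still accepts the revoked password. The `max_staleness` policy, the PBKDF2 hashing and the version counter are assumptions added here to show the bounded-staleness check a practitioner would want on any locally cached credential store.

```python
"""Added example (not from the FreeBSD thread): stale push-model replica vs.
pull-model lookup against the master. The skulk interval, the max-staleness
policy and the hash construction are assumptions made for illustration."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 as a stand-in for whatever the real passwd file would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Entry:
    salt: bytes
    digest: bytes
    disabled: bool = False


def _verify(entries: dict, user: str, password: str) -> bool:
    """Constant-time comparison; disabled or unknown users always fail."""
    e = entries.get(user)
    if e is None or e.disabled:
        return False
    return hmac.compare_digest(e.digest, hash_password(password, e.salt))


@dataclass
class Master:
    """Authoritative credential database. Every change bumps the version."""
    entries: dict = field(default_factory=dict)
    version: int = 0

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[user] = Entry(salt, hash_password(password, salt))
        self.version += 1

    def disable(self, user: str) -> None:
        self.entries[user].disabled = True
        self.version += 1

    def check(self, user: str, password: str) -> bool:
        # Pull model: the client asks the master at login time.
        return _verify(self.entries, user, password)


@dataclass
class Replica:
    """Push-model copy that only changes when a 'skulk' reaches this host."""
    entries: dict = field(default_factory=dict)
    version: int = -1
    synced_at: float = 0.0

    def receive_skulk(self, master: Master, now: float) -> None:
        self.entries = {u: Entry(e.salt, e.digest, e.disabled)
                        for u, e in master.entries.items()}
        self.version = master.version
        self.synced_at = now

    def check_naive(self, user: str, password: str) -> bool:
        # Trusts whatever copy it has, however old: the hole in the text.
        return _verify(self.entries, user, password)

    def check_bounded(self, user: str, password: str,
                      now: float, max_staleness: float) -> bool:
        # Fail closed if the local copy is older than policy allows.
        if now - self.synced_at > max_staleness:
            return False
        return _verify(self.entries, user, password)


def scenario() -> tuple:
    """Returns (naive replica accepts, bounded replica accepts, master accepts)
    for a password revoked at the master while the replica host was off."""
    master = Master()
    replica = Replica()
    master.set_password("alice", "old-secret")   # constructed sample account
    replica.receive_skulk(master, now=0.0)       # last skulk before shutdown
    master.disable("alice")                      # revoked at the master, t=0
    now = 3600.0                                 # desktop powered back on
    naive = replica.check_naive("alice", "old-secret")
    bounded = replica.check_bounded("alice", "old-secret", now, max_staleness=600)
    authoritative = master.check("alice", "old-secret")
    return naive, bounded, authoritative


if __name__ == "__main__":
    print(scenario())
```

The bounded check does not make the replica correct, only honest: past `max_staleness` it refuses rather than guessing, which trades Alex's "never depend on some host being accessible" for not accepting a credential the master has already revoked.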