From owner-freebsd-hackers Sun Apr 20 12:52:40 1997
From: Terry Lambert
Message-Id: <199704201949.MAA08423@phaeton.artisoft.com>
Subject: Re: Need a common passwd file among machines
To: kpneal@pobox.com (Kevin P. Neal)
Date: Sun, 20 Apr 1997 12:49:38 -0700 (MST)
Cc: abelits@phobos.illtel.denver.co.us, vinay@agni.nuko.com, freebsd-hackers@freebsd.org, freebsd-isp@freebsd.org
In-Reply-To: <1.5.4.32.19970420072729.00975ec4@mindspring.com> from "Kevin P. Neal" at Apr 20, 97 03:27:29 am

> At NCSU they use Hesiod+Kerberos to handle logins. This way they don't have
> to keep I don't know how many hundred or thousand machines' /etc/passwd files
> current.
>
> Also, they don't have passwords going on the wire in the clear -- the
> passwords are handled in a safe manner by Kerberos. Along with this is
> the fact that passwords are *never* stored on client machines -- a
> security bonus.
>
> This is much saner than distributing /etc/passwd files everywhere, IMHO.

I didn't mention Hesiod because I didn't know if it was supported on all the
platforms he has (some of them must be old if they do not have shadowing).
I also didn't mention Hesiod because it's a *huge* step to take.
Finally, he's already in a "vouchsafe" environment because of the NFS
credentials ... unless they are using Kerberos tickets for the NFS as well,
and that's even *less* likely to be able to be universally supported.

I can replace user space authentication mechanisms with a lot of pain, but
replacing kernel proxy authentication for a system (and probably replacing
their NFS as well) is a step I wouldn't tell anyone to take.

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
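The Hesiod+Kerberos arrangement Kevin describes works because the passwd entry a client fetches carries no password at all; the hash never leaves the KDC, and Hesiod only hands out the account metadata. The following is an added example, not code from the post or from the Hesiod or FreeBSD projects: a minimal Hesiod-style passwd lookup over a constructed in-memory "zone", plus the check an operator would want to run on such a zone, namely that no record has had a real hash published in its password field (Hesiod answers travel over ordinary, unauthenticated DNS, so anything in that field is readable by whoever can query the name server). The domain `example.com`, the user records and the fake hash are all made up for the example; a real client would issue the TXT queries through the resolver.

```python
"""Added example (not from the mailing-list post): how a Hesiod client resolves a
passwd entry, and a check that the published records carry no password hashes.

Hesiod publishes passwd(5)-format lines as DNS TXT records under names of the
form <name>.<type>.<lhs>.<rhs>. The domain and the records in ZONE_TXT below are
constructed for this example; a real client would query the resolver.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HS_LHS = "ns"            # Hesiod left-hand side (the conventional default)
HS_RHS = "example.com"   # assumed right-hand side; not a domain from the post

# Constructed stand-in for the DNS zone: query name -> list of TXT record strings.
ZONE_TXT: Dict[str, List[str]] = {
    "jdoe.passwd.ns.example.com": ["jdoe:*:1001:100:Jane Doe:/home/jdoe:/bin/sh"],
    "1001.uid.ns.example.com":    ["jdoe:*:1001:100:Jane Doe:/home/jdoe:/bin/sh"],
    # Misconfigured record: a (made-up) hash published instead of a placeholder.
    "bob.passwd.ns.example.com":  ["bob:$1$saltsalt$0123456789abcdefghijkl:1002:100:Bob:/home/bob:/bin/sh"],
}

# Password-field values meaning "authenticate elsewhere" (Kerberos, in this setup).
PLACEHOLDERS = {"*", "x"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def hesiod_name(name: str, hs_type: str) -> str:
    """Build the DNS name a Hesiod client queries for <name> of <hs_type>."""
    return f"{name}.{hs_type}.{HS_LHS}.{HS_RHS}"


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5)-format record; reject anything that is not seven fields."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd record: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", name):
        raise ValueError(f"bad user name in record: {name!r}")
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def lookup(name: str, hs_type: str,
           zone: Dict[str, List[str]] = ZONE_TXT) -> Optional[PasswdEntry]:
    """Resolve an entry by user name (type 'passwd') or numeric uid (type 'uid')."""
    records = zone.get(hesiod_name(name, hs_type))
    if not records:
        return None
    return parse_passwd_line(records[0])


def has_placeholder_password(entry: PasswdEntry) -> bool:
    """True when the record defers authentication instead of carrying a hash."""
    return entry.passwd in PLACEHOLDERS


def audit_zone(zone: Dict[str, List[str]] = ZONE_TXT) -> List[str]:
    """Return query names of passwd/uid records whose password field is not a placeholder.

    A hash here is exposed to anyone who can ask the name server, so the scheme is
    only sound when every record defers to Kerberos.
    """
    exposed: List[str] = []
    for qname, records in sorted(zone.items()):
        hs_type = qname.split(".")[1]
        if hs_type not in ("passwd", "uid"):
            continue
        for rec in records:
            if not has_placeholder_password(parse_passwd_line(rec)):
                exposed.append(qname)
                break
    return exposed


if __name__ == "__main__":
    print(lookup("jdoe", "passwd"))
    print(lookup("1001", "uid"))
    print("records exposing password material:", audit_zone())
```

The `uid` record type is the reverse lookup (numeric uid to entry) that a `getpwuid()` backed by Hesiod would use; both types share the same seven-field line format, which is why one parser serves both. The audit deliberately treats an empty password field as exposed as well, since "no password required" is no better than a leaked hash on a record that anyone can fetch.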