nis security (DES passwords)

Guy Van Sanden n.b at myrealbox.com
Sat Sep 13 08:01:35 PDT 2003


I was looking around for this, and I found that Kerberos uses DES
encryption, John (on my system) reports it rather weak:

Benchmarking: Standard DES [24/32 4K]... DONE
Many salts:     151603 c/s real, 169200 c/s virtual
Only one salt:  152806 c/s real, 155607 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     5750 c/s real, 5940 c/s virtual
Only one salt:  5630 c/s real, 5721 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  143462 c/s real, 153271 c/s virtual
Long:   377600 c/s real, 394979 c/s virtual

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw:    1080115 c/s real, 1125120 c/s virtual

I'm now using MD5 passwords in NIS.

Yet it seems the consensus that Kerberos is secure, am I missing
something?

On Fri, 2003-09-12 at 15:00, Tillman Hodgson wrote:
> On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> > On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > > The rough instructions are fairly simple:
> > > 
> > > * Set up Kerberos and ensure you have a working realm
> > > * Set up NIS, but set all the passwd fields to something that doesn't
> > >   map to a real password (I like 'krb5', others like '*')
> > > 
> > > That's about it. It works because authentication in a Kerberized world
> > > doesn't check the password field in the NIS maps anyway (or the
> > > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > > break for users that aren't local, but I consider the incentive to
> > > replace them a benefit :-)
> > 
> > Do you have some links to websites or so that you used to set this up?
> 
> Not really. Kerberos and NIS are both in the Handbook, and as I
> mentioned above I just changed the /var/yp/master.passwd that NIS was
> working off of to have 'krb5' in the password field.
> 
> A quick bit of Google spelunking dug up some references but no
> "HowTos". The RedHat Security Guide mentions it explicitly in the NIS
> section, for example.
> 
> > I'm very interested in this setup, with the added complication that the
> > clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> > (5.0).
> 
> Normally NIS is a pain between different Unix implementations (due to
> the different passwd designs such as DES vs. MD5). When using Kerberos
> to handle the authentication, those problems go away. On the other
> hand, you get to learn how to install NIS and Kerberos on multiple
> operating systems :-)
> 
> -T
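As an added example that is not part of this thread: the John figures above measure how fast each crypt(3)-style password hash can be guessed offline, which is a separate question from the strength of DES as the cipher protecting Kerberos tickets. The script below parses those benchmark lines (embedded as constructed sample input copied from the post) and turns them into a per-format slowdown relative to traditional DES crypt plus a worst-case exhaustive-search time for a chosen keyspace; the keyspace used in the usage line is an assumption.

```python
import re

# Constructed sample input: the John the Ripper benchmark lines quoted in the post.
BENCHMARK = """\
Benchmarking: Standard DES [24/32 4K]... DONE
Many salts:     151603 c/s real, 169200 c/s virtual
Only one salt:  152806 c/s real, 155607 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  143462 c/s real, 153271 c/s virtual
Long:   377600 c/s real, 394979 c/s virtual
"""

HEADER = re.compile(r"^Benchmarking:\s+(.+?)\s+\[[^\]]*\]\.\.\.\s*DONE$")
RATE = re.compile(r"^(Many salts|Only one salt|Raw|Short|Long):\s+(\d+) c/s real")
# One figure per format: the rate for attacking a single account's hash.
SINGLE_HASH = {"Only one salt", "Raw", "Short"}

def parse_benchmark(text):
    """Map each hash format to its real single-hash rate in candidates/second."""
    rates, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = RATE.match(line.strip())
        if m and current and m.group(1) in SINGLE_HASH:
            rates[current] = int(m.group(2))
    return rates

def slowdown_vs(rates, baseline="Standard DES"):
    """How many times more work each format costs a guesser than the baseline."""
    return {fmt: rates[baseline] / r for fmt, r in rates.items()}

def hours_to_exhaust(rate, alphabet_size, length):
    """Worst-case time to try every password of the given alphabet and length."""
    return alphabet_size ** length / rate / 3600

if __name__ == "__main__":
    rates = parse_benchmark(BENCHMARK)
    for fmt, factor in sorted(slowdown_vs(rates).items(), key=lambda kv: kv[1]):
        print(f"{fmt:24s} {rates[fmt]:>7d} c/s  x{factor:7.1f} vs DES crypt  "
              f"8 lowercase letters: {hours_to_exhaust(rates[fmt], 26, 8):.0f} h")
```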



More information about the freebsd-questions mailing list