unified authentication

Tillman Hodgson tillman at seekingfire.com
Wed Sep 24 18:18:09 PDT 2003


On Wed, Sep 24, 2003 at 03:56:56PM -0700, Jason Stone wrote:
> > > > 1.) Kerberos
> > >
> > > krb is nice, but the problem with it is that all of your applications need
> > > to be kerberized
> >
> > but isn't that true of any auth mechanism?
> 
> Other auth methods use more generic interfaces that already exist.
> 
> Many/most unix systems/applications are pam aware nowadays, which means
> that any auth system which already has pam modules can be dropped in
> without modifying the apps.  And nis is integrated into the libc, so that
> traditional manual authentication (eg, using getpwnam(3) and friends) will
> use nis transparently.

You can use PAM with Kerberos, though it's by no means necessary.

> Also, while kerberos is used for authentication, as far as I understand
> it, kerberos provide no means for distributing a username-to-uid map, so
> you would still have to use nis or something for that.  (Someone correct
> me if I'm way off here....)

That's correct. It does authentication, not authorization. It's a
feature - I can use NIS on my server, you can use LDAP on your server,
Bob can use /etc/passwd with disabled passwords on his server.

Flexible mapping schemes allow neat tricks like cross-realm trusts with
Active Directory and secondary user databases ("if not in NIS fall back
to corporate LDAP", etc).

> > > > 5.) NIS/NIS+
> > >
> > > NIS is at a bit of a disadvantage due to the unencrypted transport
> > > of information.  Although MD5 hashes in the passwd databases make
> > > passwords harder to crack, usernames and group memberships may still be
> > > retrieved with little difficulty
> 
> Well, it's worse than that - since the packets are not authenticated in
> any way, an active attacker doesn't need to crack passwords - he can just
> inject his own packets which can have crypted passwords that he knows.
>
> If you use ipsec and a well-known nis server (as opposed to the easy way
> of just using broadcast), then maybe nis isn't so weak.  And all os's and
> network gear support ipsec by now, right?

Which is why I use NIS with Kerberos - the passwords aren't in the NIS
maps and injected fake users won't be authenticated by Kerberos.

-T


-- 
The phrase "we (I) (you) simply must..." designates something that need
not be done.  "That goes without saying," is a red warning.  "Of
course..." means you had best check it yourself.  And if "everybody
knows" such-and-such, then it ain't so, by at least ten thousand to one.
	- Robert Heinlein
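The split Tillman describes (NIS carries only the username-to-uid map, Kerberos does the authenticating) only removes the sniffing and injection risk if the NIS passwd map really holds no password hashes. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh audit that reads passwd-format lines (as `ypcat passwd` prints them) and reports every entry whose password field is neither a disabled marker nor a placeholder. Which strings count as disabled markers (`*`, `x`, `!`, and anything beginning with `*` or `!`) is an assumption; adjust it to what your own tooling writes. The sample map at the bottom is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd-format map, such as the
# output of `ypcat passwd`, for entries that still carry a password hash.
# In the NIS-for-uid-map, Kerberos-for-authentication split, every password
# field in the NIS map should be a disabled marker, so a sniffed or injected
# map yields nothing crackable. Any other non-empty value is a real hash sent
# over the unencrypted NIS transport; an empty field is a passwordless account.

# Print "user:reason" for each entry whose password field is not disabled.
# Reads passwd-format lines (name:passwd:uid:gid:gecos:dir:shell) on stdin.
passwd_audit() {
    awk -F: '
        # Skip blank lines and comments.
        /^[ \t]*$/ || /^#/ { next }
        # An empty field means no password at all.
        $2 == "" { print $1 ":empty-password"; next }
        # Assumed disabled markers: "x", or anything beginning with "*" or "!"
        # (covers "*", "!", "!!", "*LK*", "*NP*").
        $2 ~ /^[*!]/ || $2 == "x" { next }
        # Everything else is treated as a stored hash.
        { print $1 ":hash-in-map" }
    '
}

# Number of offending entries; 0 means the map is clean.
passwd_audit_count() {
    passwd_audit | wc -l | tr -d ' '
}

# Constructed sample map for a stand-alone run (not real data).
SAMPLE_MAP='root:*:0:0:Charlie Root:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
dave:x:1004:1004:Dave:/home/dave:/bin/sh
# comment line
erin:*LK*:1005:1005:Erin:/home/erin:/bin/sh'

# Stand-alone run over the constructed sample: reports bob and carol.
printf '%s\n' "$SAMPLE_MAP" | passwd_audit
```

Against a live map the usage is `ypcat passwd | passwd_audit`; a non-zero `passwd_audit_count` from a cron job is a cheap way to notice when someone re-adds a hash to a map that is supposed to contain none. The check says nothing about the Kerberos side (that the accounts actually have principals in the realm and that the PAM stack authenticates through it), which has to be verified separately.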


More information about the freebsd-security mailing list