nis security

Tillman Hodgson tillman at seekingfire.com
Mon Sep 8 17:15:32 PDT 2003


On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:
> >> Does anyone know a solution for securing NIS, using ssh or encrypted
> >> tunnels  or anything... I am open to any new idea :)
> >
> > IPsec can fix the network sniffing problem, though Kerberos can do that
> > as well and comes with many other advantages.
> >
> > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > cat's pajamas :-)
> 
> 
> Hey Tilman,

s/l/ll/ :-)

> This sounds exactly like what we are looking for. Can you point us to any 
> docs explaining how you do this??

The rough instructions are fairly simple:

* Set up Kerberos and ensure you have a working realm
* Set up NIS, but set all the passwd fields to something that doesn't
  map to a real password (I like 'krb5', others like '*')

That's about it. It works because authentication in a Kerberized world
doesn't check the password field in the NIS maps anyway (or the
/etc/master.passwd file for that matter). Your non-Kerberos apps will
break for users that aren't local, but I consider the incentive to
replace them a benefit :-)

You can get fancy and make a nice little Makefile to do all kinds of
maintenance tasks for you (I'm just about finished tying in Mailman into
the central auth for the rospa.ca domain). You can try some of the
neater features of NIS (netgroups, etc) or fiddle with the config of
Kerberos (I like longer ticket lifetimes), but the basic "get it
working" stuff isn't complicated.

-T


-- 
When a person is confused, he sees east as west.
When he is enlightened, west itself is east.
	Ta-Hui
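The second step above (building NIS maps whose password fields carry a placeholder instead of a hash) is easy to do by hand once and easy to get wrong on every later rebuild. The script below is an added example, not code from the original post or from the rospa.ca setup it describes: it rewrites the password field of a master.passwd(5)-style source to 'krb5' (or whatever PLACEHOLDER is set to) and then checks that no crypt hash survived before the result is handed to the NIS map build. The sample accounts, the SAMPLE variable and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): strip password hashes out of a
# master.passwd-format file before it becomes an NIS map, as Tillman describes,
# and verify that nothing hash-like is left. Field layout assumed is FreeBSD
# master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell.

# Placeholder to write into the password field. 'krb5' or '*' both work, since
# a Kerberized login never consults this field anyway.
PLACEHOLDER="${PLACEHOLDER:-krb5}"

# scrub_passwd: read master.passwd lines on stdin, write them to stdout with
# field 2 replaced by the placeholder. Comment lines and lines that do not have
# the ten expected fields are passed through untouched so that a malformed
# source is visible in the output rather than silently rewritten.
scrub_passwd() {
    awk -F: -v ph="$PLACEHOLDER" '
        BEGIN { OFS = FS }
        /^#/ || NF < 10 { print; next }
        { $2 = ph; print }
    '
}

# count_hashes: print how many lines on stdin still carry something that looks
# like a real crypt(3) hash: a modular-crypt string starting with "$" (MD5,
# Blowfish, SHA) or a 13-character traditional DES hash. Zero is the only
# acceptable answer before the map is built.
count_hashes() {
    awk -F: '
        /^#/ || NF < 10 { next }
        $2 ~ /^\$/ || length($2) == 13 { n++ }
        END { print n + 0 }
    '
}

# SAMPLE: constructed master.passwd content for demonstration. The hashes are
# filler strings in the right shape, not hashes of any real password.
SAMPLE='# constructed sample, not a real master.passwd
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0::0:0:Charlie Root:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$aaaaaaaa$bbbbbbbbbbbbbbbbbbbbbb:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$2a$04$cccccccccccccccccccccc:1002:1002::0:0:Bob Example:/home/bob:/bin/sh'

# scrubbed_hash_count: run the sample through the scrubber and return the
# number of surviving hashes, so the check can be exercised as a function.
scrubbed_hash_count() {
    printf '%s\n' "$SAMPLE" | scrub_passwd | count_hashes
}

# Stand-alone demo: show the scrubbed map source and refuse to go further if a
# hash leaked through (which is where you would otherwise run the NIS build).
printf '%s\n' "$SAMPLE" | scrub_passwd
if [ "$(scrubbed_hash_count)" -ne 0 ]; then
    echo "hash survived scrubbing, not building NIS maps" >&2
    exit 1
fi
```

In practice you would feed the real source file to scrub_passwd, write the result to the file your NIS Makefile uses as the master.passwd source (the location is site-specific, so it is left as an assumption here), and gate the map build on count_hashes printing 0. Note that this only keeps hashes out of the maps; it does nothing for the sniffing problem, which is why the Kerberos side is the part that matters.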