nis security

Tillman Hodgson tillman at seekingfire.com
Fri Sep 12 06:01:00 PDT 2003


On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > The rough instructions are fairly simple:
> > 
> > * Set up Kerberos and ensure you have a working realm
> > * Set up NIS, but set all the passwd fields to something that doesn't
> >   map to a real password (I like 'krb5', others like '*')
> > 
> > That's about it. It works because authentication in a Kerberized world
> > doesn't check the password field in the NIS maps anyway (or the
> > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > break for users that aren't local, but I consider the incentive to
> > replace them a benefit :-)
> 
> Do you have some links to websites or so that you used to set this up?

Not really. Kerberos and NIS are both in the Handbook, and as I
mentioned above I just changed the /var/yp/master.passwd that NIS was
working off of to have 'krb5' in the password field.

A quick bit of Google spelunking dug up some references but no
"HowTos". The RedHat Security Guide mentions it explicitly in the NIS
section, for example.

> I'm very interested in this setup, with the added complication that the
> clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> (5.0).

Normally NIS is a pain between different Unix implementations (due to
the different passwd designs such as DES vs. MD5). When using Kerberos
to handle the authentication, those problems go away. On the other
hand, you get to learn how to install NIS and Kerberos on multiple
operating systems :-)

-T


-- 
Some never participate.  Life happens to them.  They get by on little more than 
dumb persistence and resist with anger or violence all things that might lift 
them out of resentment-filled illusions of security.
	- Alma Mavis Taraza
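
Added example, not part of the original message: a check that a NIS source file in FreeBSD master.passwd format (such as the /var/yp/master.passwd mentioned above) carries only placeholder values in the password field, so no crackable hash is served through the NIS maps. The function names and the sample data are constructed for illustration; the allowed placeholders default to the 'krb5' and '*' values named in the message.

```shell
#!/bin/sh
# Constructed sample data (not from a real system), in FreeBSD
# master.passwd layout: 10 colon-separated fields
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
sample_master_passwd() {
cat <<'EOF'
# constructed sample NIS source file
alice:krb5:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
carol:$1$CONSTRUCTED$notarealhashvalue000000:1003:1003::0:0:Carol Example:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave Example:/home/dave:/bin/sh
erin:krb5:1005:1005
EOF
}

# audit_nis_passwd [placeholders]
# Reads master.passwd lines on stdin and prints "user<TAB>reason" for every
# entry whose password field is not one of the space-separated placeholders
# (default: "krb5 *"). Returns 1 if anything was reported, 0 otherwise.
audit_nis_passwd() {
    awk -F: -v allowed="${1:-krb5 *}" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        NF != 10 {                             # truncated or corrupted entry
            printf "%s\tmalformed entry (%d fields)\n", $1, NF
            bad++; next
        }
        $2 == "" {                             # empty field means no password
            printf "%s\tempty password field\n", $1
            bad++; next
        }
        !($2 in ok) {                          # anything else may be a hash
            printf "%s\tpassword field is not a placeholder\n", $1
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Demo on the constructed sample; on a real server feed it the NIS source
# file instead, e.g.  audit_nis_passwd < /var/yp/master.passwd
sample_master_passwd | audit_nis_passwd || true
```

Running the check before the maps are rebuilt catches entries that were added with a real hash after the initial conversion.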

