unified authentication

Jason Stone freebsd-security at dfmm.org
Wed Sep 24 15:56:58 PDT 2003



> > > 1.) Kerberos
> >
> > krb is nice, but the problem with it is that all of your applications need
> > to be kerberized
>
> but isn't that true of any auth mechanism?

Other auth methods use more generic interfaces that already exist.

Many/most unix systems/applications are pam aware nowadays, which means
that any auth system which already has pam modules can be dropped in
without modifying the apps.  And nis is integrated into the libc, so that
traditional manual authentication (eg, using getpwnam(3) and friends) will
use nis transparently.

Also, while kerberos is used for authentication, as far as I understand
it, kerberos provides no means for distributing a username-to-uid map, so
you would still have to use nis or something for that.  (Someone correct
me if I'm way off here....)


> > > 5.) NIS/NIS+
> >
> > NIS is at a bit of a disadvantage due to the unencrypted transport
> > of information.  Although MD5 hashes in the passwd databases make
> > passwords harder to crack, usernames and group memberships may still be
> > retrieved with little difficulty

Well, it's worse than that - since the packets are not authenticated in
any way, an active attacker doesn't need to crack passwords - he can just
inject his own packets which can have crypted passwords that he knows.

If you use ipsec and a well-known nis server (as opposed to the easy way
of just using broadcast), then maybe nis isn't so weak.  And all os's and
network gear support ipsec by now, right?


> > Since you have cisco devices, you may want to look at pam_tacplus.

I like tacacs better than radius, but be aware that different devices may
have differing notions of what the tacacs privilege levels mean.  For
example, I used to have cisco and foundry gear, both of which spoke
tacacs, but on one, the numeric privilege levels went from low to high
with increased privileges, and on the other, it went from high to low.
foundry has since changed their stuff to be compatible with cisco, so maybe
this isn't an issue any more, but be aware that it might be.


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
