unified authentication

Robert Watson rwatson at freebsd.org
Thu Sep 25 09:01:09 PDT 2003


On Thu, 25 Sep 2003, Robert Watson wrote:

> Kerberos5 should work fine; direct support for LDAP is a problem for 4.x
> due to a lack of complete NSS support--to do this directly, you'd need
> to run 5.x.  My understanding is that some sites dump their LDAP
> databases to NIS databases and share them on the FreeBSD side using NIS,
> which is also a reasonable (if less secure) solution.  If you just want
> to use Kerberos5 for password sharing, 4.x should be no problem at all. 

Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
access) between a set of trusted hosts, with no modifications to the
privileged port set, should be fairly safe against unprivileged users
logged into the machines.  The same goes for NFS. If you break any of
these assumptions, then the security properties go out the window.

Another popular solution, if your password files/etc don't change all that
frequently, is to push/pull them over cryptographically protected
protocols.  I.e., to poll using https, or push using ssh.  By distributing
(in a manner of speaking) the passwords themselves using Kerberos5, most
sites have a pretty slow rate of change for password files. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
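Pulling a password file over https with verification, as an added example that is not part of this thread: it assumes FreeBSD's ten-field master.passwd layout, a SHA-256 digest obtained out of band (e.g. over ssh), and a placeholder URL; the sample file is constructed.

```python
import hashlib
import os
import ssl
import tempfile
import urllib.request

# master.passwd on FreeBSD has exactly ten colon-separated fields per line.
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_passwd_file(data, expected_sha256):
    # Compare against a digest learned out of band, then sanity-check the
    # structure so a truncated or corrupted pull is never installed.
    digest = sha256_hex(data)
    if digest != expected_sha256:
        raise ValueError("digest mismatch: got %s" % digest)
    entries, seen = [], set()
    for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            raise ValueError("line %d: expected 10 fields" % lineno)
        entry = dict(zip(PASSWD_FIELDS, fields))
        if entry["name"] in seen:
            raise ValueError("line %d: duplicate user" % lineno)
        seen.add(entry["name"])
        int(entry["uid"])  # uid and gid must be numeric
        int(entry["gid"])
        entries.append(entry)
    return entries

def install_atomically(path, data, mode=0o600):
    # Write a temp file in the target directory and rename it over the
    # destination, so readers never observe a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def pull_passwd(url, expected_sha256, dest):
    ctx = ssl.create_default_context()  # verifies the server certificate
    with urllib.request.urlopen(url, context=ctx) as resp:
        data = resp.read()
    verify_passwd_file(data, expected_sha256)
    install_atomically(dest, data)
    return len(data)
```

After installing, rebuild the password databases with pwd_mkdb on the receiving host; the script deliberately stops short of that step.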
