unified authentication

Cy Schubert Cy.Schubert at komquats.com
Fri Sep 26 10:28:58 PDT 2003


In message <20030925130356.S18252 at seekingfire.com>, Tillman Hodgson writes:
> On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> > On Thu, 25 Sep 2003, Robert Watson wrote:
> > 
> > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > > access) between a set of trusted hosts, with no modifications to the
> > > privileged port set, should be fairly safe against unprivileged users
> > > logged into the machines.  The same goes for NFS. If you break any of
> > > these assumptions, then the security properties go out the window.
> > 
> > It should probably also be noted that when using NIS in a multi-platform
> > environment, UNSECURE="True" must be set in /var/yp/Makefile.  When using
> > FreeBSD machines only, the passwd maps are generated without password
> > fields, the master.passwd maps are generated with them, and only requests
> > from privileged ports (superuser requests) will be given the master.passwd
> > maps (hence the comment above about modifying the privileged port set).
> > Other operating systems' NIS implementations require the password fields
> > to be in the passwd maps, which are available to unprivileged users.
> 
> Or one could put something like "*" or "krb5" in the password field and
> use Kerberos with NIS to obtain extra security in a cross-platform
> environment.

I've been doing that for years on Solaris using MIT KRB5 and NIS+.  Works 
like a charm.


Cheers,
--
Cy Schubert <Cy.Schubert at komquats.com>        http://www.komquats.com/
BC Government                     .                       FreeBSD UNIX
Cy.Schubert at osg.gov.bc.ca         .                     cy at FreeBSD.org
http://www.gov.bc.ca/             .            http://www.FreeBSD.org/
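Added example, not part of the thread or of any FreeBSD code: the quoted exchange turns on whether the passwd map an unprivileged user can pull with `ypcat passwd` still carries crypt(3) hashes (cross-platform setup, UNSECURE="True") or only placeholders such as "*" or "krb5". The script below is a hypothetical audit helper that takes such map lines (here a constructed sample, embedded inline) and reports which accounts expose a hash; the placeholder set and the hash regex are my assumptions, covering traditional 13-character DES and modular `$id$` crypt strings.

```python
"""Audit a dump of an NIS passwd map for leaked password hashes.

Hypothetical helper (not from the thread): feed it the lines that
`ypcat passwd` would return and it reports which accounts still carry a
real crypt(3) hash in the password field instead of a placeholder.
"""
import re
from typing import Dict, List

# Assumed set of values that mean "no hash here" (thread uses "*" and "krb5";
# "x", "*NP*", "*LK*" and "!!" are common on other platforms).
PLACEHOLDERS = {"", "*", "x", "krb5", "*NP*", "*LK*", "!!"}

# Assumed shapes of a real hash: modular crypt ($1$..., $6$..., ...) or the
# traditional 13-character DES crypt alphabet.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def classify_entry(line: str) -> Dict[str, str]:
    """Classify one passwd(5)-style line: user:pw:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    user, pw = fields[0], fields[1]
    if pw in PLACEHOLDERS or pw.startswith("*") or pw.startswith("!"):
        status = "placeholder"      # locked or "look elsewhere" marker
    elif HASH_RE.match(pw):
        status = "hash-exposed"     # offline-crackable material in the map
    else:
        status = "unknown"          # something we did not anticipate
    return {"user": user, "status": status}


def audit_passwd_map(lines: List[str]) -> Dict[str, List[str]]:
    """Group account names by what their password field reveals."""
    report: Dict[str, List[str]] = {"placeholder": [], "hash-exposed": [], "unknown": []}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                # skip blanks and comments in a saved dump
        entry = classify_entry(line)
        report[entry["status"]].append(entry["user"])
    return report


# Constructed sample: what a cross-platform map built with UNSECURE="True"
# could hand to any unprivileged client (hashes are made-up, not real ones).
SAMPLE_MAP = [
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "alice:$1$saltsalt$c7yYMzlhy2u3mGaHwuX5H1:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:krb5:1002:1002:Bob:/home/bob:/bin/sh",
    "carol:Nd3Xr7Kp1Qz9M:1003:1003:Carol:/home/carol:/bin/sh",
    "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    result = audit_passwd_map(SAMPLE_MAP)
    for status, users in result.items():
        print(f"{status:13s} {', '.join(users) or '-'}")
    if result["hash-exposed"]:
        print("hashes are readable by unprivileged NIS clients; "
              "set the field to '*' or 'krb5' and authenticate via Kerberos")
```

On a real host you would pipe `ypcat passwd` into this rather than the constructed list; an empty "hash-exposed" bucket is the state the thread recommends, with Kerberos carrying the actual authentication.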