Re: unified authentication

From: Tillman Hodgson (tillman_at_seekingfire.com)
Date: 09/25/03

  • Next message: Chris Howells: "Re: FreeBSD Patch question" 
    Date: Thu, 25 Sep 2003 13:03:56 -0600
To: freebsd-security@freebsd.org

    On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
    > On Thu, 25 Sep 2003, Robert Watson wrote:
    >
    > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
    > > access) between a set of trusted hosts, with no modifications to the
    > > privileged port set, should be fairly safe against unprivileged users
    > > logged into the machines. The same goes for NFS. If you break any of
    > > these assumptions, then the security properties go out the window.
    >
    > It should probably also be noted that when using NIS in a multi-platform
    > environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
    > FreeBSD machines only, the passwd maps are generated without password
    > fields, the master.passwd maps are generated with them, and only requests
    > from privileged ports (superuser requests) will be given the master.passwd
    > maps (hence the comment above about modifying the privileged port set).
    > Other operating systems' NIS implementations require the password fields
    > to be in the passwd maps, which are available to unprivileged users.

    Or one could put something like "*" or "krb5" in the password field and
    use Kerberos with NIS to obtain extra security in a cross-platform
    environnment.

    -T 

    -- 
In the beginner's mind there are many possibilities.
 In the expert's mind there are few.
 	- Suzuki-roshi
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Chris Howells: "Re: FreeBSD Patch question"