Re: unified authentication
From: Cy Schubert (Cy.Schubert_at_komquats.com)
Date: 09/26/03
- Previous message: Devon H. O'Dell: "Re: Apache under attack and eating resources?"
- Maybe in reply to: Jesse Guardiani: "unified authentication"
To: Tillman Hodgson <tillman@seekingfire.com>
Date: Fri, 26 Sep 2003 10:28:54 -0700
In message <20030925130356.S18252@seekingfire.com>, Tillman Hodgson writes:
> On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> > On Thu, 25 Sep 2003, Robert Watson wrote:
> >
> > > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > > access) between a set of trusted hosts, with no modifications to the
> > > privileged port set, should be fairly safe against unprivileged users
> > > logged into the machines. The same goes for NFS. If you break any of
> > > these assumptions, then the security properties go out the window.
> >
> > It should probably also be noted that when using NIS in a multi-platform
> > environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> > FreeBSD machines only, the passwd maps are generated without password
> > fields, the master.passwd maps are generated with them, and only requests
> > from privileged ports (superuser requests) will be given the master.passwd
> > maps (hence the comment above about modifying the privileged port set).
> > Other operating systems' NIS implementations require the password fields
> > to be in the passwd maps, which are available to unprivileged users.
>
> Or one could put something like "*" or "krb5" in the password field and
> use Kerberos with NIS to obtain extra security in a cross-platform
> environment.
I've been doing that for years on Solaris using MIT KRB5 and NIS+. Works
like a charm.
Cheers,
--
Cy Schubert <Cy.Schubert@komquats.com> http://www.komquats.com/
BC Government . FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca . cy@FreeBSD.org
http://www.gov.bc.ca/ . http://www.FreeBSD.org/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
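
A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it reads a passwd-format map dump (for instance the output of `ypcat passwd`) and reports entries whose password field holds a crypt(3) hash or is empty, instead of a placeholder such as "*" or "krb5". The hash-shape patterns, the `*LOCKED*` prefix handling and the sample accounts are assumptions of this example.

```python
import re

# Assumed hash shapes: traditional DES crypt (13 chars), BSDi extended DES
# ("_" + 19 chars) and modular crypt ("$id$salt$hash").
_DES = re.compile(r"[./0-9A-Za-z]{13}")
_BSDI = re.compile(r"_[./0-9A-Za-z]{19}")
_LOCK_PREFIX = "*LOCKED*"  # FreeBSD pw(8) "lock" prepends this to the existing hash


def classify(field):
    """Return 'empty', 'hash' or 'placeholder' for one password field."""
    if field == "":
        return "empty"
    if field.startswith(_LOCK_PREFIX):
        # A locked account still carries its hash after the prefix.
        field = field[len(_LOCK_PREFIX):]
    if field.startswith("$") or _DES.fullmatch(field) or _BSDI.fullmatch(field):
        return "hash"
    return "placeholder"  # e.g. "*" or "krb5", as suggested in the thread


def audit(map_text):
    """Return (line number, user, finding) for every entry that needs attention."""
    findings = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:  # passwd(5) has 7 fields, master.passwd(5) has 10
            findings.append((lineno, parts[0], "malformed"))
            continue
        kind = classify(parts[1])
        if kind != "placeholder":
            findings.append((lineno, parts[0], kind))
    return findings


# Constructed sample map; the accounts and hash strings are made up.
SAMPLE = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:krb5:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$0123456789abcdefghijkl:1003:1003:Carol:/home/carol:/bin/sh
dave:XXabcdefghijk:1004:1004:Dave:/home/dave:/bin/sh
erin::1005:1005:Erin:/home/erin:/bin/sh
frank:*LOCKED*$1$abcdefgh$0123456789abcdefghijkl:1006:1006:Frank:/home/frank:/bin/sh
"""

if __name__ == "__main__":
    for lineno, user, kind in audit(SAMPLE):
        print(f"line {lineno}: {user}: {kind}")
```

Run it as an unprivileged user against the map that non-FreeBSD clients actually receive; any `hash` finding means that hash is readable by every user who can query the map.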