Re: PAM and LinuxRouter questions

From: Charles Clancy (security@xauth.net)
Date: 01/18/02


Date: Fri, 18 Jan 2002 12:22:10 -0600 (CST)
From: Charles Clancy <security@xauth.net>
To: Paul Lussier <pll@mclinux.com>


> >I also suggest you use ANYTHING but NIS. NIS+ and LDAP are infinitely
> >better when it comes to the security aspects of name service.
>
> From a security perspective, I'll grant you that NIS is horrible, but
> from a management perspective, NIS+ and LDAP appear to be a lot worse.
> That, and AFAIK, there is no NIS+ implementation for Linux.
> Besides, why would you *want* to use something which the developers
> themselves (Sun) have all but abandoned and don't use?

For Linux NIS+, see:
http://www.ibiblio.org/mdw/HOWTO/NIS-HOWTO/x332.html#AEN334

For NIS fans, NIS+ is an easy next step, from which you gain a great deal
of security. Since host authenticity is based on knowledge of a DES (or
3DES) key, and not an IP address, spoofing is much more difficult (if not
impossible).

I'd only feel comfortable using NIS if it were used in conjunction with
Kerberos. Keep the passwords in Kerberos, and the rest in NIS.

True, Sun (and Microsoft, it seems, with ADS) is moving to LDAP. It
provides ultimate flexibility, and provides name service for many different
types of applications. For example, I've used the same LDAP database for
distributing /etc/passwd (posixAccount schema) information, mail
forwarding (aliases with Sendmail-LDAP), and general directory information
(such as office, phone number, etc).

> As far as LDAP? I keep hearing that it's the next best thing, but
> there don't seem to many tools for using it in a large scale
> enterprise environment. There are some out there, but it seems that
> they're slow in coming. And man is that record format overly verbose
> and tedious to deal with!

Well, the concepts are a bit harder to understand than those of NIS/NIS+. As
for the record format, just include the relevant schemas. I admit, it's
overkill for a small organization, but can provide the needed structure
for larger organizations.

> Nah, even for all its insecurities, I like NIS. It's easy to deal
> with and simple to manage. And if you really need the security, then
> just use something like rdist or rsync to push around the
> passwd/shadow maps. If you're in an all Linux/Unix environment, it's
> trivial to create a sysVinit script that pulls down the most recent
> files at boot time.

Hmm... /etc/passwd and /etc/shadow floating around the network. That
makes me a little nervous.

In my opinion, for the most flexibility and compatibility, a combination
of Kerberos 5 and LDAP works best. In fact, Microsoft's ADS provides both
of those interfaces, so one could have a single account for all users that
supports both Windows and UNIX environments.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
coordinated science laboratory <> university of illinois
cryptography and information protection
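The message above describes distributing /etc/passwd information out of LDAP via the posixAccount schema while keeping the passwords themselves in Kerberos. The following is an added example, not code from the original thread or from any of the tools it mentions: a small Python script that parses a constructed LDIF dump of posixAccount entries (the RFC 2307 attribute names uid, uidNumber, gidNumber, homeDirectory, loginShell, gecos) and emits passwd-format lines. It always writes "x" in the password field, so no hash ever travels with the map, and it rejects attribute values that would corrupt the colon-separated format or duplicate a login name. The LDIF text and the directory names in it are constructed sample data.

```python
"""Map LDAP posixAccount entries (RFC 2307) to /etc/passwd lines.

Added example; not part of the original message. The LDIF below is
constructed sample data. Only a minimal LDIF subset is handled:
'attr: value' lines, blank-line entry separators, and single-space
continuation lines (no base64 '::' values).
"""

# Constructed sample directory dump: two POSIX accounts and one
# non-POSIX entry that must be skipped.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example,Room 101,555-0100
mail: alice@example.org

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
userPassword: {SSHA}constructed-hash-value

dn: cn=svc,ou=Services,dc=example,dc=org
objectClass: inetOrgPerson
cn: svc
"""

# Attributes posixAccount marks MUST; everything else has a default.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            # LDIF folds long values onto lines that begin with one space.
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def _field(value, name):
    """Reject values that would break the colon/newline structure of passwd."""
    if ":" in value or "\n" in value:
        raise ValueError(f"{name} would corrupt passwd format: {value!r}")
    return value


def passwd_line(entry):
    """Render one posixAccount entry as a passwd(5) line with 'x' as password."""
    missing = [a for a in REQUIRED if a not in entry]
    if missing:
        raise ValueError(f"entry missing required attributes: {missing}")
    name = _field(entry["uid"][0], "uid")
    if not name:
        raise ValueError("uid must not be empty")
    uid_num = int(entry["uidNumber"][0])
    gid_num = int(entry["gidNumber"][0])
    if uid_num < 0 or gid_num < 0:
        raise ValueError("uidNumber/gidNumber must be non-negative")
    home = _field(entry["homeDirectory"][0], "homeDirectory")
    shell = _field(entry.get("loginShell", ["/bin/sh"])[0], "loginShell")
    gecos = _field(entry.get("gecos", [name])[0], "gecos")
    # Password field is always 'x': hashes stay in Kerberos (or local shadow),
    # never in the distributed map, even if userPassword is present in LDAP.
    return f"{name}:x:{uid_num}:{gid_num}:{gecos}:{home}:{shell}"


def to_passwd_lines(entries):
    """Convert every posixAccount entry; skip others; refuse duplicate logins."""
    lines, seen = [], set()
    for entry in entries:
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        line = passwd_line(entry)
        login = line.split(":", 1)[0]
        if login in seen:
            raise ValueError(f"duplicate login name in directory: {login}")
        seen.add(login)
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in to_passwd_lines(parse_ldif(SAMPLE_LDIF)):
        print(line)
```

The userPassword attribute on the second entry is deliberately ignored: the map that leaves the directory carries no secret, which is the split the message argues for (passwords in Kerberos, account data in the name service). The colon check matters because an attacker who can write a gecos or homeDirectory value in the directory would otherwise be able to append extra fields, or even a whole extra account line, to every host's passwd file.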