Re: Machine authentication

Date: Tue, 18 Dec 2001 10:08:37 +0000
From: Darren J Moffat <Darren.Moffat@Sun.COM>
To: James Craig <jmc@cs.rit.edu>

On 12/17/01 18:58, James Craig wrote:

>
> We are looking for a way to authenticate machines such that when
> a machine asks for an NFS mount, the server can trust it is that
> machine. I believe NIS+ can provide this, but how about kerberos,
> or DES? How would one set this up in a Solaris 8 environment?

You don't need NIS+ to use AUTH_DH (sec=dh on the share_nfs/mount_nfs
line), however since NIS is easily spoofed I wouldn't recommend it;
using NIS+ (since it runs over AUTH_DH) is a better idea.

Or, and this is what I would recommend for new deployments, go to
Kerberos (sec=krb5*). For Solaris 8 you need to install the unbundled
SEAM package to get the KDC (if you don't already have one, an MIT
KDC will work just fine); if you just want NFS, the OS has everything
else you need.

Search the Answerbook on docs.sun.com for Kerberos and NFS (use only
the Solaris 8 book or you will get old references to Kerberos IV instead
of V).

-- 
Darren J Moffat
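
Added example, not part of the original message: a shell check that reads share lines in dfstab format and flags any NFS share that does not restrict clients to the modes named in the reply (sec=dh, sec=krb5*). The function names and the sample share lines are constructed for illustration; a share with no sec= option is assumed to fall back to AUTH_SYS (sec=sys).

```shell
#!/bin/sh
# Added example: classify NFS shares by the sec= modes they accept.
# OK   = every accepted mode is dh, krb5, krb5i or krb5p
# WEAK = at least one accepted mode is something else (sys, none, ...)

# Constructed sample input in dfstab format (not from the original post).
sample_dfstab() {
    cat <<'EOF'
# constructed sample share lines
share -F nfs -o sec=krb5,rw=client1 /export/home
share -F nfs -o rw /export/scratch
share -F nfs -o sec=dh,rw,sec=sys,ro /export/tools
share -F nfs -o sec=krb5i:krb5p,rw -d "project data" /export/proj
EOF
}

# Reads share lines from the named files, or stdin if none are given.
# Prints one line per share: VERDICT PATH MODES
audit_dfstab() {
    awk '
    $1 != "share" { next }                  # skip comments and blank lines
    {
        opts = ""; path = $NF               # pathname is the last argument
        for (i = 1; i < NF; i++)
            if ($i == "-o") opts = $(i + 1)
        # Collect every sec= clause; a share line may carry several.
        modes = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
            if (o[j] ~ /^sec=/) {
                m = substr(o[j], 5)
                modes = (modes == "" ? m : modes ":" m)
            }
        if (modes == "") modes = "sys"      # assumed default without sec=
        verdict = "OK"
        k = split(modes, s, ":")
        for (j = 1; j <= k; j++)
            if (s[j] !~ /^(dh|krb5|krb5i|krb5p)$/) verdict = "WEAK"
        print verdict, path, modes
    }' "$@"
}

sample_dfstab | audit_dfstab
```

On a Solaris NFS server the same function can be pointed at the real file with `audit_dfstab /etc/dfs/dfstab`.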
