Re: overcome NIS



On Mon, 05 Dec 2005 20:48:57 +0000, Stachu 'Dozzie' K. wrote:
> On 05.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
>> On Mon, 05 Dec 2005 19:16:39 +0000, Stachu 'Dozzie' K. wrote:

>>> BTW. Kerberos makes sense to me when deployed on at least two
>>> different machines.
>>
>> Generally I'd say that's a good idea for NIS servers also (in
>> availability.)
>
> But Kerberos was designed to run on 2+ machines to protect other servers

Indeed.

> (KDC, TGS and protected server(s)).

That'd be TGS and AS. Which could be run on separate machines, but this
isn't the "standard" setup IME.

> Putting TGS and KDC on the same server seems to me similar to running
> NIS on a single host without network.

I might not quite understand the above sentence ... If however you mean to
say services besides those used/needed for authenticating shouldn't run on KDC
machines: I'd agree, except when there isn't much choice than to do so.

> Of course it's possible, but I'd do that mainly for testing and
> learning.

Well, in what goes over the network (short-lived tickets, rather than long-
lived hashes) Kerberos should be safer to use than NIS for just a password
database too. Only it doesn't do identification or authorization so you'll
still need something for that (NIS will do fine for that if you can accept
the risk _that_ stuff can still be spoofed - otherwise SASL/LDAP.)

This still wouldn't protect against client admins installing keyloggers
(or using tickets - grabbed from /tmp) but probably is a big improvement
over them getting a bunch (all?) of users' hashes.

>> However the Shishi Kerberos implementation (although beta) can be
>> configured to run under a separate account, so that should still be an
>> improvement in such a setup. Provided other network services run under
>> separate accounts as well.
>
> Hmm... That's quite an interesting project. Who knows, maybe I'll use this
> for learning how to set up Kerberos? Thanks, anyway.

Sure thing. Although I think ATM Heimdal is simpler to set up; if you're
interested maybe look at (or try) the SlackBuild in this post:
http://groups.google.nl/group/alt.os.linux.slackware/msg/1b812f06c99a8174

Have fun.

--
-Menno.
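The thread above mentions tickets being grabbed from /tmp. As an added example (not part of the original post, and not code from any of the Kerberos implementations discussed), here is a small audit that walks a ticket directory and flags credential caches that are readable by other users or whose owner does not match the uid encoded in the file name; the `krb5cc_<uid>` naming convention and the placeholder cache contents are assumptions.

```python
"""Audit Kerberos credential caches left in a ticket directory.

Constructed example: flags krb5cc_* files that are readable by group/other
or whose owner does not match the uid in the file name. Assumes the
common FILE: cache naming krb5cc_<uid> (optionally with a suffix).
"""
import os
import re
import stat
import tempfile

# Assumed naming convention: krb5cc_<uid> or krb5cc_<uid>_<suffix>
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_\w+)?$")


def audit_ccaches(directory):
    """Return a list of (filename, problem) tuples for suspicious caches."""
    findings = []
    for name in sorted(os.listdir(directory)):
        m = CCACHE_RE.match(name)
        if not m:
            continue  # not a credential cache by name; ignore
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        # A cache readable by group/other hands its tickets to anyone local.
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((name, "readable by group/other"))
        # Name claims one uid but the file belongs to another.
        if st.st_uid != int(m.group(1)):
            findings.append((name, "owner uid %d != name uid %s"
                             % (st.st_uid, m.group(1))))
    return findings


def demo():
    """Build constructed sample caches in a temp dir and audit them."""
    me = os.getuid()
    d = tempfile.mkdtemp()
    samples = {
        "krb5cc_%d" % me: 0o600,        # fine: private, owner matches name
        "krb5cc_%d_abc" % me: 0o644,    # bad: world-readable ticket cache
        "krb5cc_%d" % (me + 1): 0o600,  # bad: name claims another uid
    }
    for fname, mode in samples.items():
        p = os.path.join(d, fname)
        with open(p, "wb") as fh:
            fh.write(b"\x05\x04")  # placeholder bytes, not a real ccache
        os.chmod(p, mode)  # set the exact mode regardless of umask
    return audit_ccaches(d)
```

Running `demo()` on a Unix host reports two findings: the world-readable cache and the cache whose owner does not match the uid in its name.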
