Re: nis security
From: Bruce Pea (pea_at_andrewpea.com)
Date: 09/09/03
Date: Mon, 08 Sep 2003 19:02:06 -0500
To: Tillman Hodgson <tillman@seekingfire.com>, freebsd-questions@freebsd.org
--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson
<tillman@seekingfire.com> wrote:
> On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
>> I'm building a new network for my company.
>
> Right on!
>
>> I need centralized authentication and looked after LDAP to achieve
>> this.
>
> It's a good thing you're designing this /now/ rather than trying to
> graft it on later. It's not as simple as it seems.
>
>> Unfortunately, there are 2 points that make me wonder the good use of
>> it:
>> 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for
>>    production use
>> 2. I really don't feel confident with LDAP
>
> For many networks LDAP can be overkill.
>
>> So, I was thinking about using NIS instead, with which I feel much
>> more confident. I understand it is really not secure, so I was
>> looking about more information on this: why is it unsecure, does it
>> send password in clear text?
>
> No, but it sends them in an easily broken format. It's exactly the same
> situation as a DES /etc/passwd file in the days before
> master.passwd/shadow passwd files. This can be fixed by combining NIS
> with Kerberos.
>
> Another large problem is that clients used to "broadcast" for NIS
> servers and trust the first server to answer. This can be fixed by
> telling the clients to contact only specific servers for NIS
> information.
>
>> ?
>> Does anyone know a solution for securing NIS, using ssh or encrypted
>> tunnels or anything... I am open to any new idea :)
>
> IPsec can fix the network sniffing problem, though Kerberos can do that
> as well and comes with many other advantages.
>
> I'm a bit biased, however: I use NIS with Kerberos and think it's the
> cat's pajamas :-)

Hey Tillman,
This sounds exactly like what we are looking for. Can you point us to any
docs explaining how you do this??
Thanks -
Bruce
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
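
An added example, not part of the original thread: a small Python audit of a passwd map dump that classifies each entry's password field, showing which accounts publish a hash to anyone who can read the map (the pre-shadow `/etc/passwd` situation described in the quoted reply) and which carry only a placeholder. The sample map, account names and hashes are constructed, and it is an assumption here that the dump uses the standard seven-field passwd layout and that accounts authenticated elsewhere (for example by Kerberos) show `*` in the password field.

```python
import re

# Constructed sample in `ypcat passwd` layout; accounts and hashes are made up.
SAMPLE_MAP = """\
alice:ab01FAkeHasH2:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijkl:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
dave:_J9..saltFakeHashFak:1004:1004:Dave:/home/dave:/bin/csh
erin::1005:1005:Erin:/home/erin:/bin/sh
truncated:line
"""

B64 = r"[./0-9A-Za-z]"
DES = re.compile(rf"^{B64}{{13}}$")       # traditional crypt(3): 2 salt + 11 hash chars
EXT_DES = re.compile(rf"^_{B64}{{19}}$")  # BSDi extended DES: _ + 4 count + 4 salt + 11 hash

def classify(field):
    """Name the kind of value found in the passwd field of a map entry."""
    if field == "":
        return "empty"
    if field[0] in "*!" or field == "x":
        return "placeholder"  # no hash in the map (assumed: secret held elsewhere)
    if DES.match(field):
        return "des"
    if EXT_DES.match(field):
        return "ext-des"
    if field.startswith("$"):
        return "modular"      # $1$ MD5, $2a$ Blowfish, ...
    return "unknown"

def audit(map_text):
    """Return {user: kind} for each well-formed entry (7 colon-separated fields)."""
    result = {}
    for line in map_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue          # skip malformed or truncated lines
        result[parts[0]] = classify(parts[1])
    return result

def exposed(map_text):
    """Users whose entry carries a hash (or no password) visible to map readers."""
    return sorted(u for u, k in audit(map_text).items() if k != "placeholder")

if __name__ == "__main__":
    for user, kind in audit(SAMPLE_MAP).items():
        print(f"{user:8} {kind}")
```

Entries reported as `des` or `ext-des` are the ones the quoted reply calls easily broken; a map where every account reports `placeholder` no longer hands out hashes at all.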