Date: Wed, 7 Nov 2001 21:01:09 -0800 (PST)
From: Jano Lukac
Subject: Re: NIS, rsync, and LDAP Re: sharing /etc/passwd
To: security@freebsd.org
Message-ID: <20011108050109.25500.qmail@web14501.mail.yahoo.com>
Sender: owner-freebsd-security@FreeBSD.ORG

--- David Bear wrote:
> other recommendations include ldap_pam and rsync.
>
> Thanks for the suggestions. I was not even considering NIS because of
> what I have heard about security issues with it. I live in a completely
> untrusted network. So, it really needs to be safe.
>
> It would be nice to be able to share /etc/passwd between Linux and Freebsd
> -- so some layer of abstraction like an ldap_pam would be great. I didn't
> know ldap pam existed. I'll look into it.

The ldap_pam stuff is cool as it works; it could be considered "secure" because new implementations of the openldap 2 have connections via ssl, or you could wrap the old openldap 1 through an stunnel.

But a small warning: I've been working about a month now trying to figure out how to allow users to change passwords, without luck. I went as far as setting up an ldap v3 with pam->ldap->sasl->kerberos, no luck. Additionally, I've recently received word that the openldap c-libs have memory leaks (unsure how true this is); there are the other ldap libs, though *shrug*

Which reminds me.. another alternative for secure, remote authentication without copying passwd/shadow files is through kerberos (unsure about freebsd support for kerberos).

Jano

> any other pointers?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message