From owner-freebsd-stable Thu Apr 2 16:21:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA08822 for freebsd-stable-outgoing; Thu, 2 Apr 1998 16:21:28 -0800 (PST) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from pop.uniserve.com (pop.uniserve.com [204.244.156.3]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA08807 for ; Thu, 2 Apr 1998 16:21:20 -0800 (PST) (envelope-from tom@uniserve.com)
Received: from shell.uniserve.com [204.244.186.218] by pop.uniserve.com with smtp (Exim 1.82 #4) id 0yKuEF-0007EU-00; Thu, 2 Apr 1998 16:21:07 -0800
Date: Thu, 2 Apr 1998 16:21:04 -0800 (PST)
From: Tom
To: Cy Schubert - ITSD Open Systems Group
cc: Charles Quarri , stable@FreeBSD.ORG
Subject: Re: Hesiod support on 2.2
In-Reply-To: <199804022207.OAA06621@passer.osg.gov.bc.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

On Thu, 2 Apr 1998, Cy Schubert - ITSD Open Systems Group wrote:

> >
> > On Thu, 2 Apr 1998, Charles Quarri wrote:
> >
> > > I am looking for a central management system like NIS without
> > > the blatant security holes. I have heard that Hesiod can do this.
> >
> > All blatant security holes in NIS depend on how you configure it.
>
> You can minimize NIS security holes by limiting which hosts have access
> to your NIS ports.

Yes. Similar problems with Hesiod though. You don't want to be running NIS or Hesiod between a server and a client connected via an untrusted network.

Most security holes in NIS are made by the system administrator setting up the NIS cluster/domain.

> Another approach I've used (on NIS+) is to put a * in the password
> fields of the passwd map and use Kerberos V. In this case NIS would
> serve hosts, services and other maps, and be used for UID to username
> mapping while Kerberos would be used for user authentication.

Yes. Hesiod is good for this too. Probably better actually as I think Hesiod's use of DNS will be faster. Plus DNS has nicer caching and replication features than NIS. NIS replication isn't so bad, if using some proprietary type of ypxfr, but is otherwise pretty bad.

> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
> ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
> Government of BC            Internet:  cschuber@uumail.gov.bc.ca
>                                        Cy.Schubert@gems8.gov.bc.ca

Tom
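
Added example, not part of the original message or of any poster's setup: a small check for the approach quoted above (a * in every password field of the passwd map, with Kerberos doing authentication). It assumes the map is dumped in the 7-field passwd(5) layout, for instance with ypcat passwd; the function name, finding strings and sample entries are constructed for illustration.

```python
"""Audit a NIS passwd map dump: every password field should be '*'."""
import sys

# Constructed sample input in the 7-field passwd(5) layout (not real accounts).
SAMPLE_MAP = """\
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
bob:Xy3kq9Zp1LmNo:1002:1002:Bob Example:/home/bob:/bin/csh
carol::1003:1003:Carol Example:/home/carol:/bin/sh
broken-line-without-fields
"""


def audit_passwd_map(text):
    """Return (entry, finding) pairs for map entries that are not locked with '*'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no account data
        fields = line.split(":")
        if len(fields) != 7:
            # Report rather than skip: a damaged line may hide a real account.
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, passwd = fields[0], fields[1]
        if passwd == "":
            findings.append((name, "empty password field"))
        elif passwd != "*":
            # Any other value is a hash that every host able to query the map can read.
            findings.append((name, "password hash served by NIS"))
    return findings


if __name__ == "__main__":
    # With "-" as argument read a real dump from stdin, otherwise use the sample.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_MAP
    results = audit_passwd_map(data)
    for entry, finding in results:
        print(f"{entry}: {finding}")
    sys.exit(1 if results else 0)
```

Run against a live domain as: ypcat passwd | python3 audit_map.py - (the script name is arbitrary); a non-zero exit status means at least one entry still carries something other than *.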