Date: Sun, 7 Apr 2002 13:32:34 -0700
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Anthony Schneider <aschneid@mail.slc.edu>
Cc: Pieter Danhieux <pdanhieux@easynet.be>, freebsd-security@FreeBSD.ORG
Subject: Re: Centralized authentication
Message-ID: <20020407133234.A6268@Odin.AC.HMC.Edu>
In-Reply-To: <20020407133536.A140@mail.slc.edu>; from aschneid@mail.slc.edu on Sun, Apr 07, 2002 at 01:35:37PM -0400
References: <874riov1et.wl@delta.meridian-enviro.com> <20020406170014.5f47c85f.cyschow@shaw.ca> <20020407192004.5cbecd18.pdanhieux@easynet.be> <20020407133536.A140@mail.slc.edu>
On Sun, Apr 07, 2002 at 01:35:37PM -0400, Anthony Schneider wrote:
> On a private, small LAN, NIS can be okay, but you're right, passwords are passed
> in plaintext across the network. I'd say use Kerberos, OpenLDAP or perhaps even
> NIS+ (although I know little about NIS+, what I do know is that security-wise
> it's a good bit higher on the ladder than NIS).

NIS+ adds nothing but pain to the equation. It does no encryption (that wasn't exportable) and the authentication sucks to the point that if you compromise root on a host you can probably log in as any known user whose account is in the database. This is due to the fact that they authenticate the envelope on each packet, but don't ensure that the data doesn't change, and thus you can use dsniff-like techniques to hijack the NIS+ responses and replace the encrypted password with a known one.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
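The design flaw Brooks describes, shown as an added toy model that is not NIS+ code and not part of the original message: when the authenticator covers only the envelope, a verifier accepts a response whose payload changed in transit, whereas an authenticator over envelope and payload rejects it. The key, field names and record values are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed shared key; a toy model of the integrity-scope flaw, not the NIS+ wire format.
KEY = b"constructed-demo-key"

def _serialize(fields: dict) -> bytes:
    # Deterministic encoding so sender and verifier MAC identical bytes.
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def mac_envelope_only(envelope: dict, payload: dict) -> bytes:
    """Flawed design: the authenticator covers the envelope (addressing, sequence) only."""
    return hmac.new(KEY, _serialize(envelope), hashlib.sha256).digest()

def mac_envelope_and_payload(envelope: dict, payload: dict) -> bytes:
    """Corrected design: the authenticator covers the envelope and the data it carries."""
    msg = _serialize(envelope) + b"\n" + _serialize(payload)
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def verify(mac_fn, envelope: dict, payload: dict, tag: bytes) -> bool:
    # Constant-time comparison of the recomputed authenticator against the received one.
    return hmac.compare_digest(mac_fn(envelope, payload), tag)

def demo() -> dict:
    # Constructed response: envelope fields plus one password-table record as the payload.
    envelope = {"seq": 17, "from": "master.example", "to": "client1.example"}
    payload = {"user": "alice", "passwd": "$1$constructed$originalhash"}
    tag_flawed = mac_envelope_only(envelope, payload)
    tag_fixed = mac_envelope_and_payload(envelope, payload)
    # Same envelope, but the password field replaced by a different value in transit.
    altered = dict(payload, passwd="$1$constructed$substitutedhash")
    return {
        "flawed_accepts_altered": verify(mac_envelope_only, envelope, altered, tag_flawed),
        "fixed_accepts_altered": verify(mac_envelope_and_payload, envelope, altered, tag_fixed),
        "fixed_accepts_original": verify(mac_envelope_and_payload, envelope, payload, tag_fixed),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The envelope-only verifier cannot distinguish the original record from the altered one, which is exactly the gap a transit-level substitution exploits; covering the payload closes it.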