From owner-freebsd-current@FreeBSD.ORG Wed Feb 15 07:04:42 2006 Return-Path: X-Original-To: current@freebsd.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C51C016A420 for ; Wed, 15 Feb 2006 07:04:42 +0000 (GMT) (envelope-from danny@cs.huji.ac.il) Received: from cs1.cs.huji.ac.il (cs1.cs.huji.ac.il [132.65.16.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C75843D46 for ; Wed, 15 Feb 2006 07:04:42 +0000 (GMT) (envelope-from danny@cs.huji.ac.il) Received: from pampa.cs.huji.ac.il ([132.65.80.32]) by cs1.cs.huji.ac.il with esmtp id 1F9GiO-000P7D-N9; Wed, 15 Feb 2006 09:04:40 +0200 X-Mailer: exmh version 2.7.0 06/18/2004 with nmh-1.0.4 To: Luigi Rizzo In-reply-to: Your message of Tue, 14 Feb 2006 09:11:50 -0800 . Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Feb 2006 09:04:40 +0200 From: Danny Braniss Message-ID: Cc: current@freebsd.org Subject: Re: options for centralized 'passwd' database for a diskless lab ? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Feb 2006 07:04:42 -0000 > as per the subjects, what options do i have to set a centralized > 'passwd' database for a lab with FreeBSD diskless machines ? > > In the past (4.x times) i used YP/NIS which did the job but was > highly insecure (all traffic unencrypted) and also a bit of a pain to configure. > It was convenient though because it let users change their > password and other info just using the passwd command. > > I have been browsing around a bit, and i see that pam_* (tried pam_radius) > can do for the authentication part but not for the other info; > nss_* seems to be a better suit but the only thing i see is nss_ldap > and i am not familiar with the latter. > > So any suggestions or pointers to pages describing what to do ? > for NIS/YP replacement: look into hesiod, we have been using it for years! for the authentication problem: we have implemented a client/server solution. the encrypted password is kept in a secure server, and the clients send the password to this server. the communication is clear text, but it could be made encrypted. for distant/unsecure authentication we use a token generating card - OTP. this server also handles the MS authentication, OTP cards, etc. danny > cheers > luigi > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" >