Date: Fri, 12 Sep 2003 07:00:57 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: nis security
Message-ID: <20030912070057.E13273@seekingfire.com>
In-Reply-To: <1063359316.2838.18.camel@cronos.home.vsb>; from n.b@myrealbox.com on Fri, Sep 12, 2003 at 11:35:16AM +0200
References: <200309082359.07548.ajacoutot@lphp.org> <20030908161045.C11841@seekingfire.com> <42065386.1063047726@[192.168.10.11]> <20030908181529.P11841@seekingfire.com> <1063359316.2838.18.camel@cronos.home.vsb>

On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > The rough instructions are fairly simple:
> >
> > * Set up Kerberos and ensure you have a working realm
> > * Set up NIS, but set all the passwd fields to something that doesn't
> >   map to a real password (I like 'krb5', others like '*')
> >
> > That's about it. It works because authentication in a Kerberized world
> > doesn't check the password field in the NIS maps anyway (or the
> > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > break for users that aren't local, but I consider the incentive to
> > replace them a benefit :-)
>
> Do you have some links to websites or so that you used to set this up?

Not really. Kerberos and NIS are both in the Handbook, and as I mentioned
above I just changed the /var/yp/master.passwd that NIS was working off
of to have 'krb5' in the password field.

A quick bit of Google spelunking dug up some references but no "HowTos".
The RedHat Security Guide mentions it explicitly in the NIS section, for
example.

> I'm very interested in this setup, with the added complication that the
> clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> (5.0).

Normally NIS is a pain between different Unix implementations (due to the
different passwd designs such as DES vs. MD5). When using Kerberos to
handle the authentication, those problems go away.

On the other hand, you get to learn how to install NIS and Kerberos on
multiple operating systems :-)

-T

-- 
Some never participate. Life happens to them. They get by on little more
than dumb persistence and resist with anger or violence all things that
might lift them out of resentment-filled illusions of security.
    - Alma Mavis Taraza

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030912070057.E13273>
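
Added example, not part of the original message or of the FreeBSD documentation: a small audit for the setup described above, which reports any account in a master.passwd-format NIS source file whose password field is not a placeholder. The function names, the accepted placeholders ('krb5' or anything starting with '*'), and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Audits a master.passwd-format
# NIS source file and reports accounts whose password field is not a
# placeholder. Password field contents are never printed.
# Assumptions: placeholders are 'krb5' or any value starting with '*';
# each record has the 10 colon-separated FreeBSD master.passwd fields.

audit_nis_passwd() {
    # $1 = path to the file to audit (e.g. a copy of /var/yp/master.passwd)
    awk -F: '
        $0 == "" || substr($0, 1, 1) == "#" { next }   # blank line or comment
        NF != 10  { print "malformed", $1; next }      # wrong field count
        $2 == ""  { print "empty", $1; next }          # no password at all
        $2 == "krb5" || substr($2, 1, 1) == "*" { next }  # placeholder: fine
        { print "hash", $1 }                           # anything else
    ' "$1"
}

# Constructed sample records; the "hash" below is a dummy string.
sample_map() {
    cat <<'EOF'
# constructed sample, not real accounts
alice:krb5:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
carol:$1$constructed$notarealhash:1003:1003::0:0:Carol Example:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave Example:/home/dave:/bin/sh
erin:krb5:1005:1005:0:0:Erin Example:/home/erin:/bin/sh
EOF
}

# Demo run over the constructed sample.
demo_file=$(mktemp)
sample_map > "$demo_file"
audit_nis_passwd "$demo_file"
rm -f "$demo_file"
```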