Date: Thu, 11 Feb 1999 11:38:29 +0200
From: Mark Murray <mark@grondar.za>
To: committers@FreeBSD.ORG
Subject: New security system being commissioned.
Message-ID: <199902110938.LAA00574@greenpeace.grondar.za>
Hello all!

Last year sometime, I put the cat-among-the-pigeons by announcing a new security paradigm for FreeBSD's server network at Walnut Creek.

The time has come to implement this. Here are the salient points of what has been decided:

o Account maintenance has become a real PITA, so NIS is going to be used to simplify this task. This should be transparent 99.9% of the time.

o Security is a major concern, and as NIS has security problems of its own, Kerberos5 is going to be used for authentication where users wish to enter a password on login. If users object to typing a password, this is your final chance to set up an SSH "passwordless" login. Folk have also indicated a desire to use S/KEY, and this will be allowed for a limited time; S/KEY's security (based on MD4/MD5) is not as strong as we would like it to be, and the facility may be removed at very short notice. As Kerberos5 is the authentication method, users may also set up their own Kerberos5-enhanced workstations to perform Kerberos-mediated logins to the appropriate machines. The BSD "r-utils" (rsh, rlogin, rcp) will _not_ be supported. A Kerberos5-enhanced ftp will be available for file transfer. Users who choose not to use Kerberos, but who still type their password on logging in, will notice no procedural difference (as long as ssh or Telnet/SKEY is used).

o Registration into the new system is required for those who wish to have a working password, and highly recommended for everyone else. To register your password in the Kerberos database (and I hope _all_ of you will do this), you will need to first log into freefall.freebsd.org, and then

    $ telnet localhost 75

  which will ask you a series of questions.

  WARNING! This question-and-answer session will echo all input, including passwords, so lart(1) any shoulder-surfers out of the way before going in!

  WARNING! The registration program was written to be secure, not to give you the warm fuzzies about using it, so please _go_slowly_ and answer all questions carefully!

  WARNING! By the end of the registration, you will have selected a "new" password; this password will only take effect when we commission the system; it is OK to use your current password; do not forget it!

  WARNING! Encrypt the session end-to-end! This is a security setup!

o If any of you have questions, please feel free to ask me. If you have problems that you wish to keep under wraps, please PGP encrypt your mail (my key can be found by fingering markm while logged onto freefall).

Let's get on with it, folks! :-)

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org