Date: Mon, 8 Sep 2003 16:10:45 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: freebsd-questions@freebsd.org
Subject: Re: nis security
Message-ID: <20030908161045.C11841@seekingfire.com>
In-Reply-To: <200309082359.07548.ajacoutot@lphp.org>; from ajacoutot@lphp.org on Mon, Sep 08, 2003 at 11:59:04PM +0200
References: <200309082359.07548.ajacoutot@lphp.org>

On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
> I'm building a new network for my company.

Right on!

> I need centralized authentication and looked after LDAP to achieve this.

It's a good thing you're designing this /now/ rather than trying to
graft it on later. It's not as simple as it seems.

> Unfortunately, there are 2 points that make me wonder the good use of it:
> 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
> 2. I really don't feel confident with LDAP

For many networks LDAP can be overkill.

> So, I was thinking about using NIS instead, with which I feel much more
> confident. I understand it is really not secure, so I was looking about more
> information on this: why is it unsecure, does it send password in clear text?

No, but it sends them in an easily broken format. It's exactly the same
situation as a DES /etc/passwd file in the days before
master.passwd/shadow passwd files. This can be fixed by combining NIS
with Kerberos.

Another large problem is that clients used to "broadcast" for NIS
servers and trust the first server to answer. This can be fixed by
telling the clients to contact only specific servers for NIS
information.

> ?
> Does anyone know a solution for securing NIS, using ssh or encrypted tunnels
> or anything... I am open to any new idea :)

IPsec can fix the network sniffing problem, though Kerberos can do that
as well and comes with many other advantages.

I'm a bit biased, however: I use NIS with Kerberos and think it's the
cat's pajamas :-)

-T

-- 
To give your sheep or cow a large spacious meadow is the way to control
him.
    Shunryu Suzuki
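
The reply above notes that NIS clients which broadcast for a server trust the first one to answer, and that pinning clients to specific servers fixes this. The following is an added example, not part of the original e-mail: a check that reports whether an rc.conf-style file leaves the NIS client on broadcast. It assumes FreeBSD's `nis_client_enable` and `nis_client_flags` variables and ypbind's `-S domain,server[,server...]` form; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): report how the NIS client in
# an rc.conf-style file finds its servers. Assumes FreeBSD's nis_client_enable
# and nis_client_flags variables and ypbind's -S domain,server[,server...] form.

# rc_value FILE VAR: print the last assignment to VAR (the last one wins when
# rc.conf is sourced), without quotes or a trailing comment.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# nis_bind_mode FILE: print disabled, restricted or broadcast.
# Returns 1 only for broadcast, so it can gate a configuration audit.
nis_bind_mode() {
    enabled=$(rc_value "$1" nis_client_enable)
    flags=$(rc_value "$1" nis_client_flags)
    case "$enabled" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    set -- $flags            # split the flag string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -S)   list=${2:-} ;;      # "-S domain,server"
            -S?*) list=${1#-S} ;;     # "-Sdomain,server"
            *)    list= ;;
        esac
        # Conservative assumption: -S counts as pinning only when at least
        # one server follows the domain name.
        case "$list" in
            ?*,?*) echo restricted; return 0 ;;
        esac
        shift
    done
    echo broadcast
    return 1
}

# Constructed sample: a client left on the broadcast default.
sample=$(mktemp)
printf '%s\n' 'nisdomainname="example-domain"' 'nis_client_enable="YES"' > "$sample"
echo "sample: $(nis_bind_mode "$sample")"
rm -f "$sample"
```

Pinning the server list addresses only the rogue-server problem; the password hashes in the NIS maps are still readable on the wire unless Kerberos or IPsec is used as the reply describes.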