Date: Wed, 28 Feb 1996 18:26:50 -0700 (MST)
From: Barnacle Wes <wes@intele.net>
To: yankee@anna.az.com (az.com)
Cc: questions@freebsd.org
Subject: Re: Informing users of cracked passwords?
Message-ID: <199602290126.SAA21922@intele.net>
In-Reply-To: <Pine.BSF.3.91.960226071728.2045A-100000@anna.az.com> from "az.com" at Feb 26, 96 07:51:06 am
yankee@anna.az.com recently said:
> Perhaps it would be nice project to try to upgrade FreeBSD's password
> authentication and add an option which would move it away from the host
> and onto a separate system and also allow it to check for qualified
> passwords.
>
> I realize this idea is in left field and does not follow the single-system
> model, but for bigger organizations who can afford a separate system, it
> should be at least added to unix as an alternative to the shadow password
> file and get password entry routines, etc. I know that similar things
> already exist, but I know of no 'drop-in-replacement' like this that can
> go right into a running unix system like kerberos or nis, etc.

I worked on a commercial product like this once in my deep, dark, not too far distant past. It is now being sold commercially for several unixen. I cannot recommend the product; I left the company over design arguments with the two idiot vice presidents who were designing the product on viewfoils without knowing anything about the technology OR customer needs.

For those who want to build a distributed password system a la kerberos or nis, that require some sort of server to be available as well as the network working, go right ahead. You've obviously never experienced a 100-node thin coax ethernet falling on its face once or twice an hour.

The design we arrived at, with input from a couple of users with 2,000+ node networks of unix systems, was a distributed database design. Each system had a local copy of the password database (and other configuration databases) to run off; this product was responsible for keeping the different databases up to date. It is a more difficult problem to solve than writing a newer, better NIS, but I haven't seen a newer, better NIS that was truly better than NIS; none of them work at all if someone trips over your network cable and unplugs it.
I know most people these days insist their computer is useless if the network isn't working, and there is some validity to this, but you can really get bitten if root cannot even login because ypbind has the system by its figurative throat.

Now, if you want to do a distributed system, give me a call. This is a pet project that I never got to finish, and I'd love to discuss the design in a more appropriate forum.

-- 
Wes Peters      | Yes I am a pirate, two hundred years too late
Softweyr        | The cannons don't thunder, there's nothing to plunder
Consulting      | I'm an over forty victim of fate...
wes@intele.net  | Jimmy Buffett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602290126.SAA21922>