unified authentication
Tillman Hodgson
tillman at seekingfire.com
Thu Sep 25 12:04:02 PDT 2003
On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> On Thu, 25 Sep 2003, Robert Watson wrote:
>
> > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > access) between a set of trusted hosts, with no modifications to the
> > privileged port set, should be fairly safe against unprivileged users
> > logged into the machines. The same goes for NFS. If you break any of
> > these assumptions, then the security properties go out the window.
>
> It should probably also be noted that when using NIS in a multi-platform
> environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> FreeBSD machines only, the passwd maps are generated without password
> fields, the master.passwd maps are generated with them, and only requests
> from privileged ports (superuser requests) will be given the master.passwd
> maps (hence the comment above about modifying the privileged port set).
> Other operating systems' NIS implementations require the password fields
> to be in the passwd maps, which are available to unprivileged users.
Or one could put something like "*" or "krb5" in the password field and
use Kerberos with NIS to obtain extra security in a cross-platform
environnment.
-T
--
In the beginner's mind there are many possibilities.
In the expert's mind there are few.
- Suzuki-roshi
More information about the freebsd-security
mailing list