From: Dan Cross <crossd@gmail.com>
To: Grant Taylor <gtaylor@tnetconsulting.net>
Cc: TUHS main list <tuhs@minnie.tuhs.org>
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
Date: Tue, 6 Nov 2018 17:29:50 -0500 [thread overview]
Message-ID: <CAEoi9W6fQw05GvrfWkkT0ABLG=JLvkUJ_hg=sj+TbENsav9enQ@mail.gmail.com> (raw)
In-Reply-To: <968a530f-c456-e79f-3581-f84fdef73c19@spamtrap.tnetconsulting.net>
[-- Attachment #1: Type: text/plain, Size: 1424 bytes --]
On Tue, Nov 6, 2018 at 1:42 AM Grant Taylor via TUHS <tuhs@minnie.tuhs.org>
wrote:
> On 11/05/2018 06:46 PM, Dan Cross wrote:
> > NIS would be the only other realistic option and it's just not secure
> > enough in this day and age.
>
> What do you think about NIS (sans shadow) for directory and Kerberos for
> authentication?
>
It wouldn't do it, but I guess it depends on how much you trust your
environment and your users etc. If you're intent on using a network
directory service, I'd bite the bullet and invest in setting up Kerberos
and LDAP. The thing with pairing Kerberos (for authentication) with NIS is
that while you'll have decent authentication security, nothing prevents a
malicious third party from modifying the answer from `ypserv` for some user
to set the UID to 0, thus making that user root. If authentication is
happening by users typing passwords into SSH clients, which then get sent
to SSH servers to be validated against the KDC on machines that have been
so cracked, an attacker can steal passwords by subverting the SSH server
processes.
However, if you trust your users not to do that and you're on a relatively
small, self-contained and decently secured network, then it may be fine.
From what you described earlier I think generating text files and
distributing them around (possibly with rdist or rsync) and pairing that
with kerberos would be less work and more robust.
- Dan C.
[-- Attachment #2: Type: text/html, Size: 1802 bytes --]
next prev parent reply other threads:[~2018-11-07 0:17 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-04 20:51 Grant Taylor via TUHS
2018-11-04 21:46 ` Ben Greenfield via TUHS
2018-11-04 22:45 ` Arthur Krewat
2018-11-04 22:58 ` Mantas Mikulėnas
2018-11-04 23:49 ` Warner Losh
2018-11-05 3:16 ` Robert Brockway
2018-11-05 6:08 ` Grant Taylor via TUHS
2018-11-05 7:24 ` Mantas Mikulėnas
2018-11-05 7:33 ` Mantas Mikulėnas
2018-11-05 16:12 ` Arthur Krewat
2018-11-05 19:32 ` Grant Taylor via TUHS
2018-11-05 22:43 ` Arthur Krewat
2018-11-06 5:25 ` Grant Taylor via TUHS
2018-11-06 16:50 ` Arthur Krewat
2018-11-06 19:43 ` Grant Taylor via TUHS
2018-11-05 19:27 ` Grant Taylor via TUHS
2018-11-05 19:36 ` Grant Taylor via TUHS
2018-11-05 21:36 ` Mantas Mikulėnas
2018-11-05 23:12 ` Grant Taylor via TUHS
2018-11-05 21:43 ` Ben Greenfield via TUHS
2018-11-06 4:58 ` Grant Taylor via TUHS
2018-11-06 12:59 ` Ben Greenfield via TUHS
2018-11-06 6:53 ` Mantas Mikulėnas
2018-11-06 13:21 ` Ben Greenfield via TUHS
2018-11-06 13:44 ` Mantas Mikulėnas
2018-11-06 14:00 ` Ben Greenfield via TUHS
2018-11-06 13:46 ` Mantas Mikulėnas
2018-11-05 22:34 ` Dan Cross
2018-11-06 5:24 ` Grant Taylor via TUHS
2018-11-06 7:07 ` Mantas Mikulėnas
2018-11-06 17:30 ` Grant Taylor via TUHS
2018-11-06 19:58 ` Mantas Mikulėnas
2018-11-06 22:24 ` Dan Cross
2018-11-07 0:35 ` Grant Taylor via TUHS
2018-11-07 11:37 ` Pete Turnbull
2018-11-07 17:30 ` Grant Taylor via TUHS
2018-11-07 22:01 ` Dave Horsfall
2018-11-08 1:48 ` Dave Horsfall
2018-11-07 23:00 ` Pete Turnbull
2018-11-07 1:03 ` Pete Turnbull
2018-11-06 12:54 ` Ben Greenfield via TUHS
2018-11-05 20:10 ` Dave Horsfall
2018-11-05 3:49 ` Larry McVoy
2018-11-05 6:12 ` Grant Taylor via TUHS
2018-11-05 19:58 ` Dave Horsfall
2018-11-05 22:53 ` Grant Taylor via TUHS
2018-11-06 1:28 ` Dave Horsfall
2018-11-05 15:44 ` Larry McVoy
2018-11-05 18:38 ` arnold
2018-11-05 19:04 ` Larry McVoy
2018-11-05 21:21 ` Noel Hunt
2018-11-07 8:58 ` arnold
2018-11-07 14:05 ` arnold
2018-11-05 20:48 ` A. P. Garcia
2018-11-05 23:07 ` Grant Taylor via TUHS
2018-11-06 1:46 ` Dan Cross
2018-11-06 5:32 ` Grant Taylor via TUHS
2018-11-06 22:29 ` Dan Cross [this message]
2018-11-07 0:40 ` Grant Taylor via TUHS
2018-11-07 1:38 ` Arthur Krewat
2018-11-06 3:03 ` Robert Brockway
2018-11-06 5:03 ` David Arnold
2018-11-06 5:34 ` Grant Taylor via TUHS
2018-11-06 23:59 Norman Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEoi9W6fQw05GvrfWkkT0ABLG=JLvkUJ_hg=sj+TbENsav9enQ@mail.gmail.com' \
--to=crossd@gmail.com \
--cc=gtaylor@tnetconsulting.net \
--cc=tuhs@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).