From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: tuhs-bounces@minnie.tuhs.org
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE,SUBJ_ALL_CAPS autolearn=no autolearn_force=no
	version=3.4.2
Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53])
	by inbox.vuxu.org (OpenSMTPD) with ESMTP id 66ba42ee
	for <ml@inbox.vuxu.org>;
	Wed, 7 Nov 2018 00:17:22 +0000 (UTC)
Received: by minnie.tuhs.org (Postfix, from userid 112)
	id 06C4FA22DB; Wed,  7 Nov 2018 10:17:21 +1000 (AEST)
Received: from minnie.tuhs.org (localhost [127.0.0.1])
	by minnie.tuhs.org (Postfix) with ESMTP id C11ECA22B9;
	Wed,  7 Nov 2018 10:16:35 +1000 (AEST)
Received: by minnie.tuhs.org (Postfix, from userid 112)
 id A0F26A22A0; Wed,  7 Nov 2018 08:30:33 +1000 (AEST)
Received: from mail-qk1-f177.google.com (mail-qk1-f177.google.com
 [209.85.222.177])
 by minnie.tuhs.org (Postfix) with ESMTPS id 2959A94111
 for <tuhs@minnie.tuhs.org>; Wed,  7 Nov 2018 08:30:28 +1000 (AEST)
Received: by mail-qk1-f177.google.com with SMTP id d19so19505818qkg.5
 for <tuhs@minnie.tuhs.org>; Tue, 06 Nov 2018 14:30:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=Lash4DyQyjDXhf82/6DVcc0ldzsI+kyfTnn2YMXFYcM=;
 b=nlFtUbf6ecYEJJWI5PY65XZBW7RTEzkSpOrlFxMbaEqn55LDvYlWBvzbnJbgCwBbqE
 55vr8KwguKeUlNrmtDK0MjbtkRt05Q6fRAOgEYwNCl5uCejp4KA90hx/hQBOhw3+DZ7S
 jsWJgZvudN9md2OGnjC1rVI+kbBXb1VQ20v43hJc7r0KDXzCucRJEBdGLhzGHLvqy3dK
 X7OLIz5KajC23sWhMduod4rZvWOGVI4k+3a4UlSgkpV56iZIglCQsgaZjJ+b33q9uS5v
 y51TB+VWaGyopuUaSUgiXsPyVvQqR9RPQtEi2CbUeZ/n+7fw7LeFo5G4ckX8daNGDMWB
 epkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=Lash4DyQyjDXhf82/6DVcc0ldzsI+kyfTnn2YMXFYcM=;
 b=FtISeKR8xSDvY0PGLzXLiZw1ldY59TDuCWODogMSkLmV/30IUdoDNnlKdYiaoY5w8A
 j88TwUnlnUNBgAyTgqQ6HJYqZqbjtOYDOFZRMk2XvwATDNYycIJkRibJVsfLD29Tuw7s
 VaNxV9XBuLfY1dak71kXxFgImXws05gCHemneVpIilM7Db8mpxy8uN/tc/DppCgjnDNu
 CqL/DUi5Vm7c8NnKl/pAfosN87/fxqDlte48WeZIwQu8dH+ONCC5AmbPKIDWAYL89g4u
 VEO5mUDli1OC4ZTfg7X6YZNirXUdIw7WbGenEQTv1KdmSRcrv0tBcve57BsnElXm5nkd
 Kciw==
X-Gm-Message-State: AGRZ1gLr4wNFiJudSgmvb69yXrQrECZwOeneU9f6r6QiUc1/KAmGvYZe
 JegxzI4b6Z4nMZFWQBqr9stxJ9YESMR7KN2Kmz8=
X-Google-Smtp-Source: AJdET5ds8TNvfxE7/61nWoFdOU2pZT3EkIKHhfmJPOMP++gkPmYQkyjugywZtzYYM72zKMhF4X9MRJf6yj2kL+zn3J8=
X-Received: by 2002:a37:14ca:: with SMTP id 71mr25486157qku.295.1541543427181; 
 Tue, 06 Nov 2018 14:30:27 -0800 (PST)
MIME-Version: 1.0
References: <f99e4c98-d584-d823-a581-0d6c3b9c3420@spamtrap.tnetconsulting.net>
 <CAFCBnZsmLWuCaJo2w4ekR42yaS9XszR1h-H82t49agin-ORgBg@mail.gmail.com>
 <6a64b957-5912-b102-c73c-d0b71bd24188@spamtrap.tnetconsulting.net>
 <CAEoi9W6d5KCExxGHdOoCyae154r4u_NvMYj40w0OCNXF7kRQxw@mail.gmail.com>
 <968a530f-c456-e79f-3581-f84fdef73c19@spamtrap.tnetconsulting.net>
In-Reply-To: <968a530f-c456-e79f-3581-f84fdef73c19@spamtrap.tnetconsulting.net>
From: Dan Cross <crossd@gmail.com>
Date: Tue, 6 Nov 2018 17:29:50 -0500
Message-ID: <CAEoi9W6fQw05GvrfWkkT0ABLG=JLvkUJ_hg=sj+TbENsav9enQ@mail.gmail.com>
To: Grant Taylor <gtaylor@tnetconsulting.net>
Content-Type: multipart/alternative; boundary="000000000000621279057a068c8e"
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
X-BeenThere: tuhs@minnie.tuhs.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: The Unix Heritage Society mailing list <tuhs.minnie.tuhs.org>
List-Unsubscribe: <https://minnie.tuhs.org/cgi-bin/mailman/options/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=unsubscribe>
List-Archive: <http://minnie.tuhs.org/pipermail/tuhs/>
List-Post: <mailto:tuhs@minnie.tuhs.org>
List-Help: <mailto:tuhs-request@minnie.tuhs.org?subject=help>
List-Subscribe: <https://minnie.tuhs.org/cgi-bin/mailman/listinfo/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=subscribe>
Cc: TUHS main list <tuhs@minnie.tuhs.org>
Errors-To: tuhs-bounces@minnie.tuhs.org
Sender: "TUHS" <tuhs-bounces@minnie.tuhs.org>

--000000000000621279057a068c8e
Content-Type: text/plain; charset="UTF-8"

On Tue, Nov 6, 2018 at 1:42 AM Grant Taylor via TUHS <tuhs@minnie.tuhs.org>
wrote:

> On 11/05/2018 06:46 PM, Dan Cross wrote:
> > NIS would be the only other realistic option and it's just not secure
> > enough in this day and age.
>
> What do you think about NIS (sans shadow) for directory and Kerberos for
> authentication?
>

It wouldn't do it, but I guess it depends on how much you trust your
environment and your users etc. If you're intent on using a network
directory service, I'd bite the bullet and invest in setting up Kerberos
and LDAP. The thing with pairing Kerberos (for authentication) with NIS is
that while you'll have decent authentication security, nothing prevents a
malicious third party from modifying the answer from `ypserv` for some user
to set the UID to 0, thus making that user root. If authentication is
happening by users typing passwords into SSH clients, which then get sent
to SSH servers to be validated against the KDC on machines that have been
so cracked, an attacker can steal passwords by subverting the SSH server
processes.

However, if you trust your users not to do that and you're on a relatively
small, self-contained and decently secured network, then it may be fine.
>From what you described earlier I think generating text files and
distributing them around (possibly with rdist or rsync) and pairing that
with kerberos would be less work and more robust.

        - Dan C.

--000000000000621279057a068c8e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D"ltr">On Tue, Nov 6,=
 2018 at 1:42 AM Grant Taylor via TUHS &lt;<a href=3D"mailto:tuhs@minnie.tu=
hs.org">tuhs@minnie.tuhs.org</a>&gt; wrote:<br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-l=
eft:1ex">On 11/05/2018 06:46 PM, Dan Cross wrote:<br>
&gt; NIS would be the only other realistic option and it&#39;s just not sec=
ure <br>
&gt; enough in this day and age.<br>
<br>
What do you think about NIS (sans shadow) for directory and Kerberos for <b=
r>
authentication?<br></blockquote><div><br></div><div>It wouldn&#39;t do it, =
but I guess it depends on how much you trust your environment and your user=
s etc. If you&#39;re intent on using a network directory service, I&#39;d b=
ite the bullet and invest in setting up Kerberos and LDAP. The thing with p=
airing Kerberos (for authentication) with NIS is that while you&#39;ll have=
 decent authentication security, nothing prevents a malicious third party f=
rom modifying the answer from `ypserv` for some user to set the UID to 0, t=
hus making that user root. If authentication is happening by users typing p=
asswords into SSH clients, which then get sent to SSH servers to be validat=
ed against the KDC on machines that have been so cracked, an attacker can s=
teal passwords by subverting the SSH server processes.</div><div><br></div>=
<div>However, if you trust your users not to do that and you&#39;re on a re=
latively small, self-contained and decently secured network, then it may be=
 fine. From what you described earlier I think generating text files and di=
stributing them around (possibly with rdist or rsync) and pairing that with=
 kerberos would be less work and more robust.</div><div><br></div><div>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 - Dan C.</div><div><br></div></div></div>

--000000000000621279057a068c8e--