[946] in linux-security and linux-alert archive


Re: [linux-security] Alternative to NIS

daemon@ATHENA.MIT.EDU (Derek Atkins)
Wed Jul 24 06:34:04 1996

Date: Tue, 23 Jul 1996 18:57:50 -0400
From: Derek Atkins <warlord@MIT.EDU>
To: "Eric M. Boyd" <boyd@interdim.com>
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: "[941] in linux-security and linux-alert archive"

Hi,

> Everywhere I look security wise, people say to stay away from NIS because
> it's very insecure, and that NIS+ isn't much better.  Does anyone have any
> suggestions as to a replacement to use?  I want to make sure my site is
> secure, but it's really a hassle to individually add a user to each
> machine, or ask a user to change their password on each machine they use.  
> 
> Any suggestions?

You can use Hesiod for passwd, group, etc. information and use
Kerberos for password/login authentication.  This provides a
centralized location for both naming and authentication.  When you add
a new user you add them to the Hesiod maps and Kerberos; then they can
log in at any machine at your site that is set up to accept
Hesiod-based logins.

Hesiod is based on DNS.  It provides NIS-like capabilities using the
DNS protocols.  You do not put an encrypted password in the Hesiod
maps.  Instead you use Kerberos, which is a real authentication system
that uses DES.  Passwords are never transmitted over the net in clear
text.

Alternatively, you can *just* use Kerberos for authentication while
still using NIS or NIS+ for naming, again removing the password field
from the passwd map.  This reduces a lot of the security risks when
using NIS or NIS+.  The actual security risk is that neither NIS (nor
NIS+) provides a security authentication system; Kerberos does.

For more information about Hesiod, contact hesiod@mit.edu.  For more
information about Kerberos, contact kerberos@mit.edu.

-derek

PS: The MIT Student Information Processing Board (SIPB) has a version
of Login for Linux which does the above; it uses Hesiod and Kerberos
for logins, adding users to the local /etc/passwd while they are
logged on, and removing them when they log off.  It also includes AFS
support, obtaining an AFS PAG and token for the user.  I don't know
what the distribution availability is on this program.
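Added example, not part of the message above or of MIT's Hesiod code: a minimal Hesiod passwd-map resolver in Python plus an audit check for the advice in the reply, that the password field in the Hesiod map should hold no hash once Kerberos does authentication. The LHS/RHS values and the DNS TXT answers are constructed stand-ins for a real DNS query (Hesiod looks up TXT records named `<name>.<type><lhs><rhs>`).

```python
from dataclasses import dataclass

# Constructed Hesiod configuration, in the form /etc/hesiod.conf uses.
HESIOD_LHS = ".ns"
HESIOD_RHS = ".example.com"

# Constructed stand-in for DNS TXT answers: query name -> list of TXT strings.
# Each passwd TXT record holds one passwd(5)-style line, as Hesiod serves it.
FAKE_TXT_RECORDS = {
    "alice.passwd.ns.example.com": ["alice:*:1001:100:Alice Example:/home/alice:/bin/sh"],
    "bob.passwd.ns.example.com":   ["bob:Xk9aBcDeFgHiJ:1002:100:Bob Example:/home/bob:/bin/sh"],
    "1001.uid.ns.example.com":     ["alice:*:1001:100:Alice Example:/home/alice:/bin/sh"],
}

@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def hesiod_query_name(name: str, hes_type: str) -> str:
    """Build the DNS name Hesiod looks up: <name>.<type><lhs><rhs>."""
    return f"{name}.{hes_type}{HESIOD_LHS}{HESIOD_RHS}"

def hesiod_resolve(name: str, hes_type: str, records=FAKE_TXT_RECORDS) -> list:
    """Return the TXT strings for a Hesiod lookup, or [] if the map has no entry."""
    return list(records.get(hesiod_query_name(name, hes_type), []))

def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5)-style line from a Hesiod TXT record."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd record: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)

def entries_with_password_hashes(names, records=FAKE_TXT_RECORDS) -> list:
    """Audit: names whose Hesiod passwd entry still carries a hash in field 2.
    It should be '*' or empty when Kerberos authenticates, since DNS data is
    served unauthenticated and in the clear."""
    flagged = []
    for n in names:
        for line in hesiod_resolve(n, "passwd", records):
            if parse_passwd_line(line).passwd not in ("", "*"):
                flagged.append(n)
    return flagged
```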
