[946] in linux-security and linux-alert archive
Re: [linux-security] Alternative to NIS
daemon@ATHENA.MIT.EDU (Derek Atkins)
Wed Jul 24 06:34:04 1996
Date: Tue, 23 Jul 1996 18:57:50 -0400
From: Derek Atkins <warlord@MIT.EDU>
To: "Eric M. Boyd" <boyd@interdim.com>
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: "[941] in linux-security and linux-alert archive"
Hi,
> Everywhere I look security wise, people say to stay away from NIS because
> it's very insecure, and that NIS+ isn't much better. Does anyone have any
> suggestions as to a replacement to use? I want to make sure my site is
> secure, but it's really a hassle to individually add a user to each
> machine, or ask a user to change their password on each machine they use.
>
> Any suggestions?
You can use Hesiod for passwd, group, etc. information and use
Kerberos for password/login authentication. This provides a
centralized location for both naming and authentication. When you add
a new user you add them to the Hesiod maps and Kerberos; then they can
log in at any machine at your site that is set up to accept
Hesiod-based logins.
Hesiod is based on DNS. It provides NIS-like capabilities using the
DNS protocols. You do not put an encrypted password in the Hesiod
maps. Instead you use Kerberos, which is a real authentication system
that uses DES. Passwords are never transmitted over the net in clear
text.
Alternatively, you can *just* use Kerberos for authentication while
still using NIS or NIS+ for naming, again removing the password field
from the passwd map. This reduces a lot of the security risks when
using NIS or NIS+. The actual security risk is that neither NIS nor
NIS+ provides a security authentication system; Kerberos does.
For more information about Hesiod, contact hesiod@mit.edu. For more
information about Kerberos, contact kerberos@mit.edu.
-derek
PS: The MIT Student Information Processing Board (SIPB) has a version
of Login for Linux which does the above; it uses Hesiod and Kerberos
for logins, adding users to the local /etc/passwd while they are
logged on, and removing them when they log off. It also includes AFS
support, obtaining an AFS PAG and token for the user. I don't know
what the distribution availability is on this program.
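The Hesiod lookup described above, as an added example that is not part of the original post or of MIT's Hesiod code: it builds the DNS name Hesiod queries for a key and map, parses the passwd-format TXT record, and audits that the map carries only a placeholder in the password field. The LHS/RHS values, user names and TXT records are constructed here so the example runs offline.

```python
# Added example: Hesiod-style passwd lookup over constructed DNS TXT records.
# Hesiod publishes NIS-like maps as DNS TXT records under names built from
# the key, the map name, and a site-specific LHS/RHS (hypothetical values here).

HESIOD_LHS = ".ns"           # assumed site setting
HESIOD_RHS = ".example.org"  # assumed site setting

# Constructed TXT answers standing in for real DNS responses.
FAKE_DNS_TXT = {
    "alice.passwd.ns.example.org": ["alice:*:1001:100:Alice Liddell:/home/alice:/bin/sh"],
    "bob.passwd.ns.example.org":   ["bob:$1$salt$FAKEHASHFAKEHASH:1002:100:Bob:/home/bob:/bin/sh"],
    "staff.group.ns.example.org":  ["staff:*:100:alice,bob"],
}

def hesiod_name(key, map_name):
    """Build the DNS name Hesiod queries: <key>.<map><lhs><rhs>."""
    return f"{key}.{map_name}{HESIOD_LHS}{HESIOD_RHS}"

def hesiod_resolve(key, map_name, txt_lookup=FAKE_DNS_TXT.get):
    """Return the TXT strings for a Hesiod key, or [] if the name is absent."""
    return txt_lookup(hesiod_name(key, map_name)) or []

def parse_passwd(record):
    """Split one passwd-format record into its seven fields."""
    fields = record.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd record: {record!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def get_passwd(user):
    """Look up a user's passwd entry via Hesiod; None if not published."""
    recs = hesiod_resolve(user, "passwd")
    return parse_passwd(recs[0]) if recs else None

def exposes_hash(entry):
    """True if the entry carries a real credential rather than a placeholder.
    A map served over unauthenticated DNS should never contain a hash;
    authentication belongs to Kerberos, as the post says."""
    return entry is not None and entry["passwd"] not in ("", "*", "x", "!")

def audit(users):
    """Return the users whose published Hesiod passwd entry leaks a hash."""
    return [u for u in users if exposes_hash(get_passwd(u))]
```

In a real deployment the `txt_lookup` argument would be replaced by a DNS TXT query against the site's Hesiod zone.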