Re: NFS, password transparency, and security
On Sun, Apr 07, 2002 at 10:04:01PM -0500, Rob VanFleet wrote:
> On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> > Two choices for authentication (passwd + shadow):
> > (1) Kerberos
> > Never used it. Can't advise you.
>
> I've looked at Kerberos, but at least a cursory glance at it leaves the
> impression that it is ridiculously complicated to set up and requires
> multiple servers. If someone has used it and can correct me, please do.
I suspect that if all your boxes are running Debian that your life will
be made easier by all the Debian kerberos packages.
> > (2) LDAP
> > Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> > the equivalent of NIS but securely.
>
> Without using SSL or Kerberos, would LDAP still be sending passwords
> across the net in plain text?
Two choices (I like lists :) ):
(1) use libpam-ldap:
libpam-ldap sends the password to the ldap server. If not using
TLS/SSL, then it is sent in the clear. By sending the password to
the server (rather than using a salt+hash), you can use whatever
hash algorithm you want on the server. The server takes the
password and does the hashing locally.
So, you *must* use TLS/SSL if you are using libpam-ldap, imo.
(2) don't use libpam-ldap:
You don't have to use libpam-ldap. You could just use
libnss-ldap and have the ldap server transfer the password
hashes to the workstations in the clear ... which is equivalent
to NIS. You could also use libnss-ldap with SSL/TLS so that the
hashes are transferred more securely (equivalent to NIS+).
Luca
--
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D
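A concrete form of the two choices in the message above, added here as an example and not taken from the original thread: client-side configuration fragments for the PADL pam_ldap and nss_ldap clients (the Debian libpam-ldap and libnss-ldap packages), with the cleartext setting shown beside the TLS one. The server name ldap.example.org, the base DN dc=example,dc=org and the CA file path are assumed placeholders.

```conf
# /etc/pam_ldap.conf  (libpam-ldap)       -- example values are assumed placeholders
host ldap.example.org                   # placeholder directory server
base dc=example,dc=org                  # placeholder base DN

# Weak: "ssl off" is the default. The bind password the PAM module sends to
# the server crosses the network in the clear (choice (1) without TLS/SSL).
#ssl off

# Corrected: negotiate StartTLS on port 389 before any bind, and verify the
# server certificate so a spoofed server cannot collect the passwords.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem   # placeholder CA certificate path

# Password changes: "exop" sends the new password inside the TLS session and
# lets the server hash it with whatever algorithm it is configured for, which
# is the server-side hashing described above; "md5" or "crypt" would hash on
# the client instead.
pam_password exop

# /etc/libnss-ldap.conf  (libnss-ldap)    -- same placeholders as above
host ldap.example.org
base dc=example,dc=org

# Without the three lines below, any attribute the workstation is allowed to
# read, including userPassword hashes, is transferred in the clear (the NIS
# case in choice (2)). With them the transfer is TLS-protected.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
```

To confirm that a client really negotiates TLS rather than silently falling back to cleartext, run an ldapsearch with -ZZ (start TLS and fail if it cannot) against the same host and base DN, for example `ldapsearch -x -ZZ -H ldap://ldap.example.org -b dc=example,dc=org`. TLS only protects the hashes in transit; whether a workstation can read userPassword at all is decided by the server's access control, and a slapd ACL such as `access to attrs=userPassword by self write by anonymous auth by * none` keeps hashes off the wire entirely while still allowing binds.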