Re: NIS substitute
Hi,
First of all thank you for replying! This was the 3rd post of the
same mail with a different subject! ;P
On Mon, 11 Aug 2003 14:34:12 -0400
David Z Maze <dmaze@debian.org> wrote:
> Do you, in fact, want to migrate your network to using Kerberos?
> It's a moderate amount of infrastructure, and in fact would
> completely replace having shadow files anywhere.
No... I just want to replace NIS! LDAP is the easy answer, right?
That's why I used the PASSWD backend. I don't even mind changing the
passwords through passwd! I just want to use a more secure way of
sharing users across a Linux network.
> I know ~nothing about LDAP. But, there are two somewhat obvious
> possibilities if you need an LDAP/Kerberos world:
>
> (1) Figure out a way to use LDAP unencrypted for only the information
> that would normally be in /etc/passwd. (Which is close to
> what MIT does, but using Hesiod, which is a thin layer on top
> of DNS.)
Unencrypted? Don't you mean ENCRYPTED? Thinking of it, I know it's
possible to use LDAP through a stunnel... And I read somewhere that
LDAP2 does this by itself.
Then I would only need to change nsswitch.conf and configure PAM. (I
THINK!! Have to read more about it, though...)
I'll google for Hesiod anyway... to see what that is! :P
>
> (2) Generate a Kerberos keytab for each machine (you might want this
> anyways to allow things like inbound Kerberos-authenticated
> ssh). Get tickets using the keytab (kinit -k). Using this,
> get Kerberos-authenticated LDAP entries. Then lose the host
> tickets, verify the username, get a password, and using this,
> get user Kerberos tickets.
>
> There might even be a good prepackaged way to do (2), but I
> really don't know.
>
> > To login with Kerberos I have to add all users as principals.
>
> Yes. <nods> If you're using other infrastructure that supports
> it (IMAP and AFS are obvious things that come to mind) then this
> still might be a good way to go; it does save a fair bit of
> typing passwords to get at things. Otherwise, you probably want
> to ignore anything that says "Kerberos" or "GSSAPI" in the
> package description.
I agree with you... even the explanation of the protocol is
confusing! What alternatives do you suggest?
Thanks again,
---
Paladin
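As an added illustration (not from either poster) of the client-side change the thread sketches: /etc/nsswitch.conf sending passwd, group and shadow lookups to the directory, and the nss_ldap/pam_ldap /etc/ldap.conf with the cleartext setting shown beside the StartTLS one, so the lookups that NIS sent in the clear are encrypted and the server is verified. The hostname, base DN and CA file path are assumed placeholders.

```conf
# /etc/nsswitch.conf -- local files first, then the LDAP directory
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/ldap.conf (nss_ldap / pam_ldap) -- assumed server and base DN
uri          ldap://ldap.example.com/
base         dc=example,dc=com
ldap_version 3

# Weak: every passwd/group/shadow lookup crosses the wire in the clear,
# which is no better than the NIS setup being replaced
#ssl off

# Corrected: upgrade the plain-LDAP connection with StartTLS (LDAPv3) and
# require a valid server certificate, so a spoofed directory cannot hand
# the clients bogus uid/gid or password-hash data
ssl            start_tls
tls_checkpeer  yes
tls_cacertfile /etc/ssl/certs/ca-example.crt

# Let "passwd" change the password with the LDAP password-modify
# extended operation, so hashing happens on the server, not the client
pam_password exop

# /etc/pam.d/common-auth -- try the directory, then fall back to local
# accounts (the root account should stay in /etc/shadow)
auth  sufficient  pam_ldap.so
auth  required    pam_unix.so nullok_secure use_first_pass
```

With tls_checkpeer set to yes the lookups fail rather than silently falling back to cleartext when the certificate does not validate, which is the behaviour to test for before rolling this out to every host.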