[NTLUG:Discuss] Kerberos and Linux
Leroy Tennison
leroy_tennison at prodigy.net
Sun Feb 5 05:25:45 CST 2006
Chris Cox wrote:
>Leroy Tennison wrote:
>
>
>>Before I do a lot of research for nothing, can kerberos not only be an
>>authentication system for Linux but also provide local uid/gid's for the
>>system? What I'm looking for is something like what LDAP can do where
>>the local system doesn't have to have a user ID in order for someone to
>>log in. I'm trying to get to a more centralized approach to user/group
>>management like the PC NOSes have. Thanks for your input. Other secure
>>alternatives would be worth hearing about as well.
>
>Secure? Who can say?
>
>But you'll need something like NIS, LDAP or even Samba (or Samba
>combo'd with a Windows Domain Controller) to provide the usernames, etc.
>
>Unless someone else knows differently.
>
>Where I work we have to use NIS (lowest common denominator).
>I have built systems... and was planning to demo at the Fair,
>that use a centralized account system for the whole network,
>Unix/Linux/Windows.
>
>NIS is called insecure... but truthfully, distributed
>network namespaces are "insecure" by definition. You don't
>have to use the password part in NIS... I've used the
>local domain controller for that... or you could use
>Kerberos... or you could force key'd ssh only.
>
>If you're already committed to Kerberos, you can use that...
>
>One of the things I like about NIS is its simplicity and
>its ubiquitous nature in the Unix world. However, it
>only scales to about 5,000 or so users (without some
>"smart" partitioning). For larger than that, I'd use some
>form of LDAP.
>
>My personal opinion of LDAP is that it has its own
>share of headaches, especially in a heterogeneous
>environment. And LDAP wasn't designed to be secure.
(Finally getting back to this) Thanks for your reply. I'll have to try
it without the passwords. (If I remember correctly, I hear that passwords
in NIS are stored in clear text and transmitted in clear text, and I hear
that NIS+ solves the 'transmitted in clear text' problem but won't be
available as a server for Linux. What, if any, of this is true?)
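The thread turns on a split that is easy to state but easy to misconfigure: the name service (NIS, LDAP, Samba) supplies uid/gid, while the PAM auth stack decides who verifies the password (local hashes, Kerberos, a domain controller). The script below is an added example, not code from the NTLUG thread or any of its participants: it parses the two files that fix that split on a Linux host, `/etc/nsswitch.conf` and a PAM service file, plus an optional dump of the NIS passwd map, and reports the configurations the thread warns about (Kerberos with no directory behind it, and a NIS passwd map that still publishes hashes). The source/module tables, the `HASH_PLACEHOLDERS` set and all sample inputs are my own constructions; the hash-looking string in the sample map is fake.

```python
# Added example (not from the NTLUG thread): audit which subsystem supplies
# identity (uid/gid) and which verifies passwords, using the real nsswitch.conf
# and PAM file formats.  Tables and sample inputs below are constructed.

IDENTITY_SOURCES = {
    "files": "local /etc/passwd and /etc/group",
    "nis": "NIS maps",
    "ldap": "LDAP directory",
    "winbind": "Samba/winbind (Windows domain)",
}
AUTH_MODULES = {
    "pam_unix.so": "password hash from NSS (local shadow or NIS map)",
    "pam_krb5.so": "Kerberos KDC",
    "pam_ldap.so": "LDAP bind",
    "pam_winbind.so": "Windows domain controller via Samba",
}
# Password-field values that mean "no hash is published in this map".
HASH_PLACEHOLDERS = {"", "x", "*", "!", "!!", "NP", "*NP*"}


def parse_nsswitch(text):
    """Map each NSS database (passwd, group, hosts, ...) to its ordered sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action specifiers such as [NOTFOUND=return]; keep source names.
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_pam_auth(text):
    """Return the module names on the 'auth' lines of a PAM service file."""
    modules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            modules.append(parts[2])
    return modules


def nis_map_publishes_hashes(map_text):
    """True if a passwd.byname dump carries real hashes in the password field."""
    for raw in map_text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 2 and fields[1] not in HASH_PLACEHOLDERS:
            return True
    return False


def assess(nsswitch_text, pam_auth_text, nis_passwd_map=None):
    """Summarise identity and authentication backends and list the risks."""
    dbs = parse_nsswitch(nsswitch_text)
    auth = parse_pam_auth(pam_auth_text)
    identity = []
    for src in dbs.get("passwd", []) + dbs.get("group", []):
        if src not in identity:
            identity.append(src)
    warnings = []
    # The original question: Kerberos alone does not give the host any uid/gid.
    if "pam_krb5.so" in auth and all(s == "files" for s in identity):
        warnings.append("Kerberos verifies passwords, but only local files supply "
                        "uid/gid: every user still needs an entry in /etc/passwd.")
    # Chris's point: use NIS for names, not for the password part.
    if "nis" in identity and "pam_unix.so" in auth and "pam_krb5.so" not in auth:
        warnings.append("Passwords are checked against hashes fetched from NIS; "
                        "the hashes cross the network unencrypted on every lookup.")
    if nis_passwd_map is not None and nis_map_publishes_hashes(nis_passwd_map):
        warnings.append("The NIS passwd map publishes password hashes; put a "
                        "placeholder in that field and authenticate via Kerberos "
                        "or the domain controller instead.")
    return {
        "identity": [IDENTITY_SOURCES.get(s, s) for s in identity],
        "authentication": [AUTH_MODULES.get(m, m) for m in auth],
        "warnings": warnings,
    }


# Constructed sample configurations (the hash string is fake).
SAMPLE_KRB_ONLY = {
    "nsswitch": "passwd: files\ngroup:  files\n",
    "pam": "auth sufficient pam_krb5.so\nauth required   pam_unix.so nullok\n",
}
SAMPLE_NIS_FULL = {
    "nsswitch": "passwd: files nis\ngroup:  files nis\n",
    "pam": "auth required pam_unix.so\n",
    "map": "alice:$1$saltsalt$fakehashfakehashfakeha:1001:1001:Alice:/home/alice:/bin/sh\n",
}
SAMPLE_NIS_NAMES_ONLY = {
    "nsswitch": "passwd: files nis\ngroup:  files nis\n",
    "pam": "auth sufficient pam_krb5.so\nauth required pam_unix.so\n",
    "map": "alice:x:1001:1001:Alice:/home/alice:/bin/sh\n",
}

if __name__ == "__main__":
    for name, s in (("kerberos-only", SAMPLE_KRB_ONLY),
                    ("nis-with-hashes", SAMPLE_NIS_FULL),
                    ("nis-names-krb-auth", SAMPLE_NIS_NAMES_ONLY)):
        print(name, assess(s["nsswitch"], s["pam"], s.get("map")))
```

Run on a real host by reading `/etc/nsswitch.conf` and, say, `/etc/pam.d/sshd`, and feeding `ypcat passwd` output as the third argument; the third sample is the arrangement Chris describes (NIS for names, Kerberos or a domain controller for the password) and produces no warnings.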