Re: Sparc Solaris NIS client Linux NIS server
- From: "Nico Kadel-Garcia" <nkadel@xxxxxxxxxxx>
- Date: Wed, 14 Dec 2005 22:25:13 -0500
"Chris Cox" <ccox_nopenotthis@xxxxxxxxxxx> wrote in message
news:11q13s52t4hoe4f@xxxxxxxxxxxxxxxxxxxxx
> Nico Kadel-Garcia wrote:
>> "Chris Cox" <ccox_nopenotthis@xxxxxxxxxxx> wrote in message
>> news:11ps8mre0vnscca@xxxxxxxxxxxxxxxxxxxxx
>>
>>>If the number of accounts are small (not in the 10,000's) then
>>>managing users with NIS is much simpler than with .. let's say...
>>>LDAP. If you have an existing Windows infrastructure, it's
>>>fairly trivial to auto create NIS users based on Windows
>>>account data and tie the password back to the Windows
>>>password server (which may bother Unix purists... but does
>>>work.. and if you've got the ugly animal there anyway...
>>>might as well use it).
>>
>> Bullwinkle, that trick *NEVER* works. The NIS stored password information
>> is very distinct from the password management used for Windows or even
>> Samba. LDAP works much, much better for providing single-source
>> authentication.
>
> Whatever. I do this at multi-million dollar companies for a living.
>
> LDAP is a generic framework... the password field that's there
> is for clear text only. Sure people jam hashes into it... but
> that's a whole other story.

Hardly. Given the structures for prefixing the password fields with the
various flags for MD5, SSHA, crypt, and other passwords, it's pretty clear
that the password field is flexibly designed to handle far more than
unencrypted clear-text passwords. It's a pretty basic functionality.

> Ultimately, I use NIS much like LDAP. It holds account
> data. Authentication is a different piece that can be
> handled in plethora of ways. I'm just pointing out that
> if you've got the dreaded Windows beastie on the network,
> might as well use it for the auth piece.

I can see that. I like LDAP now for avoiding dealing with the Windows
authentication whackiness and having a single-source of both the
configuration data and the authentication, fairly easy to integrate into
quite a few setups. I wish it were more standardized, but that seems to be
evolving out of its broad deployment in Linux.

>> Making SSH keys network accessible is..... asking for trouble. It's
>> almost as bad as putting a post-it note on your keyboard with your
>> password on it.
>
> Sigh.... You aren't easily satisfied are you? It's as
> secure as LDAP... is that ok now?

See above. A public SSH key is only as secure as the private passphrase. Who
enforces private passphrases on SSH keys, or even enforces good quality key
passphrases?

> The point is that you have to assume some things always. Having
> a computer in a location where more than one person can
> get to it is EQUALLY as insecure... true?

No, it's really not. Security is a problem, but it's one of layers. By
correctly handling the low-hanging fruit on the security tree, you can
successfully force the little apple thieves to go get a ladder, and that's
more likely to be noticed and easier to deal with. Where to balance work
added by doing good security vs. risk of lost work or data from poor
security is a fascinating decision.

> Post-it notes :) You remind me of our security team.

Hey, I've done some significant security work. (Also for some big companies,
though never as a direct member of the security team.) I particularly loved
explaining to the security guys that setting a BIOS password to avoid
booting from the CD drive is easily beatable by crashing the machine 3 times
in a row, causing the BIOS to reset to default values and disabling the
serial console access they considered so vital to resetting BIOS values
remotely.
They..... weren't happy about that.
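
The scheme prefixes mentioned in the reply above ({MD5}, {SSHA}, crypt), as an added example that is not part of the original post: Python that splits a stored userPassword value into scheme and payload, verifies a candidate password against it, and classifies how exposed the value would be if the directory leaked. The function names are this example's own, the sample values are constructed, and the {SSHA} layout assumed is base64(SHA1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os

DIGESTS = {"MD5": ("md5", 16), "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}

def split_scheme(stored):
    """Return (scheme, payload); no {SCHEME} prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored

def make_ssha(password, salt=None):
    """Build {SSHA}: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored, candidate):
    """Check candidate bytes against one stored userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), candidate)
    if scheme not in DIGESTS:
        # {CRYPT} is delegated to the platform crypt(3); not handled here.
        raise ValueError("unsupported scheme: " + scheme)
    algo, size = DIGESTS[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:size], raw[size:]  # salt is empty for MD5/SHA
    expected = hashlib.new(algo, candidate + salt).digest()
    return hmac.compare_digest(digest, expected)

def audit(stored):
    """Classify how exposed a stored value is if the directory leaks."""
    scheme, _ = split_scheme(stored)
    if scheme == "CLEARTEXT":
        return "cleartext"
    if scheme in ("MD5", "SHA"):
        return "unsalted hash"
    if scheme == "SSHA":
        return "salted hash"
    return "other: " + scheme

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for value in ("hunter2", make_ssha(b"hunter2"), "{CRYPT}placeholder"):
        print(audit(value), "<-", value)
```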