[OpenAFS] with or without krb5 and openldap?
Derek Atkins
warlord@MIT.EDU
02 Aug 2003 11:38:02 -0400
Balazs GAL <balsa@rit.bme.hu> writes:
> Derek Atkins wrote:
>
> > Hesiod is not any less secure than LDAP. At least with Hesiod if you
> > deploy DNSSec you get complete security. OTOH, you do not require a
> > significant amount of security on hesiod info -- who cares about your
> > GECOS field? The real authentication security is from Kerberos.
>
> Don't forget that on Unix-like systems authorization is based on the NSS
> passwd and group fields. If you can spoof that, then you can gain any
> rights on the clients.
GRR... You clearly "do not understand". No, authentication does NOT
come from Hesiod (indeed, if you look up my Hesiod entry you won't even
see a passwd entry!). Authentication uses Kerberos. Please -- try to
spoof that!
Yes, you could perform UID spoofing, but you can do that with _ANY_
distributed passwd entry. The point is that "local UID" means nothing
-- the only thing that matters (at least on the network) is your
kerberos identity.
> balsa
-derek
-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
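The argument above turns on what distributed passwd data (Hesiod, LDAP) is allowed to carry: a UID-to-name mapping for local authorization, but no authenticator, since authentication comes from Kerberos. A defender can check that property directly. The script below is an added example, not code from this thread or from OpenAFS: it parses passwd(5)-style entries of the kind an NSS source returns, flags any entry that publishes a password hash or an empty password field, and flags entries that claim UID 0 or reuse another entry's UID. The sample entries, names and paths are constructed for the example.

```python
"""Audit passwd(5)-style entries served by a distributed NSS source.

Added example (not from the thread). Checks that no entry carries an
authenticator (authentication must come from Kerberos) and that UIDs
are not spoofed or duplicated in the published data.
"""

from dataclasses import dataclass

# Constructed sample entries in passwd(5) format; not real accounts.
SAMPLE_ENTRIES = """\
warlord:*:1001:1001:Derek Atkins:/afs/example.org/user/w/warlord:/bin/bash
balsa:*:1002:1002:Balazs GAL:/afs/example.org/user/b/balsa:/bin/tcsh
badhash:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:1003:1003:Has a hash:/home/badhash:/bin/sh
impostor:*:0:0:Not root:/home/impostor:/bin/sh
dupe:*:1001:1001:Duplicate UID:/home/dupe:/bin/sh
broken line without enough fields
"""

# Values in the password field that mean "no local password here".
PLACEHOLDERS = {"*", "x", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines; return (entries, list of parse errors)."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            errors.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            errors.append(f"line {lineno}: non-numeric uid/gid")
            continue
        entries.append(PasswdEntry(fields[0], fields[1], uid, gid, *fields[4:]))
    return entries, errors


def audit(entries):
    """Return (name, reason) findings for entries that violate the policy:
    no authenticator in distributed data, no UID 0 except root, no UID reuse."""
    findings = []
    seen_uids = {}
    for e in entries:
        if e.password == "":
            findings.append((e.name, "empty password field permits passwordless local login"))
        elif e.password not in PLACEHOLDERS:
            findings.append((e.name, "password hash published in distributed passwd data"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "non-root entry claims UID 0"))
        if e.uid in seen_uids:
            findings.append((e.name, f"UID {e.uid} already used by {seen_uids[e.uid]}"))
        else:
            seen_uids[e.uid] = e.name
    return findings


if __name__ == "__main__":
    parsed, parse_errors = parse_passwd(SAMPLE_ENTRIES)
    for err in parse_errors:
        print("parse error:", err)
    for name, reason in audit(parsed):
        print(f"{name}: {reason}")
```

Run against a dump of what the NSS source actually returns (for example the output of `getent passwd`) rather than the local file, since the point is what the network-distributed data exposes. An entry with a placeholder password field and a unique non-zero UID is the expected shape when Kerberos is the only authenticator.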