[OpenAFS] Distributing passwd
Derek Atkins
warlord@MIT.EDU
12 Jun 2003 17:39:09 -0400
Nathan Neulinger <nneul@umr.edu> writes:
> > Umm, I think _ALL_ of these have to do with storing the encrypted
> > password entry in the NIS database. As I said, we're using Kerberos
> > for authentication so you can leave the password entry as "None"
> > (e.g. '*' or 'x') in NIS... So, iterating over the NIS map doesn't
> > help you (no passwords to crack). You can't compromise a client
> > (again, we use Kerberos for authentication, not NIS)... So you still
> > have not provided any reasons not to use NIS for _account_
> > information.
>
> Yes, you used krb for auth, but do you prevent regular and
> passwordless auth from working?

Yes.

> If not, faking the master will get you root on the client.

Of course.. Similar with Hesiod.. or LDAP.. or....

> I'll freely admit, I use NIS even with these concerns, but they are still
> an issue if security is a high priority.
>
> -- Nathan

-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available