authentication question

K. Richard Pixley rich at noir.com
Thu Mar 18 04:33:41 UTC 2004


NIS has several problems.  First, the only way I can see to get Samba to 
authenticate via NIS is to convince all the Windows clients to send 
their passwords in the clear.  That's bad for two reasons: I have to 
touch each and every Windows client, and the passwords cross the network 
in the clear.  These days that's not acceptable.

Second, NIS sends its encrypted passwords over the wire.  This means 
that anyone with a sniffer can snag a few and start running dictionary 
password crackers.  NIS+ fixes this, but apparently at a high 
administrative cost.  IPSEC might fix this too.  The situation is moot 
in this case, though, as when Windows clients send encrypted passwords, 
they are doing essentially the same thing.  And that's the best Windows 
has to offer right now.

--rich

Ryan Golhar wrote:

> I would suggest using NIS.  I currently have about 20 Linux hosts that
> users can use.  All users are authenticated via NIS.  It's pretty easy to
> set up and run...
> 
> -----
> Ryan Golhar
> Computational Biologist
> The Informatics Institute at
> The University of Medicine & Dentistry of NJ
> 
> Phone: 973-972-5034
> Fax: 973-972-7412
> Email: golharam at umdnj.edu
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of K. Richard Pixley
> Sent: Wednesday, March 17, 2004 7:52 PM
> To: General Red Hat Linux discussion list
> Subject: authentication question
> 
> 
> I'm at a loss for how to do authentication well for a small group of 
> Linux machines.
> 
> We have several Linux hosts, all of which run Samba, and all of which 
> should use a single password per user, or at least, a single password 
> change program which changes all passwords.  Samba really wants to use a
> domain server or to keep its own password database separate from the 
> Unix passwords.
> 
> Any suggestions on how to get these all authenticated off the same
> database?
> 
> The only thing I can see to do is to turn one into a domain controller 
> and have everything else authenticate off that.  Are there any other 
> alternatives?
> 
> --rich
> 
> 




