authentication question
K. Richard Pixley
rich at noir.com
Thu Mar 18 04:33:41 UTC 2004
NIS has several problems. First, the only way I can see to get Samba to
authenticate via NIS is to convince all the Windows clients to send
their passwords in the clear. That's bad for two reasons: I have to
touch each and every Windows client, and the passwords cross the network
in the clear. These days that's not acceptable.

Second, NIS sends its encrypted passwords over the wire. This means
that anyone with a sniffer can snag a few and start running dictionary
password crackers. NIS+ fixes this, but apparently at a high
administrative cost. IPSEC might fix this too. The situation is moot
in this case, though, as when Windows clients send encrypted passwords,
they are doing essentially the same thing. And that's the best Windows
has to offer right now.
--rich
Ryan Golhar wrote:
> I would suggest using NIS. I currently have about 20 linux hosts that
> users can use. All users are authenticated via NIS. It's pretty easy to
> set up and run...
>
> -----
> Ryan Golhar
> Computational Biologist
> The Informatics Institute at
> The University of Medicine & Dentistry of NJ
>
> Phone: 973-972-5034
> Fax: 973-972-7412
> Email: golharam at umdnj.edu
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of K. Richard Pixley
> Sent: Wednesday, March 17, 2004 7:52 PM
> To: General Red Hat Linux discussion list
> Subject: authentication question
>
>
> I'm at a loss for how to do authentication well for a small group of
> linux machines.
>
> We have several linux hosts, all of which run samba, and all of which
> should use a single password per user, or at least, a single password
> change program which changes all passwords. Samba really wants to use a
> domain server or to keep its own password database separate from the
> unix passwords.
>
> Any suggestions on how to get these all authenticated off the same
> database?
>
> The only thing I can see to do is to turn one into a domain controller
> and have everything else authenticate off that. Are there any other
> alternatives?
>
> --rich
>
>
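Added example, not part of the original thread: a defender-side audit that lists which accounts in a NIS passwd map carry a real password hash (the thing the reply above says crosses the wire) rather than a placeholder. The sample map is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in passwd(5) format, as `ypcat passwd` would print it.
SAMPLE_MAP = """\
alice:aaQ1zB0cD2eF3:1001:100:Alice:/home/alice:/bin/bash
bob:$1$Xy12ab34$AbCdEfGhIjKlMnOpQrStU/:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
dave:!!:1004:100:Dave:/home/dave:/bin/bash
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")   # traditional 13-character crypt(3)
MODULAR = re.compile(r"\$([0-9a-z]+)\$")       # $id$salt$hash formats
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def classify(field):
    """Name the hash scheme in a password field, or say why no hash is exposed."""
    if field == "":
        return "empty"                 # no password set at all
    body = field.lstrip("!")           # a '!' lock prefix does not hide the hash behind it
    if body in ("", "x") or body.startswith("*"):
        return "placeholder"           # shadowed or disabled: nothing to crack
    if DES_CRYPT.fullmatch(body):
        return "des-crypt"
    m = MODULAR.match(body)
    if m:
        return SCHEMES.get(m.group(1), "crypt-id-" + m.group(1))
    return "unknown"

def audit(map_text):
    """Return (user, scheme) for every entry whose hash is visible in the map."""
    exposed = []
    for line in map_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue                   # skip malformed or blank lines
        scheme = classify(parts[1])
        if scheme not in ("placeholder", "empty"):
            exposed.append((parts[0], scheme))
    return exposed

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_MAP):
        print(f"{user}: {scheme} hash visible to any client that can read the map")
```
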