[plug] Authentication server

Nick Bannon nick at ucc.gu.uwa.edu.au
Wed Jan 21 18:25:02 WST 2009


On Wed, Jan 21, 2009 at 02:45:14PM +0900, Ian Kent wrote:
> NIS is simplest (you just continue to maintain your existing text files
> and use "make" in the NIS directory to update the maps) and least
> secure. The security issue is more for environments with untrusted users
> or that have machines exposed to the internet. Note that when using NIS
> clear text passwords will traverse the network your machines are on.

NIS doesn't use any clear-text in general, just for password changes -
there are workarounds:

http://www.linuxtopia.org/online_books/network_administration_guides/NIS_HOWTO_guide/rpasswdd.html

(or just only allowing passwords to be changed on the NIS master server,
or on "secure" networks.)

Part of what makes it simple is that you can configure the NIS clients
to talk to a particular server, or just let them broadcast on the
local subnet.

> LDAP is generally a bit painful unless you can find a good
> administration app.

LDAP is worth learning, or Kerberos; the curse is that there are more
options in setting it up and it's harder to get to grips with the followup
problems: what do I back up? What can still work if the authentication
server is down? What if it's down permanently?

Nick.

-- 
   Nick Bannon   | "I made this letter longer than usual because
nick-sig at rcpt.to | I lack the time to make it shorter." - Pascal



