Subject: Re: Question about NIS/Kerberos (kind of off topic).
To: Ken Hornstein <>
From: Rob Deker <>
List: current-users
Date: 04/16/1997 19:22:12

On Wed, 16 Apr 1997, Ken Hornstein wrote:

> Kerberos doesn't solve the password database problem.  Until recently, we
> were using AFS Kerberos; now we're using Kerberos 5.  In both cases we
> still use YP to distribute our password database.  Mind you, the password
> field for our users is set to "-K-", so we don't distribute the actual
> _passwords_ themselves.  Some sites use Hesiod to distribute password
> information instead of YP; I don't know much about it, so I can't comment
> on it.

I believe that Hesiod could easily be used for this. We use it heavily at
my workplace for things like mail and amd. I unfortunately haven't had
the chance to sit and talk at length w/ the guy who installed it all (my
boss) so I can't be of much help technically... sorry. I would say on general
principle that Hesiod would be the better choice though.

> Using Kerberos just as a central password database doesn't get you that
> much in the way of security (it gets you some, but not a lot).  Using
> Kerberos _clients_ everywhere so your passwords don't travel the net
> in cleartext is where the big advantage of Kerberos comes in.  Whether or
> not you want to go that route is up to you.

True, true... Kerberos (or any other authentication system for that matter)
does NO good if you cleartext your password everywhere...


"Off the keyboard, through the CPU, | 
out the transceiver, down the rj45  | Systems Engineer
line, across the router, through    | 
the Hub, out the gateway.           |  
        Nothing but net."           |
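
Added example, not part of either poster's message: a small audit for the setup described in the quoted text, where the YP password map carries "-K-" instead of real password fields. It assumes the map has been saved in the usual 7-field passwd(5) format (for instance from `ypcat passwd`); the sample entries are constructed.

```python
"""Audit passwd(5)-format lines for entries that expose more than the
Kerberos placeholder in the password field."""

PLACEHOLDER = "-K-"  # the marker value quoted in the thread above

# Constructed sample map; names, uids and the hash-like string are made up.
SAMPLE_MAP = """\
alice:-K-:1001:100:Alice:/home/alice:/bin/sh
bob:Xq3zR1p0aB9cE:1002:100:Bob:/home/bob:/bin/csh
carol::1003:100:Carol:/home/carol:/bin/sh
daemon:*:1:1:System daemon:/:/sbin/nologin
broken-line-without-fields
"""

def classify(field):
    """Say what a password field gives to anyone who can read the map."""
    if field == PLACEHOLDER:
        return "placeholder"
    if field == "":
        return "empty"    # account that has no password at all
    if field[0] in "*!":
        return "locked"   # conventional values that match no password
    return "hash"         # a crypt string is being distributed

def audit(text):
    """Return (line_no, user, kind) for entries that need attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:  # assumption: 7-field passwd map entries
            findings.append((n, parts[0], "malformed"))
            continue
        kind = classify(parts[1])
        if kind in ("hash", "empty"):
            findings.append((n, parts[0], kind))
    return findings

if __name__ == "__main__":
    for n, user, kind in audit(SAMPLE_MAP):
        print(f"line {n}: {user}: {kind}")
```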