Subject: NIS/Kerberos (RE: [Suns-at-Home] Housecleaning)
To: None <Netbsd-help@NetBSD.org>
From: Chuck Yerkes <chuck+nbsd@2003.snew.com>
List: netbsd-help
Date: 12/17/2003 13:52:46
Longish, but I get around to a point if you've got the patience.
(perhaps edumucational too :)

Quoting Alan Horn (ahorn@deorth.org):
> 
> On Tue, 16 Dec 2003, Chuck Yerkes wrote:
> >No, other choices were HESIOD for info, Kerberos for auth or,
> >post 1998, LDAP.  SASL authentication (or SSL/IPSec encrypted
> >paths - or even private networks for a cabinet of infrastructure)
> >and I can scale and offer what NIS offers, just better.
> 
> Of course, but you're an expert, many are not, and of the 'easy' solutions
> out there, NIS is generally one of the better ones. The real world
> intervenes as always.


One of the BEST bits of security in the last 10 years has been
ssh.

Why?  Because, for people using telnet/rsh, it's a drop in replacement
that requires no effort on the part of the user.  Very often the
choice is between:

    security                                convenience 
        |--------------------------------------|
                  ^ you are here (somewhere)

As I replaced ssh with rsh most of the users didn't really notice.
(loading known_hosts helped).  Mostly, they didn't have to change
their behavior to be TONS more secure.

https is similar.  A web user often doesn't even notice.


Where am I going with this?
  Like many unix tools and subsystems, things like Kerberos
do what they do pretty well.  With zero front end.  The Lotus
and Apple L&F suits put a fear into the MIT crowd as also
evinced by X11R6.

The Unix tradition of "no front end from the supplier" also helped.
X11 has, largely, failed in its promise.  I blame the code complexity
(see README).  Its only salvation has been the army of (my view)
kids who grew up with Macs and Windows GUIs and were learning
programming and seeing ORBs come along and so they wrote KDE and
GNOME with Look and Feel Dictates (there will be a FILE menu item
and QUIT will be located there).

That it kicked the Committee Designed Environment off of the desks
of the 2nd and 3rd wave of tech embracers says a lot for the power
of Open Source.


Back to that other MIT offering:  Athena and Kerberos.  Written in
the mid-late 80s, Athena was an environment with lots of neat
futuristic features.  Instant messaging in Zephyr, chat room
technology in discuss, Hesiod was a 3 routine interface to a
directory - they used DNS as the back end as a highly scalable
interim until a Real Directory came along.

Kerberos has survived.  And it looks like it may actually continue
via Microsoft (albeit changed).

While SSH is outstanding for communications between machines that
don't know each other, Kerberos is outstanding to "talk" securely
between machines that *are* related and know each other.

But it's a huge effort to set up.  Obtuse commands, documentation
that gets sidetracked in greek symbols and high math of the principle
of it.  Very little practical:
- Create a host key using the add new key command (ank) and move
  it to this machine and put it HERE.

My SSH startup scripts look for host keys and, on first boot when
not found, MAKE them.

For a new user, create a key with THIS command and do this.
Then add privs for this user with THIS command.


After 15 years, it may be too late.  Kerberos is handy for remote
terminals (ssh/rsh/telnet) and for some POP (eudora). However,
"kerberizing" apps is perhaps not that complex, but it's only
explained and documented by people whose first language is the
Calculus.  See also "Hello World" in X11R3.


Hell, a CGI module that speaks over https would do a ton to make it
simple to setup and run a kerberos environment.  Once you have it
running easily and once you have fairly straightforward routines to
"kerberize" something, you get a chance at a groundswell.


NIS is butt simple to setup and run.
Why?  "make" and "ypinit" are all you need.  Maybe a little
nsswitch.conf these days.

People use NIS because, as you said, it's no effort for someone
to setup while reading 2 pages of instructions.

But it's ONLY about front end.


Presume ssh (and get it into the OS's base package), use a Makefile
with, perhaps, a curses front end (that can also take context free
pokes from a web interface) and it can be almost as easy as NIS
to setup for authentication.
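As an added example (my own, not code from the post or from the OpenSSH or Kerberos projects), here is the kind of script the post describes: a first-boot check that creates whatever ssh host keys are missing and never touches an existing one, next to the short "practical" Kerberos recipe the post says the documentation never gives. Assumptions, marked in the comments: OpenSSH's ssh-keygen (its -t/-N/-f flags), MIT Kerberos kadmin.local query syntax, the paths /etc/ssh and /etc/krb5.keytab, and a hypothetical host name host.example.com.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes OpenSSH ssh-keygen and
# MIT Kerberos kadmin.local; both commands are overridable for testing.
KEYGEN="${KEYGEN:-ssh-keygen}"        # assumed: OpenSSH ssh-keygen
KADMIN="${KADMIN:-kadmin.local}"      # assumed: MIT kadmin.local on the KDC

# ensure_ssh_host_keys DIR
# Create any host key pair that is missing from DIR and leave existing ones
# alone (regenerating a key would invalidate every client's known_hosts entry).
# Prints the number of key pairs generated.
ensure_ssh_host_keys() {
    dir="$1"
    generated=0
    for type in rsa ecdsa ed25519; do
        key="$dir/ssh_host_${type}_key"
        if [ -f "$key" ]; then
            continue
        fi
        # Empty passphrase: sshd has to read the key unattended at boot.
        "$KEYGEN" -q -t "$type" -N "" -f "$key"
        chmod 600 "$key"        # private half: root only
        chmod 644 "$key.pub"    # public half is what clients pin, world-readable
        generated=$((generated + 1))
    done
    echo "$generated"
}

# kerberize_host FQDN [KEYTAB]
# The "create a host key with ank and put it HERE" step, spelled out:
# a random-key host principal, extracted into the machine's keytab.
# (In MIT kadmin, ank is an alias for addprinc.)
kerberize_host() {
    fqdn="$1"
    keytab="${2:-/etc/krb5.keytab}"   # assumed default path
    "$KADMIN" -q "addprinc -randkey host/$fqdn"
    "$KADMIN" -q "ktadd -k $keytab host/$fqdn"
    if [ -f "$keytab" ]; then
        chmod 600 "$keytab"           # the keytab IS the host's long-term key
    fi
}

# kerberize_user NAME
# The user recipe.  addprinc without -randkey prompts for the initial
# password.  "Privs" are not a command in MIT Kerberos: they are a line in
# kadm5.acl such as  NAME/admin@REALM *  that kadmind reads on startup.
kerberize_user() {
    "$KADMIN" -q "addprinc $1"
    "$KADMIN" -q "addprinc $1/admin"
}

# Hook for an rc script:  sh this_script --first-boot /etc/ssh
case "${1:-}" in
    --first-boot)
        n=$(ensure_ssh_host_keys "${2:-/etc/ssh}")
        echo "ssh host keys: generated $n"
        ;;
esac
```

The check is idempotent, so it can run unconditionally from rc on every boot; only a box whose /etc/ssh is empty (a fresh install, or a cloned image that had its keys stripped, which is what you want) does any work. Pre-loading clients' known_hosts, as the post mentions, is the other half: generate the keys, then distribute the .pub halves, never the reverse.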