Subject: Re: Centralized User and Password Management
To: None <>
From: Tillman Hodgson <>
List: netbsd-users
Date: 11/24/2004 07:51:34
On Tue, Nov 23, 2004 at 10:51:26PM -0600, Thomas T. Thai wrote:
> I'm curious what people are using to centralize authentication and user, 
> password, and services management. What are your thoughts on each? I'm 
> aware of these Open Source solutions:
> - NIS (YP) - insecure
> - Hesiod + Kerberos

I tend to prefer Kerberos + NIS, with NIS run over an IPsec'd VLAN
(transport mode). I modify NIS maps to have "krb5" or "*" in the password
field so that they're invalid as Kerberos will handle the
authentication. I use IPsec to provide secure confirmation that I'm
talking to the right host and that the packet hasn't been modified in

This gives a traditional "feeling" system that's very easy to set up and
maintain (NIS) and provides both single-sign-on and reasonable security
(Kerberos and IPsec).


Painted cakes are real, too.
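
An added example, not part of the original post: a small audit that checks passwd-format map lines (as `ypcat passwd` would print them) and reports any entry whose password field is not one of the "krb5" or "*" placeholders the post describes. The function name, the sample entries and the acceptance of 10-field master.passwd-style lines are assumptions made for this illustration.

```python
"""Audit NIS passwd-map lines for password fields that still carry a value."""

# Placeholders described in the post: authentication is left to Kerberos.
INVALID_MARKERS = {"krb5", "*"}

# Constructed sample in passwd-map format (7 colon-separated fields).
SAMPLE_MAP = """\
alice:krb5:1001:100:Alice Example:/home/alice:/bin/ksh
bob:*:1002:100:Bob Example:/home/bob:/bin/sh
carol:$2a$04$constructedconstructedconstructed:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave Example:/home/dave:/bin/sh
broken-line-without-fields
"""


def audit_passwd_map(text):
    """Return (lineno, name, problem) for every entry that is not neutralised."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Assumption: 7 fields (passwd map) or 10 fields (master.passwd style).
        # The password is the second field in both layouts.
        if len(fields) not in (7, 10):
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw = fields[0], fields[1]
        if pw in INVALID_MARKERS:
            continue  # placeholder only, nothing usable is published via NIS
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        else:
            findings.append((lineno, name, "password field holds a hash or other value"))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in audit_passwd_map(SAMPLE_MAP):
        print(f"line {lineno}: {name}: {problem}")
```
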