Subject: Re: Centralized User and Password Management
To: None <>
From: Tillman Hodgson <>
List: netbsd-users
Date: 11/24/2004 10:10:26
On Wed, Nov 24, 2004 at 05:03:41PM +0100, Pavel Cahyna wrote:
> On Wed, 24 Nov 2004 13:51:34 +0000, Tillman Hodgson wrote:
> > On Tue, Nov 23, 2004 at 10:51:26PM -0600, Thomas T. Thai wrote:
> >> I'm curious what people are using to centralize authentication and user,
> >> password, and services management. What are your thoughts on each? I'm
> >> aware of these Open Source solutions:
> >> 
> >> - NIS (YP) - insecure
> >> - Hesiod + Kerberos
> > 
> > I tend to prefer Kerberos + NIS, with NIS run over an IPsec'd VLAN
> That is interesting. How do you configure IPsec for NIS? I thought about
> such solution also and it seemed almost impossible - doesn't the port
> used by RPC services change unpredictably?

Yes. The critical piece is the word "VLAN": I run RPC services over a
separate subnet. The entire subnet uses IPsec in transport mode.

I was worried about NFS performance, but enabling compression in IPsec
really helps. There's some posts I did to the FreeBSD mail lists a few
months ago (Google should be able to dig them up) where I benchmarked 105%
of wirespeed using simulated NFS UDP packets between relatively low-end
machines. Latency suffers, of course, but that may be a worthwhile
trade-off for your environment.


"If you would be a real seeker after truth, you must at least once in
 your life doubt, as far as possible, all things."
    -- Rene Descartes, _Discourse on Method_
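
The subnet-wide transport-mode setup described in the message above, sketched as a KAME `setkey` policy file. This is an added example, not part of the original post or the poster's actual configuration; the 192.0.2.0/24 range is a constructed placeholder for the dedicated RPC subnet, and SAs are assumed to be negotiated by an IKE daemon such as racoon.

```conf
# /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf
# Added example. 192.0.2.0/24 is a placeholder for the dedicated RPC VLAN.

flush;      # clear any existing SAs
spdflush;   # clear any existing policies

# The selectors name only the subnet: no protocol ("any") and no port.
# Every packet between two hosts on the VLAN matches, so it does not
# matter which ports portmap hands out to ypserv, mountd and the other
# RPC services. A per-port selector would miss the dynamic ports.
#
# Request order is innermost first: compress (IPComp), then encrypt (ESP).
# Compression after encryption would gain nothing.
#   ipcomp at level "use"  -> compress when an IPComp SA is available
#   esp at level "require" -> drop traffic that cannot be protected

spdadd 192.0.2.0/24 192.0.2.0/24 any -P out ipsec
    ipcomp/transport//use
    esp/transport//require;

spdadd 192.0.2.0/24 192.0.2.0/24 any -P in ipsec
    ipcomp/transport//use
    esp/transport//require;
```

`setkey -DP` lists the installed policies and `setkey -D` the negotiated SAs; an `esp` entry should appear for each host pair once traffic flows on the VLAN.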