Subject: Re: Centralized User and Password Management
To: Tillman Hodgson <>
From: Greg A. Woods <>
List: netbsd-users
Date: 11/25/2004 16:50:50
[ On Wednesday, November 24, 2004 at 07:51:34 (-0600), Tillman Hodgson wrote: ]
> Subject: Re: Centralized User and Password Management
> I tend to prefer Kerberos + NIS, with NIS run over an IPsec'd VLAN
> (transport mode). I modify NIS maps have "krb5" or "*" in the password
> field so that they're invalid as Kerberos will handle the
> authentication. I use IPsec to provide secure confirmation that I'm
> talking to the right host and that the packet hasn't been modified in
> transit.

Indeed NIS over some kind of private network -- over an IPsec secured
VLAN if you want to keep your interfaces and wiring down to a minimum
and over IPsec anyway if you don't trust your local wiring -- is
reasonably secure.  There may be weaknesses in the software
implementations, but at least with a private network the inter-host RPC
traffic over the network infrastructure is reasonably secure.

If I'm not mistaken you also need to keep all your system clocks in sync
for NIS (or Kerberos) to be trusted....  Or am I thinking of NIS+?

> This gives a traditional "feeling" system that's very easy to set up and
> maintain (NIS) and provides both signle-sign-on and reasonable security
> (Kerberos and IPsec).

You should not need Kerberos for the "single-sign-on" feature if you're
using NIS.

Oh -- perhaps you mean that other meaning of "single sign on" -- the one
which actually reduces your overall security unless (and even sometimes
if) your users are extremely and consiously aware of all security issues
at all times.

Regardless given all the problems and complexities with Kerberos I'd
suggest that it should only be used in reasonably large organizations
that can truly dedicate the resources necessary to run a proper and
truly secure KDC and to do all the other things necessary to keep the
entire Kerberos infrastructure running.

Note that forcing users to type their passwords frequently (e.g. once
for every new window or session they open), can actually increase
overall security because it makes it much more likely that they will
actually memorize their passwords and not be so tempted write them down
anywhere.  This is especially true if you also force your users to
change their passwords frequently enough that they might otherwise tend
to want to write down the new password that they're afraid they'll
forget where if they use it many times right away on the day it's
assigned then even if that's a Friday (don't do that!) they'll still
remember it (or at least their fingers will) on Tuesday after a long
weekend away.

Of course there are those who will argue that even just having one
identical password everywhere is highly detrimental to security and
they're not exactly wrong either!  ;-)

Once upon a time I dreampt of enhancing the SysV-style separate shadow
password file system such that NIS (or something very much like it)
could be used just and only to manage the account information and so
that each machine could maintain a separate local password for some/all
users....  I.e. centralized user management _without_ single-sign-on.
The best of both worlds!  ;-)

						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <>
Planix, Inc. <>          Secrets of the Weird <>