Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Kevin P. Neal <kpneal@pobox.com>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-security
Date: 10/12/1998 01:27:18
>Hesiod (alongside Kerberos).
>
>Works at NCSU, handling over 50,000 user accounts. It piggybacks inside DNS.
>
>They've got systems running as realm clients on machines as diverse as
>SPARCstations, Dell NT boxes, Mac/PPC boxes, etc. It's pretty sweet.

The problem is the Hesiod distribution only comes with the Hesiod
library routines which replace getpw*; they don't tell you how to put
those routines _in your operating system_, which is the really tricky
part.

Obviously, people have done this, but they either don't share their
work or it's in a non-obvious place.  I spent a couple of days
looking at Hesiod, and this was the sticking point.  I could have
spent the energy to shove it into shared C libraries on different
operating systems, but I already spent most of my energy getting
Kerberos everywhere, and it just didn't seem worth it.  We're a
big Kerberos/AFS shop, but we still use YP.

A few other comments, as long as we're talking about Kerberos:

>Yep, but it at least does one thing well: authentication.  It's not
>easy to administer, it's not terribly easy for users to understand,
>and it doesn't handle administrative information (GECOS info,
>username, UID, etc.), but at least it manages authentication well.

I don't quite understand what people mean by "users don't understand
Kerberos".  Sure, they don't, but they don't understand 95% of the
things they use, and that generally doesn't stop them :-)  For
example, they don't understand YP, but they use it just fine.

In our environment you walk up to a workstation, type in your
password at the login prompt, and you don't have to type in your
password again for that day.  You can use telnet, rlogin, rsh, ftp,
and they all work like you're used to ... except that you don't
have to type in your password again.  Even our dumbest users don't
have a problem with this.

As for DCE ... I don't know of any DCE ports to NetBSD.  It's a big
nasty mess, and I've been staying away from it.  Especially since
it's lagging in important Kerberos developments, I don't think
it's very relevant nowadays.

--Ken