[H-GEN] kerberos or nis+

Sun Feb 27 18:11:49 EST 2000

[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics.  Please observe the list's charter.          ]

> I have the need to have user accounts for a variety of uses on a bunch of
> machines outside a secured network. This includes things like mail, proxy
> auth, password authentication and a few other minor things.
> I'm looking at either using nis+ or kerberos from a openbsd authentication
> server. What are peoples general suggestions? Which is more secure?

I'm not sure on the security levels of kerberos, but I believe that nis+ is 
quite secure (feel free to lambast me on this point if you wish). Part of the 
niceness of nis+ is that you can use either extended Diffie-Hellman keys or 
Secure RPC key pairs for authentication, and in conjuntion with acl support in 
solaris you can manage access down to single file level. 

> Kerberos support as far as I can tell under Linux isn't too crash hot, but
> it's fairly well supported under OpenBSD. Whereas NIS+ is the opposite. 
> Opinions? The password system may also make it's way onto some Solaris boxes.

The advantage of kerberos over nisplus is that there is an OSS version of 
kerberos, but nisplus is still firmly not even SCSLd. This should change with 
the release of the source code for Solaris 8 (anybody else ordering a copy?). 
Part of the problem is that while Sun apparently wanted to make nisplus an open 
standard, there wasn't any internal support to drive the project - a bummer.

Well, that's enough marketroid speak from me - go with kerberos until there's a 
free, open implementation of nisplus. 

cheers,
James
--
Frontline Support Engineer           828 Pacific Highway 
Sun Microsystems Australia Pty Ltd   Gordon NSW 2072
             Support Helpline: 1-800-555-786

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.