On Sun, Apr 07, 2002 at 10:04:01PM -0500, Rob VanFleet wrote:
> On Sun, Apr 07, 2002 at 07:39:43PM -0700, Luca Filipozzi wrote:
> > Two choices for authentication (passwd + shadow):
> > (1) Kerberos
> > Never used it. Can't advise you.
>
> I've looked at Kerberos, but at least a cursory glance leaves the
> impression that it is ridiculously complicated to set up and requires
> multiple servers. If someone has used it and can correct me, please do.

I suspect that if all your boxes are running Debian, your life will be made easier by all the Debian kerberos packages.

> > (2) LDAP
> > Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
> > the equivalent of NIS but securely.
>
> Without using SSL or Kerberos, would LDAP still be sending passwords
> across the net in plain text?

Two choices (I like lists :) ):

(1) use libpam-ldap:

libpam-ldap sends the password to the ldap server. If not using TLS/SSL, then it is sent in the clear. By sending the password to the server (rather than using a salt+hash), you can use whatever hash algorithm you want on the server. The server takes the password and does the hashing locally. So, you *must* use TLS/SSL if you are using libpam-ldap, imo.

(2) don't use libpam-ldap:

You don't have to use libpam-ldap. You could just use libnss-ldap and have the ldap server transfer the password hashes to the workstations in the clear ... which is equivalent to NIS. You could also use libnss-ldap with SSL/TLS so that the hashes are transferred more securely (equivalent to NIS+).

Luca

-- 
Luca Filipozzi, Debian Developer
[dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D