I'm sending this mail to the list because I think it could be useful.
I hope NIS is dead. Kerberos has so many useful features; one of them is
that the password database is maintained on the master server, but is copied to
slaves. Like on master nameservers, _NOT_ like on NIS masters.
So you have as many copies of it as you want on different machines. It's
copied in encrypted form, so that's another difference from NIS.
At this site is the complete documentation for Digital Unix 4.0.
http://www.pdc.kth.se/doc/osf/osf40/HTML/AA-Q0R2D-TET1_html/TOC.html
I know that BASE security isn't the same BASE on older versions ;-) Look
at that page.
With C2 you have local security, with Kerberos you also get network
security.
Run kerberos4! We have it, so most users don't have a problem: even if
the C2 database goes mad and passwords are lost, they still have their
passwords in Kerberos. Until someone deletes /etc/passwd, where there is
almost nothing, we have no problem. Only root needs its password from the C2
database. Other users? They just must be in Kerberos's database, that's
all!
Kerberos 5 doesn't have C2 support. Kerberos 4 HAS support for SIA. It's
not full support, but it works.
If you have NIS, listen: Every day cron sends /etc/passwd (of course
without passwords) to some mirror hosts. Every hour the password
database (Kerberos) is copied to our mirrors, over an encrypted channel. It
works like when backing up nameservers.
And, like with NIS, users have one password and one username for the domain;
the same UID is not needed. The wise ones use encryption features, tickets etc.
Installation takes about 10 minutes with compiling. Kerberos 4 is not
export restricted, and there is now one version compatible with Kerberos5,
with GSS_API's etc.
Space requirements?
bash-2.01# du -k /usr/athena
5090 /usr/athena/lib
7887 /usr/athena/bin
8 /usr/athena/include/sys
92 /usr/athena/include
5081 /usr/athena/libexec
1752 /usr/athena/sbin
143 /usr/athena/man/man1
64 /usr/athena/man/man3
16 /usr/athena/man/man5
68 /usr/athena/man/man8
155 /usr/athena/man/cat1
67 /usr/athena/man/cat3
15 /usr/athena/man/cat5
88 /usr/athena/man/cat8
627 /usr/athena/man
76 /usr/athena/info
20613 /usr/athena
bash-2.01#
For info and sources of Kerberos4, look at
http://www.pdc.kth.se/kth-krb/
I run it currently on OSF 4.0B with C2 enabled, and it works very well.
Martin
mmokrejs_at_natur.cuni.cz
Received on Tue Aug 12 1997 - 19:27:39 NZST