Subject: Re: Question about NIS/Kerberos (kind of off topic).
To: None <current-users@NetBSD.ORG>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: current-users
Date: 04/16/1997 01:53:34
>Although I haven't configured it myself, I think kerberos can be used for
>central password database administration. This supposedly provides a great
>deal of security. Perhaps someone else on the list can chime in here....
Kerberos doesn't solve the password database problem. Until recently, we
were using AFS Kerberos; now we're using Kerberos 5. In both cases we
still use YP to distribute our password database. Mind you, the password
field for our users is set to "-K-", so we don't distribute the actual
_passwords_ themselves. Some sites use Hesiod to distribute password
information instead of YP; I don't know much about it, so I can't comment
on it.
Using Kerberos just as a central password database doesn't get you that
much in the way of security (it gets you some, but not a lot). Using
Kerberos _clients_ everywhere so your passwords don't travel the net
in cleartext is where the big advantage of Kerberos comes in. Whether or
not you want to go that route is up to you.
--Ken