I was looking around for this, and I found that Kerberos uses DES encryption; John (on my system) reports it as rather weak:
Benchmarking: Standard DES [24/32 4K]... DONE
Many salts: 151603 c/s real, 169200 c/s virtual
Only one salt: 152806 c/s real, 155607 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 5750 c/s real, 5940 c/s virtual
Only one salt: 5630 c/s real, 5721 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 3092 c/s real, 3752 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 222 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 143462 c/s real, 153271 c/s virtual
Long: 377600 c/s real, 394979 c/s virtual

Benchmarking: NT LM DES [24/32 4K]... DONE
Raw: 1080115 c/s real, 1125120 c/s virtual

I'm now using MD5 passwords in NIS.
Yet it seems the consensus that Kerberos is secure, am I missing something?

On Fri, 2003-09-12 at 15:00, Tillman Hodgson wrote:
> On Fri, Sep 12, 2003 at 11:35:16AM +0200, Guy Van Sanden wrote:
> > On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> > > The rough instructions are fairly simple:
> > >
> > > * Set up Kerberos and ensure you have a working realm
> > > * Set up NIS, but set all the passwd fields to something that doesn't
> > >   map to a real password (I like 'krb5', others like '*')
> > >
> > > That's about it. It works because authentication in a Kerberized world
> > > doesn't check the password field in the NIS maps anyway (or the
> > > /etc/master.passwd file for that matter). Your non-Kerberos apps will
> > > break for users that aren't local, but I consider the incentive to
> > > replace them a benefit :-)
> >
> > Do you have some links to websites or so that you used to set this up?
>
> Not really. Kerberos and NIS are both in the Handbook, and as I
> mentioned above I just changed the /var/yp/master.passwd that NIS was
> working off of to have 'krb5' in the password field.
>
> A quick bit of Google spelunking dug up some references but no
> "HowTos". The RedHat Security Guide mentions it explicitly in the NIS
> section, for example.
>
> > I'm very interested in this setup, with the added complication that the
> > clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
> > (5.0).
>
> Normally NIS is a pain between different Unix implementations (due to
> the different passwd designs such as DES vs. MD5). When using Kerberos
> to handle the authentication, those problems go away. On the other
> hand, you get to learn how to install NIS and Kerberos on multiple
> operating systems :-)
>
> -T
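
Added example, not part of the original thread: a Python check that every entry in a NIS master.passwd source file carries one of the placeholders mentioned above ('krb5' or '*') in its password field rather than a crackable hash. The function names, the hash-shape table and the sample entries are assumptions made for this example; the 10-field layout is FreeBSD's master.passwd format.

```python
import re

# Placeholders named in the thread; any other password field is a finding.
PLACEHOLDERS = {"krb5", "*"}
# crypt(3) hash shapes, checked in order (table assembled for this example).
HASH_SHAPES = [
    ("md5-crypt", re.compile(r"^\$1\$")),
    ("blowfish", re.compile(r"^\$2[abxy]?\$")),
    ("bsdi-des", re.compile(r"^_[./0-9A-Za-z]{19}$")),
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

def classify(field):
    # Name what a master.passwd password field contains.
    if field in PLACEHOLDERS:
        return "placeholder"
    if field == "":
        return "empty"  # no password at all: worse than a weak hash
    for name, shape in HASH_SHAPES:
        if shape.search(field):
            return name
    return "unknown"

def audit(map_text):
    # Return (line number, user, finding) for each non-placeholder entry.
    findings = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:  # name:pw:uid:gid:class:change:expire:gecos:home:shell
            findings.append((lineno, fields[0], "malformed"))
            continue
        kind = classify(fields[1])
        if kind != "placeholder":
            findings.append((lineno, fields[0], kind))
    return findings

SAMPLE = """\
# constructed sample entries, not real accounts or real hashes
alice:krb5:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constrct$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:ab1234567890.:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:*:1005:1005::0:0:Erin:/home/erin:/bin/sh
"""

if __name__ == "__main__":
    for lineno, user, kind in audit(SAMPLE):
        print(f"line {lineno}: {user}: password field is {kind}")
```

Any entry it reports still exposes a hash (or an empty password) to every NIS client that can read the map, independent of what Kerberos does.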
