On Wed, Mar 05, 2008 at 04:03:03PM +0000, Darren J Moffat wrote:
> Kyle McDonald wrote:
> > So is this just the 'local files' version of what I'd already have if I
> > was storing my userinfo in NIS+?
>
> Correct, with the exception that Nico already pointed out that it is
> only the DES creds and not the extended dh192-o and dh640-0 those are
> only supported in NIS+
Files and NIS support 192 bit public keys, while NIS+ and LDAP support 640 and 1024 bit keys. It gets more complicated too. The mech_dh GSS mechanism supports all three, source code-wise, but we only ship the .so's for 640 and 1024 bit keys, so if you use the files and/or NIS publickey backends then you're very limited in what you can do (e.g., you can't use these for FTP, SSH, ...).

In *all* cases you're limited to DES session keys, and the mech_dh protocol, IIRC, has issues. It's a very simple protocol where the initiator sends a session key encrypted in a key derived from the DH key for the pair of peers (g^xy mod p), and there's no protection against reflection attacks nor replays, which is good enough for NFS w/ RPCSEC_GSS and SSHv2, where the app protocol effectively deals with those, but not good in the general case.

I've not looked at the X11 AUTH_DH thing, but I assure you that unless you're sharing a display with multiple users then anything other than cookies is simply not worthwhile.

Nico
--
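The exchange Nico describes above, modelled as an added Python example that is not part of this thread or of any Solaris code: a constructed toy DH group and a hash-based stand-in for DES, the nonce-free "send E(pair key, session key)" message as described, and beside it an illustrative challenge-bound variant (my addition, not mech_dh's design) so the replay/reflection gap and one way to close it are visible in running code.

```python
import hashlib
import hmac
import secrets

# Toy group: M127 prime and g=2, constructed for illustration (real deployments use a large safe prime).
P = (1 << 127) - 1
G = 2
def keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def pair_key(my_priv, peer_pub):
    # Key for one pair of peers, derived from g^xy mod p (stand-in for the DES key mech_dh derives).
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(16, "big")).digest()[:16]

def xor_stream(key, data):
    # Toy cipher standing in for DES: XOR with a hash-derived keystream (same call encrypts and decrypts).
    ks = hashlib.sha256(b"stream" + key).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

# Exchange as the mail describes it: the initiator sends E(pair_key, session_key) and nothing else,
# so the responder cannot tell a fresh message from a captured one delivered again.
def simple_init(pk, session_key):
    return xor_stream(pk, session_key)
def simple_accept(pk, msg):
    return xor_stream(pk, msg)

# Illustrative variant (not mech_dh's own design): the responder's challenge and the message
# direction are bound into a MAC, so a stale or reflected message no longer verifies.
def hardened_init(pk, session_key, challenge):
    enc = xor_stream(pk, session_key)
    return enc, hmac.new(pk, b"init->resp" + challenge + enc, hashlib.sha256).digest()

def hardened_accept(pk, challenge, msg):
    enc, tag = msg
    expect = hmac.new(pk, b"init->resp" + challenge + enc, hashlib.sha256).digest()
    return xor_stream(pk, enc) if hmac.compare_digest(tag, expect) else None

def demo():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    pk_a, pk_b = pair_key(a_priv, b_pub), pair_key(b_priv, a_pub)   # both sides derive the same key
    ks = secrets.token_bytes(16)
    captured = simple_init(pk_a, ks)
    replay_accepted = simple_accept(pk_b, captured) == ks            # second delivery yields the same key
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)        # one fresh challenge per run
    msg = hardened_init(pk_a, ks, c1)
    fresh_ok = hardened_accept(pk_b, c1, msg) == ks
    replay_rejected = hardened_accept(pk_b, c2, msg) is None
    return pk_a == pk_b, replay_accepted, fresh_ok, replay_rejected
```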