After the untimely death of NIS (née YP) and NIS+ has there been any work in a distributed authentication (and not only) system under Unix beyond Kerberos? It seems that now you “distribute accounts by ansible” which makes an old hand like me cringe. LDAP has been mentioned to me but nothing lightweight which doesn’t stink of committee meetings or misguided devops has turned up since?

@cynicalsecurity So I use both Kerberos and LDAP at home, in fact I have 3 separate Kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity and LDAP has its issues, but it works pretty well together. I am happy to give pointers and howtos. My setup tends to be a bit BigIron ™️

@david I have nothing against running a Tandem for authentication, mind you :flan_set_fire:

Kerberos would be my choice now but #OpenBSD has taken it out of base so that doesn’t help… the three domains don’t scare me but LDAP: why LDAP? Not flaming, I really cannot fit LDAP into Unix (the philosophy).

@cynicalsecurity wow, removed in 5.6, TIL (2014)... listed as improving security; curious to hear more about that.

LDAP; great question, and yeah to be totally honest it is (at best) an awkward fit with the Unix philosophy. Really it comes down to a few things.

1. There really isn't anything else to securely distribute this information.

1/2

@david @cynicalsecurity
This was before I joined the project, but I read all about it (and cried because I was using Kerberos).

It was removed because it, like OpenSSL, was a big glob of crypto code that folks generally didn't dig into. Heartbleed had just happened, so they felt like keeping another big scary crypto thing around that no one was scrutinizing was bad.


@kurtm @cynicalsecurity

Honestly, that felt like a knee-jerk reaction (LibreSSL)... and even more so with Heimdal. Both of those projects get EXTENSIVE scrutiny by being used so many places and looked at by security researchers and even government agencies... which yes... that last group definitely has a complicated history with disclosure.

There's this bit too with keeping the GSSAPI KeyExchange code out of openssh... but at least this is consistent if they yoinked Heimdal.


@kurtm @cynicalsecurity

Disclosure: I wrote the MIT Kerberos implementation of the RC4-HMAC Windows interoperability crypto system... so I am a huge fanboi of Kerberos, and MIT Kerberos specifically ;)

@david @kurtm I was never a Kerberos fanboy because, when I first encountered it in 1991, it was in the hands of rabid computer scientists who refused to describe or explain their setup and wanted sole control over it. So we went with NIS across multiple Unix systems, yes, I know…

My concern back then with Kerberos was the “all the eggs in one basket” and how the whole TGT process was unnatural within a Unix context: “why do I have to get a ticket again even though I am logged in?”

@david @kurtm back then having a single server with a weird setup for a secondary felt dangerous, for example. Abandoned then and never revisited which, I agree, is a mistake on my part. Then Windows AD came with its own brand of Kerberos + LDAP and I just screamed in horror :flan_XD:

@cynicalsecurity @kurtm

That was definitely my first impression of Kerberos too... Like 'things need to VOLUNTARILY check this... that isn't security!' And that is true-ish for local things, like emacs isn't going to check this before it opens a file.

What it does for me, though, is mean I can SSH (and not need to manage host keys even!), or GIT, or email, or webpages and NOT need to store my plaintext-equivalent password in all of those places. Is it overkill for me? Almost certainly yes!

@david @kurtm yes, distributed authentication is what I want but Kerberos back then was really heavy not to mention that the secondary was not a real server and if the primary went down all Hell broke loose.

Ideally I’d appreciate the NIS/YP capability of distributing (simple) databases of information beyond authentication, for example:
* mail aliases,
* anti-spam blocklists / allowlists,
* proxy settings.
Stuff which needs to be the same across many systems, can change frequently (or not), and you are allergic to centralised script systems like ansible :flan_laugh:

Technically I have nothing against ansible to push configurations onto pristine machines but everything else is not really a shell-script job, is it? :flan_set_fire:

Cross Family's Mastodon