Re: Indent authentication overloading
From | Aidan Van Dyk |
---|---|
Subject | Re: Indent authentication overloading |
Date | |
Msg-id | AANLkTinuTngHmUHjMhhzLqn5DC+Vn23FfK=HbKJ3N2ak@mail.gmail.com |
In response to | Re: Indent authentication overloading (Josh Berkus <josh@agliodbs.com>) |
List | pgsql-hackers |
On Thu, Nov 18, 2010 at 1:01 PM, Josh Berkus <josh@agliodbs.com> wrote:
>
>> We use it. Do you have an alternative that doesn't lower security
>> besides Kerberos? Anti-ident arguments are straw man arguments - "If
>> you setup identd badly or don't trust remote root or your network,
>> ident sucks as an authentication mechanism".
>
> Actually, you're trusting that nobody can add their own machine as a node on
> your network. All someone has to do is plug their linux laptop into a
> network cable in your office and they have free access to the database.

I think you need to give him a little more credit than that... From
the description he gave, I wouldn't be surprised if the networks he's
using ident on, he's got switch ports locked, limited server access,
etc...

His whole point was that in his locked down network, ident is *better*
than giving everybody "yet another password" they have to manage, have
users not mis-manage, and make sure users don't mis-use...

So, yes, ident is only as secure as the *network and machines* it's
used on. Passwords are only as secure as the users managing them, and
the machines/filesystems containing .pgpass ;-)

a.

--
Aidan Van Dyk                                             Create like a god,
aidan@highrise.ca                                       command like a king,
http://www.highrise.ca/                                   work like a slave.