Bugtraq mailing list archives
Re: Replacement for NIS? (was Re: Obtaining NIS domainname from
From: afx () ibm de (Andreas Siegert)
Date: Mon, 17 Apr 1995 19:18:46 +0200 (CEST)
One's own domainname, nothing. But someone else knowing your domainname gives that someone a significant edge when it comes to breaking into your machines.

Given the more recent versions of ypserv I don't see any major security problems left with YP, i.e. the patches which Sun (at least, and maybe HP if you believe their docs) produced which tell a ypserv and portmapper which machines they should talk to. Back before these patches one could extract yp maps from a random domain using ypxfer, or hand-written code, but this no longer works with the newer code. If there are other security holes left please enlighten me.
Any user on the legal hosts still can get encrypted passwords. No password aging and password quality control mechanism in heterogeneous environments. The host-based access control in ypserv can be easily circumvented by adding your own system to the local LAN and spoofing an address. The changes sure protect against attacks from remote sites, but local security is still very low.

bye
afx

--
Andreas Siegert afx () ibm de / afx () barolo ak munich ibm com / AFX at IPNET
Every time we've moved ahead in IBM, it was because someone was willing to take a chance, put his head on the block, and try something new - Thomas Watson, Jr.
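Added example, not part of the original post: a check for the first point in the reply above, that any user on a permitted host can read the encrypted passwords. It parses a passwd-format map dump, such as the output of `ypcat passwd`, and reports which accounts carry a real hash or an empty password in the map; the sample map and the function names are constructed for illustration.

```python
"""Audit a NIS passwd map dump for password hashes readable by any client."""
import re

# Constructed sample in passwd(5) format, as `ypcat passwd` would print it.
SAMPLE_MAP = """\
alice:Qz8.kLmN2pRsT:1001:100:Alice:/home/alice:/bin/sh
bob:$1$abcdefgh$0123456789abcdefghijk.:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:*:1004:100:Dave:/home/dave:/bin/false
erin::1005:100:Erin:/home/erin:/bin/sh
broken-line-without-fields
"""

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3): 13 chars
MODULAR_RE = re.compile(r"^\$([0-9a-z]+)\$")  # $id$salt$hash schemes


def classify(field):
    """Classify the second passwd field of one map entry."""
    if field == "":
        return "empty"                 # account has no password at all
    if DES_RE.match(field):
        return "des-crypt"
    m = MODULAR_RE.match(field)
    if m:
        return "modular-" + m.group(1)
    return "placeholder"               # x, *, ! etc.: hash is not in this map


def audit(map_text):
    """Return (exposed, malformed): user -> scheme, and bad line numbers."""
    exposed, malformed = {}, []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:           # passwd(5) entries have seven fields
            malformed.append(lineno)
            continue
        kind = classify(fields[1])
        if kind != "placeholder":
            exposed[fields[0]] = kind
    return exposed, malformed


if __name__ == "__main__":
    exposed, malformed = audit(SAMPLE_MAP)
    for user, kind in sorted(exposed.items()):
        print(f"{user}: {kind} visible in map")
    print("malformed lines:", malformed)
```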