Bugtraq mailing list archives
Re: Replacement for NIS? (was Re: Obtaining NIS domainname from
From: beck () cs ualberta ca (Bob Beck)
Date: Tue, 18 Apr 1995 16:23:45 -0600 (MDT)
[.. NIS sucks dead bunnies through bent straws ..]
[.. But Wait, doesn't new NIS not suck? .. ]
> Any user on the legal hosts still can get encrypted passwords.
This one is still a problem in most cases.. but see below.. It depends on if you trust your users, and if you don't, at least to this degree, you have other problems.
> No password aging and password quality control mechanism in heterogeneous environments.
You can do this decently with anlpasswd, which includes a Yellow Plague (NIS) backend to do the passwd changes. All you have to do is replace the yppasswd/passwd commands. Works reasonably well in our heterogeneous environment (a maze of twisty little unix versions, all different).
> The host based access control in ypserv can be easily circumvented by adding your own system to the local LAN and spoofing an address.
If I can add my own system to the local LAN, I can just sniff packets and grab the plaintext of them as they cross the net, not like it's even hard, so unless all your stuff is encrypted the fact that you can grab a Yellow Plague map by plugging in another machine is almost meaningless. If you can plug in another machine, you're hosed anyway, with or without Yellow Plague. Not to mention that even if your systems are very well looked after, chances are very good there is at least one or two holes your vendor has blessed you with that will allow a local user to get root. (If they're not very well looked after you can just about guarantee it.) Meaning they may be able to sniff the net anyway.
> The changes sure protect against attacks from remote sites, but local security is still very low.
My NSHO, it depends if you do or don't consider equivalent access. While not impossible, it's still very difficult to set up a large scale shared environment with a network where the physical access problems, or problems with protocols themselves which are designed for a trusted environment, don't make it difficult or impossible to do it if you do not have any degree of trust in your users. Realistically, if you want to run Yellow Plague, you're probably already talking about a relatively "trusting" environment, with a number of hosts. You're probably exporting filesystems, sharing a likely physically insecure network, stuff like that. If you've already got things like that, and you're worried about the (in)security level of Yellow Plague, you've got other equivalent things to worry about, so you have to decide that either:
1) You have some degree of trust and conditions of use on your users.
2) If you don't, you don't run YP (NIS), but at the point where you decide you're not gonna run YP you've got a lot of other things you shouldn't be doing too.
Otherwise, worrying about YP is just locking a door and leaving the windows wide open (with flashing lights and signs pointing to them :)