Bugtraq mailing list archives

Re: Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 12 Apr 1995 19:03:32 -0400


>> Gatorboxes are shipped without a user password set.  [...]
>> The user account can't change anything, but [...] [f]or example, if
>> you have the GatorShare software running using NIS authentication,
>> it will freely tell you what the NIS domainname is.
> What's wrong with knowing one's NIS domainname?

One's own domainname, nothing.  But someone else knowing your
domainname gives that someone a significant edge when it comes to
breaking in to your machines.

>> Maybe a good reason to join the crowd and not run NIS?
> I keep hearing people say this about NIS.

Deservedly, IMO.

> However, when one is running a lot of systems (including PC-NFS
> clients) it is fantastically easy to [administer]

Yes, it is.  It's also a sieve in many respects when it comes to
security.  Lots of easy-to-administer setups are.

> For the moment, I have a client running NIS (not this one) and I have
> their router set up to not pass RPC services from the net (to the
> port for SunRPC).  So far, this seems to be OK.

You (or they) are lucky, so far.

> Are there problems with this?

Yes.  Blocking port 111 is not enough; it is far too easy to just fire
NIS requests at every port number in the appropriate range - there are
only a few thousand of them.  If you're running a mostly stock setup,
one can almost predict the port NIS will use a priori.

Unfortunately there's not much to be done about it, unless you're
willing to replace your yp daemons.

> Is there a "better" NIS [...]

I'd be interested in hearing about any such.  I'm almost ready to try
my hand at writing one myself, but so far the perceived need has not
yet been sufficient to make me allocate the time.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
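
Added example, not part of der Mouse's message: a small audit an administrator can run on their own NIS server to see which NIS daemons are registered on ports that a "block port 111" border filter does not cover. The `rpcinfo -p` sample, the port numbers in it and both filter rule sets are constructed for illustration; the program numbers are the standard ones from the rpc table.

```python
import re

# RPC program numbers for the NIS (yp) services, from the standard rpc table.
NIS_PROGRAMS = {100004: "ypserv", 100007: "ypbind",
                100009: "yppasswdd", 100069: "ypxfrd"}

# Constructed sample of `rpcinfo -p` output from a hypothetical NIS server.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    2   tcp    835  ypserv
    100007    2   udp    660  ypbind
    100003    2   udp   2049  nfs
"""

def parse_rpcinfo(text):
    """Yield (program, version, proto, port) for each registration line."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)", line)
        if m:  # the header line does not match and is skipped
            yield int(m[1]), int(m[2]), m[3], int(m[4])

def is_blocked(proto, port, rules):
    """rules: list of (proto, low_port, high_port) dropped at the border."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)

def exposed_nis_ports(rpcinfo_text, rules):
    """Return NIS registrations the border filter would still let through."""
    found = set()
    for prog, _vers, proto, port in parse_rpcinfo(rpcinfo_text):
        if prog in NIS_PROGRAMS and not is_blocked(proto, port, rules):
            found.add((NIS_PROGRAMS[prog], proto, port))
    return sorted(found)

# Filter that only drops the portmapper, as in the setup discussed above.
PORTMAP_ONLY = [("tcp", 111, 111), ("udp", 111, 111)]
# Assumed stricter filter: drop all inbound traffic to ports below 1024.
LOW_PORTS = [("tcp", 0, 1023), ("udp", 0, 1023)]

if __name__ == "__main__":
    for name, rules in (("portmap only", PORTMAP_ONLY),
                        ("ports < 1024", LOW_PORTS)):
        print(name, "->", exposed_nis_ports(SAMPLE_RPCINFO, rules))
```

Daemons that take their port from the portmapper can come up on a different port after a restart, so the audit has to be rerun against live `rpcinfo -p` output rather than trusted once.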


