This is a delayed summary, since I was expecting a few more responses,
but not much came in on this one.
The bottom line for me is that there are security holes in NIS and, depending
on how paranoid one is, one should select accordingly between NIS and
NIS+. I still feel that NIS+ is overkill for small environments, but
unfortunately we live in a dangerous world.
I am grateful to the following three managers for their thoughtful responses:
Birger Wathne Birger.Wathne@getronics.no
Jochen Bern firstname.lastname@example.org
From email@example.com Wed Nov 10 07:36:26 1999
With NIS you get the encrypted passwords in a publicly readable NIS
map, so you lose the security you got with /etc/shadow, where the
passwords were not readable by ordinary users. With NIS any user can
ypcat passwd and save the output to a file. And then run crack....
Besides, if you don't have a properly set up firewall, then anyone on
the net who can guess your NIS domain name can connect to your NIS
servers and fetch the maps...
With NIS+ it depends on the authentication level. If it runs at the
lowest level (or NIS compatibility mode), security is no better than
with NIS. In a pure NIS+ environment you have access bits on each
table, row, column and cell. So the encrypted passwd field in the passwd
map will only be readable by admin users and the user who owns the
password. Ordinary users will not see other users' encrypted
passwords. The NIS+ servers also require that the client machines
authenticate themselves before they can do NIS+ lookups.
From firstname.lastname@example.org Thu Nov 11 02:29:13 1999
The key point you are missing here is not the existence of shadow or
otherwise; it is that NIS does all transfers in plain text over the wire.
Now on your average host the fact that UNIX uses relatively weak
password encryption algorithms is compensated for by /etc/shadow: only
root can read this field and hence the encrypted passwords. With NIS
you can type ypcat passwd and you get the whole thing. Now, unless NIS
is rebuilt with some kind of encryption, it does not matter whether
you put the passwords in shadow or not, because I could just type ypcat
shadow and get them. So to make this secure you need to encrypt the
NIS exchanges; well, guess what NIS+ is, plus some sensible performance
enhancements, as NIS does not scale well.
From: Jochen Bern <email@example.com>
> - When running NIS (not NIS+) password info is transferred between master-slave,
> but the transfers move around scrambled passwords (shadow passwords), correct?
> - What vulnerabilities exactly is NIS open to? By reading the docs NIS+
> is more secure, but to what type of attacks?
Off the top of my head: Cracking passwords (no one ever proved the
encryption to be a strong one ...); Leeching information from
offsite ("fixed" by /var/yp/securenets in NIS, *if* you remember
to maintain it); Server imposters (the Texas Agriculture something-or-other
U, aka TAMU, had an incident where someone pirated a fast
machine and used it to reply to NIS "ypmatch someuserid passwd"
style requests *before* the actual NIS server, with a reply that
made the clients think it's a valid UID-0 account; since the request
type of a "ypcat passwd" is different, there was no trace of this to
be seen unless you *knew* the bogus userid, or found bogus processes/
logins red-handed; fighting this incident resulted, among other
things, in the packetman software).
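The two exposures the respondents describe, a passwd map that still carries the crypt hashes and a /var/yp/securenets that nobody maintains, are both things an administrator can check from the server side. The script below is an added example written for this summary, not code from any of the respondents or from the NIS distribution. It works on constructed sample text standing in for `ypcat passwd` output and a securenets file (the 13-character password fields are made-up strings in the shape of crypt(3) hashes, not real hashes, and the hosts and networks are hypothetical), and the /8 threshold for "too wide" is an assumed policy value, not anything NIS itself enforces.

```python
import ipaddress

# Constructed stand-in for `ypcat passwd` output (hypothetical accounts; the
# 13-character fields only have the shape of crypt(3) hashes, they are not
# real hashes). With plain NIS every user on every client can read this.
SAMPLE_YPCAT_PASSWD = """\
root:AbCdEfGhIjKl.:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice Example:/home/alice:/bin/ksh
bob:Zz9yYxXwWvVu/:1002:10:Bob Example:/home/bob:/bin/csh
nobody:*:60001:60001:Nobody:/:
"""

# Constructed /var/yp/securenets. One "netmask netaddr" or "host address"
# per line; the last line is the "allow everyone" entry the thread warns about.
SAMPLE_SECURENETS = """\
# netmask      netaddr
host           127.0.0.1
255.255.255.0  192.168.10.0
0.0.0.0        0.0.0.0
"""

# Password-field values that mean "no hash here": shadow placeholder ("x"),
# no password ("NP"), empty, or a locked/disabled marker starting with * or !.
PLACEHOLDERS = {"x", "NP", ""}


def is_placeholder(pw_field):
    """True when the password field carries no crypt hash."""
    return pw_field in PLACEHOLDERS or pw_field[0] in "*!"


def exposed_hashes(ypcat_output):
    """Return the usernames whose entry in the NIS passwd map still carries
    an actual crypt hash, i.e. the accounts a `ypcat passwd` would hand to
    any user for offline cracking."""
    exposed = []
    for line in ypcat_output.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry; not a passwd line
        user, pw_field = fields[0], fields[1]
        if not is_placeholder(pw_field):
            exposed.append(user)
    return exposed


def permissive_securenets(contents, min_prefix=8):
    """Return the securenets entries whose netmask admits a network wider
    than /min_prefix. min_prefix is an assumed policy threshold; a
    0.0.0.0 netmask (prefix length 0) is the classic "anyone on the net
    can fetch the maps" mistake."""
    flagged = []
    for raw in contents.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] == "host":
            continue  # single-host entries are never too wide; skip malformed lines
        netmask, netaddr = parts
        try:
            net = ipaddress.ip_network(f"{netaddr}/{netmask}", strict=False)
        except ValueError:
            continue  # unparsable entry; ypserv would reject it too
        if net.prefixlen < min_prefix:
            flagged.append(" ".join(parts))
    return flagged


if __name__ == "__main__":
    # On a real master you would feed in `ypcat passwd` output and the
    # contents of /var/yp/securenets instead of the constructed samples.
    for user in exposed_hashes(SAMPLE_YPCAT_PASSWD):
        print(f"hash readable via NIS map: {user}")
    for entry in permissive_securenets(SAMPLE_SECURENETS):
        print(f"securenets entry too wide: {entry}")
```

Run against the samples it reports `root` and `bob` as accounts whose hashes travel in the public map (alice has the shadow placeholder, nobody is locked) and the `0.0.0.0 0.0.0.0` line as the securenets entry that lets any host reach the maps. The placeholder set and the /8 cut-off are the parts to adapt to a site's own conventions.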
I have been looking in the archives and docs for NIS vs NIS+
comparisons but didn't find one addressing the following specific
- When running NIS (not NIS+) password info is transferred between
master-slave but the transfers move around scrambled passwords (shadow
- What vulnerabilities exactly is NIS open to? By reading the docs
NIS+ is more secure, but to what type of attacks?
SM&A, Space Sciences Division
SOHO ESA/NASA Project Scientist Team
Laboratory of Astronomy & Solar Physics
NASA Goddard Space Flight Center
Bldg. 26, G-1, Code 682.3
Greenbelt, MD 20771
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT