ADDENDUM- SUMMARY: NIS security

From: George Dimitoglou (george@esa.nascom.nasa.gov)
Date: Tue Nov 30 1999 - 16:01:01 CST


Fellow Managers -

Dave Foster <foster@dim.ucsd.edu> also contributed the following:

 There are two general misunderstandings stated here about NIS security:
 1) You are *not* vulnerable to people offsite using ypcat to get password
    information, provided that you have set up a reasonable implementation
    (an implementation that uses the securenets file to limit access to the NIS
     maps to particular hosts and/or subnets) of NIS and are using the securenets
     file to limit access to NIS info.
 
 2) For each client, you can explicitly list the NIS servers to bind to,
    preventing another system from masquerading as an NIS server.

George

>
> Fellow managers:
> This is a delayed summary, since I was expecting a few more responses
> but not much on this one.
>
> The bottom line for me is that there are security holes in NIS and depending
> on how paranoid one is, should select accordingly between NIS and
> NIS+. I still feel that NIS+ is an overkill for small environments but
> unfortunately we live in a dangerous world.
>
>
> I am grateful for the thoughtful responses to the following three managers:
> Birger Wathne Birger.Wathne@getronics.no
> Ken robsonk@ebrd.com
> Jochen Bern bern@penthesilea.uni-trier.de
>
> ANSWERS:
> From bern@penthesilea.uni-trier.de Wed Nov 10 07:36:26 1999
> With NIS you get the encrypted passwords in a publicly readable NIS
> map, so you lose the security you got with /etc/shadow where the
> passwords were not readable by ordinary users. With NIS any user can
> ypcat passwd and save the output to file. And then run crack....
> Besides, if you don't have a properly set up firewall, then anyone on
> the net who can guess your NIS domain name can connect to your NIS
> servers and fetch the maps...
>
> With NIS+ it depends on the authentication level. If it runs at the
> lowest level (or NIS compatibility mode) security is no better than
> with NIS. In a pure NIS+ environment you have access bits on each
> table, row, column and cell. So the encrypted passwd field in the passwd
> map will only be readable to admin users and the user who owns the
> password. Ordinary users will not see other users' encrypted
> passwords. The NIS+ servers also require that the client machines
> authenticate themselves before they can do NIS+ lookups.
>
>
> From robsonk@ebrd.com Thu Nov 11 02:29:13 1999
> The key point you are missing here is not the existence of shadow or
> otherwise, it is that NIS does all transfers plain text over the wire.
> Now on your average host the fact that UNIX uses relatively weak
> password encryption algorithms is compensated for by /etc/shadow; only
> root can read this field and hence the encrypted passwords. With NIS
> you can type ypcat passwd and you get the whole thing, now unless NIS
> is rebuilt with some kind of encryption, then it does not matter if
> you put the passwords in shadow or not because I could just type ypcat
> shadow and I got them. So to make this secure you need to encrypt the
> NIS exchanges, well guess what NIS+ is, plus some sensible performance
> enhancements as NIS does not scale well.
>
>
> From: Jochen Bern <bern@penthesilea.uni-trier.de>
> > -When running NIS (not NIS+) password info is transferred between master-slave
> > but the transfers move around scrambled passwords (shadow passwords) correct?
>
> Yes.
>
> > - What vulnerabilities exactly is NIS open to? By reading the docs NIS+
> > is more secure, but to what type of attacks?
>
> Off the top of my head: Cracking passwords (no one ever proved the
> encryption to be a strong one ...); Leeching information from
> offsite ("fixed" by /var/yp/securenets in NIS, *if* you remember
> to maintain it); Server imposters (the Texas Agriculture something-
> orother U, aka TAMU, had an incident where someone pirated a fast
> machine and used it to reply to NIS "ypmatch someuserid passwd"
> style requests *before* the actual NIS server, with a reply that
> made the clients think it's a valid UId-0 account; since the request
> type of a "ypcat passwd" is different, there was no trace of this to
> be seen unless you *knew* the bogus userid, or found bogus processes/
> logins red-handed; fighting this incident resulted, among other
> things, in the packetman software).
>
>
>
> ORIGINAL POSTING:
>
> Dear Managers,
>
> I have been looking in the archives and docs for NIS vs NIS+
> comparisons but didn't find one addressing the following specific
> questions.
>
> -When running NIS (not NIS+) password info is transferred between
> master-slave but the transfers move around scrambled passwords (shadow
> passwords) correct?
> - What vulnerabilities exactly is NIS open to? By reading the docs
> NIS+ is more secure, but to what type of attacks?
>
> --------------------------------------------------
> George Dimitoglou
> SM&A, Space Sciences Division
>
> SOHO ESA/NASA Project Scientist Team
> Laboratory of Astronomy & Solar Physics
> NASA Goddard Space Flight Center
> Bldg. 26, G-1, Code 682.3
> Greenbelt, MD 20771
>
> george@esa.nascom.nasa.gov
>



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT