nis security

Bruce Pea pea at andrewpea.com
Mon Sep 8 17:02:16 PDT 2003


--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson 
<tillman at seekingfire.com> wrote:

> On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
>> I'm building a new network for my company.
>
> Right on!
>
>> I need centralized authentication and looked after LDAP to achieve
>> this.
>
> It's a good thing you're designing this /now/ rather than trying to
> graft it on later. It's not as simple as it seems.
>
>> Unfortunately, there are 2 points that make me wonder the good use of
>> it: 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for
>> production use 2. I really don't feel confident with LDAP
>
> For many networks LDAP can be overkill.
>
>> So, I was thinking about using NIS instead, with which I feel much
>> more confident. I understand it is really not secure, so I was
>> looking about more information on this: why is it insecure, does it
>> send password in clear text?
>
> No, but it sends them in an easily broken format. It's exactly the same
> situation as a DES /etc/passwd file in the days before
> master.passwd/shadow passwd files. This can be fixed by combining NIS
> with Kerberos.
>
> Another large problem is that clients used to "broadcast" for NIS
> servers and trust the first server to answer. This can be fixed by
> telling the clients to contact only specific servers for NIS
> information.
>
>> ?
>> Does anyone know a solution for securing NIS, using ssh or encrypted
>> tunnels or anything... I am open to any new idea :)
>
> IPsec can fix the network sniffing problem, though Kerberos can do that
> as well and comes with many other advantages.
>
> I'm a bit biased, however: I use NIS with Kerberos and think it's the
> cat's pajamas :-)


Hey Tillman,

This sounds exactly like what we are looking for. Can you point us to any 
docs explaining how you do this??

Thanks -
Bruce
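The "tell the clients to contact only specific servers" fix Tillman describes is, on FreeBSD, ypbind's -S option set through nis_client_flags in rc.conf. The script below is an added example (not from this thread or from FreeBSD) that audits a given rc.conf for that pinning; it assumes the -S domain,server[,server...] and -s (secure mode) options documented in ypbind(8), and the rc.conf sample it writes is constructed.

```shell
#!/bin/sh
# Audit an rc.conf for NIS client pinning (example added here, not thread code).
# A client whose nis_client_flags lacks -S broadcasts for a server and binds to
# whichever host answers first; with -S it only talks to the listed servers.
# Returns 0 when pinned to at least one server, 1 otherwise.
audit_nis_pinning() {
    conf="$1"
    # rc.conf is sourced as shell, so the last assignment wins: take the last line
    flags=$(grep -E '^[[:space:]]*nis_client_flags=' "$conf" | tail -n 1 \
            | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//')
    if [ -z "$flags" ]; then
        echo "nis_client_flags unset: ypbind will broadcast for servers"
        return 1
    fi
    # pull out the argument that follows -S (domain,server1,server2,...)
    pinned=$(printf '%s\n' "$flags" | sed -n 's/.*-S[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$pinned" ]; then
        echo "no -S option: ypbind will broadcast for servers"
        return 1
    fi
    domain=${pinned%%,*}
    servers=${pinned#*,}
    if [ "$servers" = "$pinned" ]; then
        echo "-S names domain '$domain' but no servers: still broadcasting"
        return 1
    fi
    echo "pinned: domain=$domain servers=$servers"
    # -s makes ypbind refuse servers not answering from a privileged port
    case " $flags " in
        *" -s "*) echo "secure mode (-s) on: unprivileged-port servers refused" ;;
        *) echo "note: -s not set; ypbind accepts servers on any port" ;;
    esac
    return 0
}

# Constructed sample rc.conf showing a pinned client (hypothetical hosts).
sample=$(mktemp)
printf 'nis_client_enable="YES"\n' > "$sample"
printf 'nis_client_flags="-s -S example.com,nis1.example.com,nis2.example.com"\n' >> "$sample"
audit_nis_pinning "$sample"
rm -f "$sample"
```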