nis security

Tillman Hodgson tillman at seekingfire.com
Mon Sep 8 15:10:50 PDT 2003


On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
> I'm building a new network for my company.

Right on!

> I need centralized authentication and looked after LDAP to achieve this. 

It's a good thing you're designing this /now/ rather than trying to
graft it on later. It's not as simple as it seems.

> Unfortunately, there are 2 points that make me wonder about the good use of it:
> 1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
> 2. I really don't feel confident with LDAP

For many networks LDAP can be overkill.

> So, I was thinking about using NIS instead, with which I feel much more 
> confident. I understand it is really not secure, so I was looking about more 
> information on this: why is it insecure, does it send passwords in clear text?

No, but it sends them in an easily broken format. It's exactly the same
situation as a DES /etc/passwd file in the days before
master.passwd/shadow passwd files. This can be fixed by combining NIS
with Kerberos.

Another large problem is that clients used to "broadcast" for NIS
servers and trust the first server to answer. This can be fixed by
telling the clients to contact only specific servers for NIS
information.

> ?
> Does anyone know a solution for securing NIS, using ssh or encrypted tunnels 
> or anything... I am open to any new idea :)

IPsec can fix the network sniffing problem, though Kerberos can do that
as well and comes with many other advantages.

I'm a bit biased, however: I use NIS with Kerberos and think it's the
cat's pajamas :-)

-T


-- 
To give your sheep or cow a large spacious meadow is the way to control him.
	Shunryu Suzuki
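Added example, not part of the original thread: a small POSIX sh audit function that checks a FreeBSD rc.conf fragment for the client-side fix the reply describes, pinning ypbind to named servers (ypbind's -S domain,server,... flag) and, as a related hardening, its -s secure mode that refuses servers not answering from privileged ports. The rc.conf fragments, NIS domain and host names are constructed for the example.

```shell
#!/bin/sh
# Constructed rc.conf fragments (not from the original post).
# Weak: ypbind broadcasts for a server and trusts the first answer.
WEAK_RCCONF='nisdomainname="example.nis"
nis_client_enable="YES"
nis_client_flags=""'

# Hardened: ypbind is locked to a domain and an explicit server list (-S)
# and runs in secure mode (-s).
HARDENED_RCCONF='nisdomainname="example.nis"
nis_client_enable="YES"
nis_client_flags="-s -S example.nis,nis1.example.internal,nis2.example.internal"'

# audit_nis_client RCCONF_TEXT
# Returns 0 if the NIS client is disabled or is pinned and in secure mode;
# prints each finding and returns 1 otherwise.
audit_nis_client() {
    rcconf="$1"
    rc=0
    enabled=$(printf '%s\n' "$rcconf" |
        sed -n 's/^nis_client_enable="\([^"]*\)".*/\1/p' | tail -n 1)
    if [ "$enabled" != "YES" ]; then
        echo "NIS client not enabled; nothing to audit"
        return 0
    fi
    flags=$(printf '%s\n' "$rcconf" |
        sed -n 's/^nis_client_flags="\([^"]*\)".*/\1/p' | tail -n 1)
    case " $flags " in
        *" -S "*) ;;  # pinned to a domain and explicit servers
        *) echo "ypbind not pinned (-S domain,server,...): it will broadcast and trust the first reply"
           rc=1 ;;
    esac
    case " $flags " in
        *" -s "*) ;;  # secure mode: servers must answer from a privileged port
        *) echo "ypbind not in secure mode (-s): unprivileged-port servers are accepted"
           rc=1 ;;
    esac
    case " $flags " in
        *"-ypset"*) echo "-ypset/-ypsetme lets a remote host rebind the client; remove it"
                    rc=1 ;;
    esac
    return $rc
}

# Demo run against the weak fragment (status kept at 0 for the script).
audit_nis_client "$WEAK_RCCONF" || echo "weak rc.conf fails the audit"
```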


More information about the freebsd-questions mailing list