
Re: RFC: pam: dropping support for NIS/NIS+?



Hi,

On Wed, Apr 20, 2022 at 10:57:58AM -0700, Steve Langasek wrote:

> So I'd like to take a step back and challenge an underlying assumption by
> asking: do any of our users actually *need* this functionality?  The RPC
> functionality is only used for NIS and NIS+.  NIS is historically quite
> insecure, and I'm not aware of any efforts to improve its security (AFAIK
> the linkage of the crypto libraries doesn't fix the fundamentally insecure
> interfaces of NIS).  NIS+ is intended to be a more secure version of NIS,
> but to my knowledge there has never been a free implementation in the
> archive; this was a Sun-specific technology, which Sun deprecated two
> decades ago[1].
> 
> If we dropped support for NIS and NIS+ in the next Debian release, would
> anybody miss it?  Or has everyone moved on to LDAP / AD by now?

NIS still has uses in small, closed environments where setting up LDAP
would be overkill, or if you have to interface with some ancient
systems. NIS+ was a nice idea in its own time, and it allowed making NFS
more secure before RPCSEC_GSS took over. However, the strength of the
crypto used by NIS+ is probably not worth much today anymore, so I'd
be surprised if anyone still used it on Linux.

Doing a quick check, PAM only seems to rely on the RPC libraries for
changing NIS passwords. Personally, I think losing that would not be a
big deal. While I can still see NIS being useful in some corners of the
world, I cannot imagine such an environment wanting to enforce password
expiration. And if you don't expire passwords, then you don't need PAM
to be able to change passwords - running yppasswd should be fine for
voluntary password changes.

Regards,
Gabor

