
Re: RFC: pam: dropping support for NIS/NIS+?



>>>>> On Fri, 22 Apr 2022 13:41:50 -0700, Steve Langasek <vorlon@debian.org> said:

> NIS also dates from a period when rsh was considered acceptable, and unless
> I'm mistaken, has a comparable level of security.  Allowing access to
> password hashes for users based on the IP of the machine you are querying
> from is not a sane security policy, and I don't think we should indefinitely
> make Debian worse for all other users (bigger minimal system == worse) to
> cater to users of these obsolete, insecure systems.

A normal user does not see the password hashes; only processes which
can use a port < 1024 see the password hash in the NIS map.

So I do not see a problem giving machines of a subnet (based on their
IP) access to the NIS data, when I can make sure only permitted
computers can access the network. This does not give all users of this
machine access to the password hashes.

-- 
regards Thomas

