
Re: NIS(Client && Server) + Security



> One last thing: What links do you suggest to read about this matter (NIS) and
> what better tools exist for this kind of job?

I don't really have any links, I'm just going by what my experience
has been.  The NIS security issues are well known, I'm sure a google
search will turn up scads of information.  NIS is almost the only
option though if you require on-the-fly user replication between
multiple different kinds of unix hosts.  None of the BSDs that I know
of have implemented a flexible SYSV-like name service switch yet,
(there was a FreeBSD guy who was promising to do it but last I heard
there was no public code, I haven't looked at 5.0 yet though) which is
pretty much required to start stitching things like LDAP directly to
your libc routines.  Glibc supports this so it's a given for
environments that use it.  Solaris >= 2.7 supports it *I think* ...
it's been a while since I dealt with that.  Padl software makes both
NSS and PAM hooks for LDAP, freely available to the linux community.
(Not the best security record sadly, but I'm unaware of any
competition.)  OS X supports pluggable name services via netinfo
(yuck) which work OK in my experience, though NFS was fugly at the
time.  Generally if you've got an environment that supports it, and
you really need unified management[1] of your name services[2] I'd
suggest using LDAP, openldap w/TLS provides significantly more
security than NIS.

[1] unified environments come at a high reliability cost, you've got
to provide redundancy failover services or your network can become
unusable in the blink of an eye if something fails.  I'd never
consider using something like LDAP on a network with less than 5
machines, not for name services anyway.  Small tasks can be handled
well enough with rsync and ssh and some routine scripts.

[2] note when I say name services, I'm not talking about DNS, though
the facilities exist to incorporate that into a unified configuration.
Personally I'd never use a unified environment for DNS management
because doing so tends to create some annoying chicken-or-egg
scenarios that newbie admins can easily trip over and cause a mess.
I'm not fond of fragile services, which incidentally is why I don't run
BIND and why I think anyone who does is a fool.  There are plenty of
good replacements, djbdns, maradns (for those of you who tend and
nurture your myopic little hatred of djb like it's some kind of 100
year old bonsai), etc.  And they don't crash every few days for no
reason.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid."	-Buddy
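The post above makes three configuration points: get NIS out of the account databases, keep local files ahead of the directory so a host stays usable when the directory is down (footnote [1]), and talk to the directory over TLS with more than one server behind it.  The checker below is an added example and is not part of the original post or of any project mentioned in it.  It audits a constructed /etc/nsswitch.conf and a constructed nss_ldap-style ldap.conf for exactly those points; the directive names (uri, ssl, tls_checkpeer, tls_cacertfile, bind_policy) follow the padl nss_ldap file format, the hostnames and paths are made up, and treating an absent tls_checkpeer as "not verified" is this checker's conservative assumption rather than a statement about the library's defaults.

```python
"""Audit nsswitch.conf / nss_ldap ldap.conf for the NIS-vs-LDAP points above.

Constructed sample inputs only; nothing here is read from a real host.
"""

# Weak: NIS still trusted, and the directory is consulted before local files.
NSSWITCH_WEAK = """\
# constructed sample
passwd:   nis ldap files
group:    nis ldap files
shadow:   nis ldap files
hosts:    files dns
"""

# Corrected: local files first, LDAP second, no NIS anywhere.
NSSWITCH_OK = """\
passwd:   files ldap
group:    files ldap
shadow:   files ldap
hosts:    files dns
"""

# Weak: single server, cleartext LDAP, no peer verification.
LDAP_CONF_WEAK = """\
uri ldap://ldap1.example.test/
base dc=example,dc=test
"""

# Corrected: two servers for failover, STARTTLS with a verified CA, soft bind.
LDAP_CONF_OK = """\
uri ldap://ldap1.example.test/ ldap://ldap2.example.test/
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
bind_policy soft
"""

ACCOUNT_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources (action specs dropped)."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_ldap_conf(text):
    """Map lower-cased directive names to their (whitespace-trimmed) values."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_nsswitch(dbs):
    """Return findings for the account databases: NIS present, or files after ldap."""
    findings = []
    for db in ACCOUNT_DBS:
        sources = dbs.get(db, [])
        if "nis" in sources:
            findings.append(f"{db}: still consults nis")
        if "ldap" in sources and "files" not in sources:
            findings.append(f"{db}: no files source; local accounts unreachable")
        elif "ldap" in sources and sources.index("files") > sources.index("ldap"):
            findings.append(f"{db}: files listed after ldap; host unusable while directory is down")
    return findings


def audit_ldap_conf(opts):
    """Return findings for failover, transport encryption and peer verification."""
    findings = []
    uris = opts.get("uri", "").split()
    if len(uris) < 2:
        findings.append("uri: only one directory server configured; no failover")
    encrypted = opts.get("ssl", "").lower() in ("start_tls", "on") or any(
        u.lower().startswith("ldaps://") for u in uris)
    if not encrypted:
        findings.append("ssl: directory traffic is cleartext (no start_tls / ldaps)")
    # Assumption of this checker: absent tls_checkpeer is treated as unverified.
    if opts.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer: server certificate is not verified")
    if opts.get("bind_policy", "hard").lower() != "soft":
        findings.append("bind_policy: hard; lookups block while every server is unreachable")
    return findings


if __name__ == "__main__":
    for label, nss, ldap in (("weak", NSSWITCH_WEAK, LDAP_CONF_WEAK),
                             ("ok", NSSWITCH_OK, LDAP_CONF_OK)):
        print(f"== {label} ==")
        for f in audit_nsswitch(parse_nsswitch(nss)) + audit_ldap_conf(parse_ldap_conf(ldap)):
            print("  -", f)
```

Run it as-is to see the weak pair produce findings and the corrected pair produce none; point the two parse functions at real files to audit a host.  The ordering check is the one that guards footnote [1]: with `files` first, root and any other local accounts keep working while both directory servers are down, and `bind_policy soft` stops every lookup from hanging in the meantime.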


