[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: nis & shadow



Oh, pardon me. That really is safe then. NOT! If I can plug into your ethernet, I can
have your NIS maps. If you "don't allow access" you must be doing it by hostname/IP.
Easy, I can just steal the IP I want, unplugging the real machine if necessary. This is
silly anyway because I can easily sniff the traffic, which goes around unencrypted, with
my laptop anyway. I'm sorry but I'm right and you're wrong: NIS is not secure. If you
believe it's secure and feel good using it in your environment you may be right and I
might completely agree with you, **in that specific case**. The real danger here is that
someone decides that they don't need to worry so much because they're using shadow
passwords, not realizing that anyone who can hook a machine into the local net can have
access. Don't go telling people something's secure when its not.

Now listen, I do exactly what you describe. I use (on an internal network) plain old NIS
maps to distribute passwd/shadow info to a Linux box which uses shadow passwords. I'm not
saying it can't be done. I'm not say it shouldn't be done. I'm saying that when you
advise someone about a practice which involves system security you have a duty to make
full disclosure about the inherent risks (which exist in *any* system). It pisses me off
when people think they know it all and take a cavalier attitude going around telling
people "what's what" in a tone and manner which suggest they are authoritative on the
matter. You obviously are very confident with your expertise and technical knowledge.
Just remember it's when you think you've got every angle that your going to make the
mistake.

Gergely Madarasz wrote:

> On Thu, 19 Feb 1998, Jens B. Jorgensen wrote:
>
> > This is true. However note how you said "if the request for the map comes from a
> > non-root user". How do you supposed the NIS server determines that you're "not a
> > root user"? I'll tell you: ident. I can whip up an ident server on my NT box in two
> > minutes that'll tell you I'm any user I want. This is not security.
>
> Wrong. It determines that you're no root user by port. If the request
> comes from a port lower than 1024 then it is root. And don't give nis
> access to hosts which can be booted into an unsafe OS like NT.

--
Jens B. Jorgensen
jjorgens@bdsinc.com



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .


Reply to: