topic Re: NIS+ encrypted? in Operating System - HP-UX

NIS+ encrypted?

TwoProc — Tue, 09 Aug 2005 09:58:02 GMT

Question: One of our techs heard from a HP tech that NIS+ is "encrypted". I'm thinking that he(HP tech) means that the password string is encrypted, while I'm wanting to know if the transmission of NIS+ data itself (the whole communication stream) is encrypted or encryptable for supporting logins. And, will that work with a trusted host? shadow passwords? HP tech says it does, while I've read in places that it doesn't.

Re: NIS+ encrypted?

Pete Randall — Tue, 09 Aug 2005 10:05:32 GMT

John,

NFS Services Administrator's Guide
Chapter 5. Configuring and Administering NIS+
Overview of NIS+

"NIS+ is secure. It uses a private key/public key authentication scheme with DES encryption. Every user and host in the namespace has its own unique credentials, and you can decide which users and hosts will be allowed to read or modify the information in each NIS+ domain."

But nothing specific about encrypted transmission - yet - still reading. . . .

Pete

Re: NIS+ encrypted?

Florian Heigl (new acc) — Tue, 09 Aug 2005 10:27:30 GMT

the login/credential transmissions for NIS+ are, as far as I remember, kerberized, so both encrypted and non-replayable.
but I've never run NIS+, so I can't promise it :(

trusted: yes
shadow: i think yes (the shadowing would only apply to local-only passwords, hmm?)

Re: NIS+ encrypted?

A. Clay Stephenson — Tue, 09 Aug 2005 10:35:50 GMT

The answer is yes and yes. The biggest improvement from the standpoint of passwords (not actually encrypted but hashed) is that
under NIS the passwd hash is easily obtained by nothing more than ypcat passwd from any client. These password hashes are then subject to a dictionary-based attack (e.g. crack) under NIS+, niscat passwd returns a '*' in the hash field.

Re: NIS+ encrypted?

TwoProc — Tue, 09 Aug 2005 10:55:42 GMT

Pete, Florian, and A. Clay - thanks for your responses. So, this is, in your opinion - a good solid solution for today - or would you push a group towards ldap if re-reviewing (redundant to be rhetorical :-) ) options?

Re: NIS+ encrypted?

Patrick Wallek — Tue, 09 Aug 2005 10:59:37 GMT

I think LDAP is a better solution that NIS+. With LDAP you could, potentially, have a single solution for the entire enterprise (Unix, Windows, etc.).

NIS+ limits you to Unix only, and only those flavors that support NIS+.

Re: NIS+ encrypted?

Pete Randall — Tue, 09 Aug 2005 11:03:48 GMT

John,

I would avoid NIS+ like the plague. Here's another quote from the same manual:

"Disadvantages of NIS+

NIS+ has the following disadvantages:

*

NIS+ is difficult to administer. It requires dedicated system administrators trained in NIS+ administration. NIS+ administration is very different from NIS administration.
*

The NIS+ databases are not automatically backed up to flat files. The system administrator must create and maintain a backup strategy for NIS+ databases, which includes dumping them to flat files and backing up the files."

The key portion of that, for me at least, is the line "NIS+ is difficult to administer."

Pete

Re: NIS+ encrypted?

Steve Lewis — Tue, 09 Aug 2005 11:42:42 GMT

If NIS+ does use DES, then that isn't very secure encryption anyway. DES is an old algorithm and attacks against it are well known.

Re: NIS+ encrypted?

generic_1 — Tue, 09 Aug 2005 12:22:04 GMT

How many users and computers are you dealing with? What OS platforms.
Unless your answer is thousands of users and thousands of systems, its better to stay away from NIS, NIS+, and LDAP. You can make any of it work, but they are all very needy environments. Your company would be better off carefully evaluating a user creation/management tool that is flexible and easy to use.
On paper this central environment sounds cool, but in reality its a pain. Look for good account management tools, and look beyond the security. Also a good managment tool will have good security built in, and it wont be open source that some script kiddy has access too. IF NIS goes down all of your users suddenly have a problem. Not good.

Best of luck

Re: NIS+ encrypted?

A. Clay Stephenson — Tue, 09 Aug 2005 14:27:30 GMT

I have never found NIS+ all that difficult although very little of your NIS knowledge will prove useful in an NIS+ world. NIS+'s main drawback is that it is rapidly becoming extinct. If your application software will allow LDAP then that is really your best bet.

Re: NIS+ encrypted?

TwoProc — Tue, 09 Aug 2005 15:26:00 GMT

A. Clay - what are the "forces" making it extinct? Are *NIX variants dropping support for it ? Announcing it? Just curious as I've heard the same thing - I'm just wondering if it's a concrete thing, or folks at HP (and other) putting the word out to see if the user community starts screaming and crying about it or not.

Re: NIS+ encrypted?

A. Clay Stephenson — Tue, 09 Aug 2005 16:14:07 GMT

Do a man nis (which includes NIS+). Under the WARNINGS section you will see "HP-UX 11i Version 2 is the last HP-UX on which NIS+ is supported."

Essentially there is nothing that NIS+ can do that LDAP can't do at least as well and is more portable. Like NIS+, little of your NIS knowledge will apply to LDAP. Because I would never trust my passwords to a Windows anything, I always run a UNIX or Linux LDAP server.

Re: NIS+ encrypted?

TwoProc — Tue, 09 Aug 2005 16:36:54 GMT

Wow A. Clay - that REALLY tells the tale then doesn't it? Thanks for the critical info.