
NIS+ encrypted?

 
TwoProc
Honored Contributor

NIS+ encrypted?

Question: One of our techs heard from an HP tech that NIS+ is "encrypted". I'm thinking that he (HP tech) means that the password string is encrypted, while I'm wanting to know if the transmission of NIS+ data itself (the whole communication stream) is encrypted or encryptable for supporting logins. And, will that work with a trusted host? Shadow passwords? HP tech says it does, while I've read in places that it doesn't.
We are the people our parents warned us about --Jimmy Buffett
12 REPLIES 12
Pete Randall
Outstanding Contributor

Re: NIS+ encrypted?

John,

NFS Services Administrator's Guide
Chapter 5. Configuring and Administering NIS+
Overview of NIS+

"NIS+ is secure. It uses a private key/public key authentication scheme with DES encryption. Every user and host in the namespace has its own unique credentials, and you can decide which users and hosts will be allowed to read or modify the information in each NIS+ domain."

But nothing specific about encrypted transmission - yet - still reading. . . .


Pete

Pete
Florian Heigl (new acc)
Honored Contributor

Re: NIS+ encrypted?

The login/credential transmissions for NIS+ are, as far as I remember, kerberized, so both encrypted and non-replayable.
But I've never run NIS+, so I can't promise it :(

trusted: yes
shadow: I think yes (the shadowing would only apply to local-only passwords, hmm?)
yesterday I stood at the edge. Today I'm one step ahead.
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: NIS+ encrypted?

The answer is yes and yes. The biggest improvement from the standpoint of passwords (not actually encrypted but hashed) is that under NIS the passwd hash is easily obtained by nothing more than ypcat passwd from any client. These password hashes are then subject to a dictionary-based attack (e.g. crack). Under NIS+, niscat passwd returns a '*' in the hash field.
If it ain't broke, I can fix that.
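
The difference described in the answer above can be checked from a client by looking at the hash field of the map output. This is an added example, not part of the original thread: the function names are hypothetical and the sample entries (including the fake hash strings) are constructed.

```shell
#!/bin/sh
# Added example: audit the password field of passwd-format map output
# (name:passwd:uid:gid:gecos:home:shell), e.g. from `ypcat passwd` or `niscat passwd`.

# Print "<account> <status>" for each entry read from stdin.
audit_passwd_map() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }               # skip blank and comment lines
        NF < 7 { print $1, "MALFORMED"; next }     # not a passwd-format entry
        {
            pw = $2
            if (pw == "*" || pw == "x") status = "MASKED"   # hash withheld
            else if (pw == "")          status = "EMPTY"    # no password set
            else if (pw ~ /^[*!]/)      status = "LOCKED"   # not a usable hash
            else                        status = "EXPOSED"  # hash readable by caller
            print $1, status
        }'
}

# Print how many entries on stdin expose a hash.
count_exposed() {
    audit_passwd_map | awk '$2 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Constructed sample: NIS-style output with hashes visible (values are fake).
sample_nis_map() {
    cat <<'EOF'
root:AAconstructed:0:3::/:/sbin/sh
alice:BBconstructed:101:20:Alice:/home/alice:/usr/bin/sh
daemon:*:1:5::/:/sbin/sh
EOF
}

# Constructed sample: NIS+-style output with '*' in the hash field.
sample_nisplus_map() {
    cat <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:101:20:Alice:/home/alice:/usr/bin/sh
EOF
}

echo "NIS sample:  $(sample_nis_map | count_exposed) exposed"
echo "NIS+ sample: $(sample_nisplus_map | count_exposed) exposed"
# On a live client, run as an unprivileged user: ypcat passwd | audit_passwd_map
```

A non-zero count for an unprivileged user means the map is handing out hashes that need to be treated as disclosed.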
TwoProc
Honored Contributor

Re: NIS+ encrypted?

Pete, Florian, and A. Clay - thanks for your responses. So, this is, in your opinion - a good solid solution for today - or would you push a group towards LDAP if re-reviewing (redundant to be rhetorical :-) ) options?
We are the people our parents warned us about --Jimmy Buffett
Patrick Wallek
Honored Contributor

Re: NIS+ encrypted?

I think LDAP is a better solution than NIS+. With LDAP you could, potentially, have a single solution for the entire enterprise (Unix, Windows, etc.).

NIS+ limits you to Unix only, and only those flavors that support NIS+.
Pete Randall
Outstanding Contributor

Re: NIS+ encrypted?

John,

I would avoid NIS+ like the plague. Here's another quote from the same manual:

"Disadvantages of NIS+

NIS+ has the following disadvantages:

* NIS+ is difficult to administer. It requires dedicated system administrators trained in NIS+ administration. NIS+ administration is very different from NIS administration.

* The NIS+ databases are not automatically backed up to flat files. The system administrator must create and maintain a backup strategy for NIS+ databases, which includes dumping them to flat files and backing up the files."

The key portion of that, for me at least, is the line "NIS+ is difficult to administer."


Pete

Pete
Steve Lewis
Honored Contributor

Re: NIS+ encrypted?

If NIS+ does use DES, then that isn't very secure encryption anyway. DES is an old algorithm and attacks against it are well known.

generic_1
Respected Contributor

Re: NIS+ encrypted?

How many users and computers are you dealing with? What OS platforms?
Unless your answer is thousands of users and thousands of systems, it's better to stay away from NIS, NIS+, and LDAP. You can make any of it work, but they are all very needy environments. Your company would be better off carefully evaluating a user creation/management tool that is flexible and easy to use.
On paper this central environment sounds cool, but in reality it's a pain. Look for good account management tools, and look beyond the security. Also a good management tool will have good security built in, and it won't be open source that some script kiddy has access to. If NIS goes down all of your users suddenly have a problem. Not good.

Best of luck
A. Clay Stephenson
Acclaimed Contributor

Re: NIS+ encrypted?

I have never found NIS+ all that difficult although very little of your NIS knowledge will prove useful in an NIS+ world. NIS+'s main drawback is that it is rapidly becoming extinct. If your application software will allow LDAP then that is really your best bet.
If it ain't broke, I can fix that.
TwoProc
Honored Contributor

Re: NIS+ encrypted?

A. Clay - what are the "forces" making it extinct? Are *NIX variants dropping support for it? Announcing it? Just curious as I've heard the same thing - I'm just wondering if it's a concrete thing, or folks at HP (and other) putting the word out to see if the user community starts screaming and crying about it or not.
We are the people our parents warned us about --Jimmy Buffett
A. Clay Stephenson
Acclaimed Contributor

Re: NIS+ encrypted?

Do a man nis (which includes NIS+). Under the WARNINGS section you will see "HP-UX 11i Version 2 is the last HP-UX on which NIS+ is supported."

Essentially there is nothing that NIS+ can do that LDAP can't do at least as well and is more portable. Like NIS+, little of your NIS knowledge will apply to LDAP. Because I would never trust my passwords to a Windows anything, I always run a UNIX or Linux LDAP server.
If it ain't broke, I can fix that.
TwoProc
Honored Contributor

Re: NIS+ encrypted?

Wow A. Clay - that REALLY tells the tale then doesn't it? Thanks for the critical info.
We are the people our parents warned us about --Jimmy Buffett