
NIS+, security

 
SOLVED
Go to solution
Tim D Fulford

Some background:
I'm currently putting together a NIS+ domain, and from this "test" we will reflect it onto "live" boxes. However, as these boxes are live I want to do this in baby steps, never impacting performance/usability. For security I would like to shadow the /etc/passwd file (which will contain root, daemon, ..) and use NIS+ tables for the regular users (myself etc). I do know that I can convert my system to a trusted system (which is advised) and this will do the above, but there are access problems (hosts.equiv, .rhosts etc) in doing this.

What I have found:
1 - add in the NIS+ passwd.org_dir table
root:+:0:3:root:/root:/usr/sh
daemon:*:1... etc
:
joepub:?????:1076:20:Joe_Public:/home/joepub:/usr/bin/ksh

2 - Change the permissions of /etc/passwd to
-r--r----- 1 root sys ... /etc/passwd
Note: /etc/passwd has the encrypted root pwd, daemon, bin sys etc is * (no pwd)

3 - Edit /etc/nsswitch.conf
passwd: files nisplus

This actually seems to work!!!! regular users cannot see root's encrypted password!!!

1 Can anyone suggest a down side to this?
2 Is this really as secure as I think it is or am I just fooling myself?

Now shoot, security gurus, I need some nasty, weaselly hacks & cracks on this architecture. ;-)

Tim F
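
An added example, not part of Tim's post or of any HP-UX tooling: a small POSIX shell audit of the three steps above. It checks that the local passwd file is mode 0440, that no local account other than root carries a real hash, and that the nsswitch.conf passwd line is exactly "files nisplus" so the local root entry wins. The sample files it runs against are constructed here, not taken from a real system; file paths are parameters so it can be pointed at copies.

```shell
#!/bin/sh
# Audit helpers for the setup in the post: root's hash stays in a 0440
# /etc/passwd, every other local entry is "*", and nsswitch.conf resolves
# passwd from "files" before "nisplus".

# Non-root local entries must carry "*" (or "+") in the password field.
check_local_hashes() {
  awk -F: '$1 != "root" && $2 != "*" && $2 != "+" { bad++ }
           END { exit bad ? 1 : 0 }' "$1"
}

# The file must be 0440 (-r--r-----); a trailing ACL/SELinux marker is ignored.
check_passwd_mode() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-r--r-----" ]
}

# The passwd line must be exactly "files nisplus": local root is found first,
# NIS+ supplies only the regular users.
check_nsswitch_order() {
  awk '$1 == "passwd:" { if (NF == 3 && $2 == "files" && $3 == "nisplus") ok = 1 }
       END { exit ok ? 0 : 1 }' "$1"
}

# Run all three checks; prints each finding, returns 1 if any failed.
audit_shadowing() {
  rc=0
  check_local_hashes "$1"   || { echo "FAIL: non-root hash readable in $1"; rc=1; }
  check_passwd_mode "$1"    || { echo "FAIL: $1 is not mode 0440"; rc=1; }
  check_nsswitch_order "$2" || { echo "FAIL: passwd line in $2 is not 'files nisplus'"; rc=1; }
  return $rc
}

# Constructed sample files (hash value is a placeholder) to exercise the checks.
demo_dir=$(mktemp -d)
printf 'root:xPLACEHOLDERx:0:3:root:/:/sbin/sh\ndaemon:*:1:5::/:/sbin/sh\n' > "$demo_dir/passwd"
chmod 440 "$demo_dir/passwd"
printf 'passwd: files nisplus\ngroup: files nisplus\n' > "$demo_dir/nsswitch.conf"
if audit_shadowing "$demo_dir/passwd" "$demo_dir/nsswitch.conf"; then
  echo "sample config OK"
fi
rm -rf "$demo_dir"
```

Note that the script only inspects the local side; whether the NIS+ passwd.org_dir table itself is readable by unauthenticated principals has to be checked with the NIS+ access rights on the server.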
Shannon Petry
Solution

Re: NIS+, security

Well, you're right about trusted mode and NIS/NIS+ not working together. This is because the passwords, and other info, are not kept in a human-readable format in trusted mode.

Next, because HP-UX does not use a shadow file, there is no way of implementing it as far as I know unless you feel like writing your own login/pam code.

Next, since NIS+ does not use standard RPC calls, and forces client hierarchy and encrypts its data, there is really not much use for you to take all of the extra steps.

While on one hand, you can nis_cat the file and see the string, the other hand is that the client has to be an approved member of the domain in order to see anything.

Lastly, following good UX procedures, changing your password every month at least, and using no words, chars+caps+numbers, you have little to fear from hackers.

From experience, I ran two boxes full bore for 45 days one with "crack" and the other with "john the ripper". I had given both apps the same 60 user password file. NO passwords were found.....

Regards,
Shannon
Microsoft. When do you want a virus today?
Tim D Fulford

Re: NIS+, security

Thanks for the reply.

As it happens I cannot use this method to protect the root passwd. We use Informix & it hates NIS+. It will not authenticate itself with NIS+ unless it has an entry in the /etc/passwd file, which means it must be readable by informix!

Cheers

Tim