HPE Community
Operating System - HP-UX
1847041 Members
4016 Online
110261 Solutions
New Discussion

What are the security implications of runnings NIS?

 
Sean OB_1
Honored Contributor

‎09-06-2002 07:36 AM

‎09-06-2002 07:36 AM

What are the security implications of runnings NIS?

Hello,

I have a client that has 15 servers, both HP and Solaris.

I'm interested in setting them up an NIS server to simply user administration.

What are the implications of doing this?

Thanks,

Sean
0 Kudos
Reply
9 REPLIES 9
Rodney Hills
Honored Contributor

‎09-06-2002 07:41 AM

‎09-06-2002 07:41 AM

Re: What are the security implications of runnings NIS?

For one, you can't use "trusted" systems on the HP.

-- Rod Hills
There be dragons...
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎09-06-2002 07:46 AM

‎09-06-2002 07:46 AM

Re: What are the security implications of runnings NIS?

Unless these machines are on the internet, or you have some mighty fine hackers inside your facility; then there is NO concern with NIS.

NIS is not designed with security in mind, and anyone can find your raw password file, thus gaining usernames, and salted passwords.

If you want security and NIS features then look to NIS+.

I'd recommend that you use the Sun server to set this up for several reasons. 1. NIS+ was developed by sun, and the tools are very stable in solaris. Im not saying that HP does not have good tools, just that I know little of them and they have only been out about a year now.

NIS+ takes a bit more thought to setup, but still has the same principles behind it.

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎09-06-2002 08:05 AM

‎09-06-2002 08:05 AM

Re: What are the security implications of runnings NIS?

NIS is notoriously insecure because it does not do any authentication at RPC level. For example a hacker can write a "bogus" RPC program a mimic the NIS server in your environment. This is just one example.. but implementing NIS with good security practice in mind outweighs not wanting to implement NIS just because it's not 100% secure. There are ways to make it secure. For a basic NIS implementation (not NIS+), you can control the client/server binding by using /var/yp/securenets on the server side and /var/yp/secureservers on the client side. Personally I have not done any strict tightening before in my NIS environment. Another side to this is make sure your fundamental system security practice is solid, things like password strengthing, installing all security patches, blocking TCP attacks (from router side), etc, etc. That way you at least know you have a strong and security Unix infrastructure.
0 Kudos
Reply
Sean OB_1
Honored Contributor

‎09-06-2002 08:23 AM

‎09-06-2002 08:23 AM

Re: What are the security implications of runnings NIS?

Security is one of the things that brings this up. Right now the client gives anyone who wants/needs the root password. They also have a few accounts that are shared by many people.

So I want to force everyone to have their own account and log in with it. But they don't want the admin of having to put accounts on 15 servers.

So I'm looking to NIS to take care of the account management.

Then I'll implement sudo to take care of the rest.

0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎09-06-2002 08:24 AM

‎09-06-2002 08:24 AM

Re: What are the security implications of runnings NIS?

Probably NIS's biggest hole is that a user can
do a ypcat passwd command and get the hashed passwds. This is the same problem that an untrusted system has because there is no shadow passwd file. After getting the passwd map a user can then run a program like 'Crack' against the map and search for weak, ill-constructed passwords. This problem can be largely dealt with by coding a replacement for yppasswd that enforces very tight passwd construction; this is not a difficult exercise.

Your other option is to choose NIS+.
If it ain't broke, I can fix that.
0 Kudos
Reply
Sean OB_1
Honored Contributor

‎09-06-2002 08:28 AM

‎09-06-2002 08:28 AM

Re: What are the security implications of runnings NIS?

What does NIS+ bring over NIS?
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎09-06-2002 08:39 AM

‎09-06-2002 08:39 AM

Re: What are the security implications of runnings NIS?

Firstly .. the most intended feature that you're looking for ..
Quote ..
NIS+ is secure. It uses a private key/public key authentication scheme with DES encryption. Every user and host in the namespace has its own unique credentials, and you can decide which users and hosts will be allowed to read or modify the information in each NIS+ domain.
Unquote ..
This is from ..
http://www.docs.hp.com/hpux/onlinedocs/B1031-90048/B1031-90048.html
"Configuring and Adminstering NIS+". Good read.
0 Kudos
Reply
Shannon Petry
Honored Contributor

‎09-06-2002 08:57 AM

‎09-06-2002 08:57 AM

Re: What are the security implications of runnings NIS?

In addition, you can also give different hosts different levels of access.

Another nice feature of NIS+ is that it supports a structure allowing for sub-domaining in the truest sense. This means that a top level can see levels below, which can be their own unique NIS+ domain, or group of domains for that matter.

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎09-06-2002 11:41 AM

‎09-06-2002 11:41 AM

Re: What are the security implications of runnings NIS?


Look at this

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J4269AA

and make sure to check out

http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration

live free or die
harry
Live Free or Die
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.