On 21 Apr 2007, at 7:22 pm, Derek Martin wrote:

> Your specific case looks OK to me (though I'd definitely want to think
> carefully about it before I set something like that up myself), but in
> the general case, NIS is *not* OK... it's completely insecure and
> unsecurable. In general, it should no longer ever be used.
>
> - passwords are transmitted in clear text on the wire

... which is exactly why this is a one-machine NIS setup which never
sends anything NIS-related onto the wire at all.

> - It uses (possibly broadcast) UDP, so it's easy to spoof
> - Any machine on the same network as the NIS master or slaves can
>   spoof them, allowing local users to gain complete control of the
>   NIS domain...

Ouch, I wasn't aware of that one. Still not a problem in this case,
since the CVS server is in its own little DMZ world and can't see
anything else. But for the general case of NIS, yes, that's nasty.
Another reason to switch to LDAP/TLS authentication as soon as I can at
work... once all the Tru64 legacy machines are gone.

> Other than that, yeah... totally secure. ;-) I need to make this
> clear for people who are reading this and thinking, "oh, cool, I'll
> just get Tim's patches and set up NIS then..."

Indeed. People should always be aware of all the arguments.

>> the case of the server I'm talking about, the users work in the rssh
>> jail, and the NIS password that yppasswd changes is only for this one
>> machine; the NIS server listens only to localhost, and the passwords
>> are not used by any other system.
>
> This sounds reasonably safe, as I said; but you can't add a feature
> like this to the software based on such a special-case usage scenario.

That's a fair comment.
Tim

_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
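The whole argument above rests on "the NIS server listens only to localhost", and the thing a reader should verify before copying the setup is exactly that. The script below is an added example and is not from the thread, from rssh, or from ypserv; it assumes Linux `ss -Hlnup` / `ss -Hlntp` output and the documented `/var/yp/securenets` format, and the sample socket lines are constructed here to stand in for live output.

```shell
#!/bin/sh
# Added example, not part of the rssh-discuss thread: audit whether the NIS
# daemons on this box are reachable from anything other than loopback.
# Two checks: (1) where ypserv/ypbind/rpc.yppasswdd sockets are bound,
# (2) whether /var/yp/securenets grants anything beyond 127.0.0.1.

# nis_exposed: read `ss -Hlnup`/`ss -Hlntp`-style lines from stdin, print one
# line per NIS daemon socket that is NOT bound to 127.0.0.1 or [::1].
# Returns 1 if any such socket was found, 0 otherwise.
nis_exposed() {
    awk '
        # Field 5 is "Local Address:Port"; the last field is
        # users:(("name",pid=NNN,fd=N)). Only NIS daemons matter here;
        # rpcbind is shared infrastructure and is deliberately ignored.
        $NF ~ /"(ypserv|ypbind|rpc\.yppasswdd|rpc\.ypxfrd|ypxfrd)"/ {
            addr = $5
            sub(/:[^:]*$/, "", addr)             # strip the port
            if (addr != "127.0.0.1" && addr != "[::1]") {
                match($NF, /"[^"]+"/)
                name = substr($NF, RSTART + 1, RLENGTH - 2)
                printf "%s bound to %s (%s)\n", name, addr, $1
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# securenets_loopback_only: read a /var/yp/securenets file from stdin and
# return 0 only if every active entry grants exactly 127.0.0.1, using either
# spelling the file format allows ("host 127.0.0.1" or the netmask form).
securenets_loopback_only() {
    awk '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        ($1 == "host" && $2 == "127.0.0.1") { next }
        ($1 == "255.255.255.255" && $2 == "127.0.0.1") { next }
        { bad = 1; printf "non-loopback securenets entry: %s\n", $0 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample in the shape of `ss -Hlnup`/`ss -Hlntp` output.
# ypserv is loopback-only, but rpc.yppasswdd has been left on 0.0.0.0,
# which is the mistake that turns a "one-machine NIS" into a wire exposure.
SAMPLE_SS='udp   UNCONN 0 0   127.0.0.1:628   0.0.0.0:* users:(("ypserv",pid=1234,fd=5))
udp   UNCONN 0 0   0.0.0.0:111     0.0.0.0:* users:(("rpcbind",pid=900,fd=6))
udp   UNCONN 0 0   0.0.0.0:631     0.0.0.0:* users:(("rpc.yppasswdd",pid=1300,fd=4))
tcp   LISTEN 0 128 [::1]:629       [::]:*    users:(("ypserv",pid=1234,fd=6))'

# Demo on the constructed sample. Against a live host use:
#   { ss -Hlnup; ss -Hlntp; } | nis_exposed
#   securenets_loopback_only < /var/yp/securenets
printf '%s\n' "$SAMPLE_SS" | nis_exposed \
    || echo "a NIS daemon is reachable off-box; the localhost-only argument does not hold"
```

The socket check is the one that matters: securenets only restricts which clients ypserv answers, it does not stop the UDP spoofing Derek describes, and it does nothing for rpc.yppasswdd, so a clean securenets with a daemon bound to 0.0.0.0 is still an exposed box.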
