Re: PAM and LinuxRouter questions

From: Charles Clancy (security@xauth.net)
Date: 01/18/02


Date: Fri, 18 Jan 2002 12:22:10 -0600 (CST)
From: Charles Clancy <security@xauth.net>
To: Paul Lussier <pll@mclinux.com>


> >I also suggest you use ANYTHING but NIS. NIS+ and LDAP are infinitely
> >better when it comes to the security aspects of name service.
>
> From a security perspective, I'll grant you that NIS is horrible, but
> from a management perspective, NIS+ and LDAP appear to be a lot worse.
> That, and AFAIK, there is no NIS+ implementation for Linux.
> Besides, why would you *want* to use something which the developers
> themselves (Sun) have all but abandoned and don't use?

For Linux NIS+, see:
http://www.ibiblio.org/mdw/HOWTO/NIS-HOWTO/x332.html#AEN334

For NIS fans, NIS+ is an easy next step, from which you gain a great deal
of security. Since host authenticity is based on knowledge of a DES (or
3DES) key, and not an IP address, spoofing is much more difficult (if not
impossible).

I'd only feel comfortable using NIS if it were used in conjunction with
Kerberos. Keep the passwords in Kerberos, and the rest in NIS.

True, Sun (and Microsoft, it seems, with ADS) is moving to LDAP. It
provides ultimate flexibility, and provides name service for many different
types of applications. For example, I've used the same LDAP database for
distributing /etc/passwd (posixAccount schema) information, mail
forwarding (aliases with Sendmail-LDAP), and general directory information
(such as office, phone number, etc).

> As far as LDAP? I keep hearing that it's the next best thing, but
> there don't seem to be many tools for using it in a large scale
> enterprise environment. There are some out there, but it seems that
> they're slow in coming. And man is that record format overly verbose
> and tedious to deal with!

Well, the concepts are a bit harder to understand than those of NIS/NIS+. As
for the record format, just include the relevant schemas. I admit, it's
overkill for a small organization, but can provide the needed structure
for larger organizations.

> Nah, even for all its insecurities, I like NIS. It's easy to deal
> with and simple to manage. And if you really need the security, then
> just use something like rdist or rsync to push around the
> passwd/shadow maps. If you're in an all Linux/Unix environment, it's
> trivial to create a sysVinit script that pulls down the most recent
> files at boot time.

Hmm... /etc/passwd and /etc/shadow floating around the network. That
makes me a little nervous.

In my opinion, for the most flexibility and compatibility, a combination
of Kerberos 5 and LDAP works best. In fact, Microsoft's ADS provides both
of those interfaces, so one could have a single account for all users that
supports both Windows and UNIX environments.

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
coordinated science laboratory <> university of illinois
cryptography and information protection
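As an added example (not code from the thread or from either poster), the following Python script shows the LDAP side of what the reply describes: posixAccount entries from a directory, exported as LDIF, are rendered into /etc/passwd lines, and nisMailAlias entries (the class OpenLDAP ships in misc.schema for RFC 2307 mail aliases) into an aliases file. The LDIF text, the names, the UID values and the hash placeholder are constructed sample data. The password field is always written as "x": the hashes stay in the directory or in Kerberos, so nothing like /etc/shadow is copied across the network, and entries that would hand out a system UID or carry a malformed login name are rejected rather than written.

```python
"""Render LDIF posixAccount / nisMailAlias entries into passwd(5) and aliases(5)
lines. Added example; the sample LDIF below is constructed, not from any real
directory."""

import base64
import re

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {SSHA}constructed-placeholder-hash
telephoneNumber: +1 555 0100

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Bob Example
uid: bob
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash

dn: cn=postmaster,ou=Aliases,dc=example,dc=com
objectClass: nisMailAlias
cn: postmaster
rfc822MailMember: alice@example.com
"""

# Attributes posixAccount requires before an entry can become a passwd line.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Conservative login-name syntax (what useradd accepts by default).
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, 'attr:: base64' lines. Returns a list of dicts mapping attribute
    name -> list of values (LDIF attributes are multi-valued)."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def passwd_lines(entries, min_uid=1000):
    """Return (lines, rejected). Entries below min_uid, with missing
    attributes, bad login names or ':'/newline in a field are rejected, so a
    directory entry cannot quietly become a local root account."""
    lines, rejected = [], []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        dn = e.get("dn", ["?"])[0]
        missing = [a for a in REQUIRED if a not in e]
        if missing:
            rejected.append((dn, "missing " + ", ".join(missing)))
            continue
        try:
            uid_num, gid_num = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        except ValueError:
            rejected.append((dn, "non-numeric uidNumber/gidNumber"))
            continue
        login = e["uid"][0]
        if not LOGIN_RE.match(login):
            rejected.append((dn, f"bad login name {login!r}"))
            continue
        if uid_num < min_uid:
            rejected.append((dn, f"uidNumber {uid_num} below {min_uid}"))
            continue
        # "x": the hash stays in LDAP/Kerberos, never in the exported file.
        fields = [login, "x", str(uid_num), str(gid_num),
                  e.get("cn", [""])[0], e["homeDirectory"][0], e["loginShell"][0]]
        if any(":" in f or "\n" in f for f in fields):
            rejected.append((dn, "field contains ':' or newline"))
            continue
        lines.append(":".join(fields))
    return lines, rejected


def alias_lines(entries):
    """Render nisMailAlias entries as sendmail aliases(5) lines."""
    return [f"{e['cn'][0]}: {', '.join(e['rfc822MailMember'])}"
            for e in entries if "nisMailAlias" in e.get("objectClass", [])]


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    ok, bad = passwd_lines(ents)
    print("\n".join(ok))
    for dn, why in bad:
        print(f"rejected {dn}: {why}")
    print("\n".join(alias_lines(ents)))
```

Run against the sample, alice becomes a passwd line, bob (uidNumber 0) is rejected with a reason, and the postmaster alias is emitted; in practice the LDIF would come from an ldapsearch export and the same checks apply.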
