Re: Hardening NIS+

From: Akop Pogosian (akopps@CSUA.Berkeley.EDU)
Date: 08/14/02
Date: Tue, 13 Aug 2002 15:33:19 -0700
From: Akop Pogosian <akopps@CSUA.Berkeley.EDU>
To: focus-sun@securityfocus.com

On Mon, Aug 12, 2002 at 04:14:04PM -0700, Muhammad Faisal Rauf Danka wrote:
> The default security level for NIS+ is level 2, which is quite secure.
> If you have SunOS client machines on the network, which are going to get
> served by the NIS+ server, then you need to run NIS+ in
> YP compatibility mode.
>
> you should visit:
> http://www.eng.auburn.edu/users/rayh/solaris/NIS+_FAQ.html
>

One of our local crypto geeks while working on a different problem
(that had to do with user authentication on the web) noticed: "On the
easier side, you don't really even need to get the encrypted password
to check a password -- you can do the check with the encrypted secret
key, which is sitting in the world- and nobody-readable cred table.
You don't need to do an expensive multiple-precision modular
exponentiation to check if your decrypted secret key matches the
public key, since the secret key has a built-in checksum -- the last 8
bytes are always the same as the first 8." In other words, NIS+ is
crackable just like NIS.

Also, I have been told that 192-bit DH credentials are easily
crackable these days. Is that true? Are there any gotchas when
switching to stronger authentication mechanisms such as 1024-bit DH
keys? Will switching to 1024-bit DH keys improve security a lot? The
workstation credentials are usually encrypted using root's login
password. Therefore, in theory, not only user passwords but also root
passwords for all machines in the NIS+ domain are crackable. I have
been thinking of generating 1024-bit keys at least for workstation
principals but the procedure seems to be fairly complicated if you
change the DES credentials for the NIS+ master and replica servers
(there are several documents on sunsolve that can walk you through
this process).

-akop
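The thread above questions whether 192-bit DH credentials in the cred table are still adequate. The following audit script is an added example, not code from the original post or from Solaris; it assumes `niscat cred.org_dir` output in the five-column form `cname auth_type auth_name public_data private_data`, that the DH key length can be read off the hex length of `public_data` (48 hex digits for a 192-bit key, 256 for 1024-bit), and that extended mechanisms show an auth_type such as `DH1024-0`; the sample table is constructed.

```python
"""Flag NIS+ principals whose DH credentials are shorter than a minimum.

Assumptions (not verified against the page): each non-LOCAL cred row is
"cname auth_type auth_name public_data private_data", public_data is the
hex-encoded DH public key, and the row's private_data ends with ':'.
"""
import re

HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Constructed sample of `niscat cred.org_dir` output; values are not real keys.
SAMPLE_CRED_TABLE = "\n".join([
    "nobody LOCAL nobody",
    "unix.1001@example.com LOCAL 1001 10,14",
    "unix.1001@example.com DES unix.1001@example.com " + "a1" * 24 + " " + "b2" * 32 + ":",
    "unix.host1@example.com DES unix.host1@example.com " + "c3" * 24 + " " + "d4" * 32 + ":",
    "unix.1002@example.com DH1024-0 unix.1002@example.com " + "e5" * 128 + " " + "f6" * 136 + ":",
])


def parse_cred_table(text):
    """Return one dict per DH credential row with the inferred key size in bits."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # LOCAL rows map a principal to a uid/gid list and carry no key.
        if len(fields) < 4 or fields[1].upper() == "LOCAL":
            continue
        cname, auth_type, auth_name, public_data = fields[:4]
        public_data = public_data.rstrip(":")
        if not HEX_RE.fullmatch(public_data):
            continue  # not a hex public key; skip rather than guess
        entries.append({
            "cname": cname,
            "auth_type": auth_type,
            "auth_name": auth_name,
            "bits": len(public_data) * 4,  # 4 bits per hex digit
        })
    return entries


def weak_principals(text, min_bits=1024):
    """Principals whose DH public key is shorter than min_bits (192-bit DES creds by default)."""
    return [e["auth_name"] for e in parse_cred_table(text) if e["bits"] < min_bits]


if __name__ == "__main__":
    for name in weak_principals(SAMPLE_CRED_TABLE):
        print(f"weak credential: {name}")
```

On a real server, feed the script the output of `niscat cred.org_dir` instead of the constructed sample; the classic 192-bit rows are the ones the post says can be attacked offline from the world-readable table.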
