RE: Hardening NIS+

From: Small, Jim (jim.small@eds.com)
Date: 08/14/02


From: "Small, Jim" <jim.small@eds.com>
To: focus-sun@securityfocus.com
Date: Wed, 14 Aug 2002 13:12:21 -0400

Thank you for all the replies for information regarding hardening NIS+.

Here is some background info:
Platforms being used:
Solaris 7 Sparc, Solaris 8 Sparc
Possibly Solaris 9 Sparc in the future
Probably not but possibly Solaris 2.6 Sparc

Goals:
O Strongest most secure encrypted authentication
O Strongest most secure authorization
O For all NIS+ file system data (/var/nis) and executables/libraries/etc...
- setting the most restrictive permissions possible. The ideal scenario
would be only the owner has any access, although I have discovered for many
files/directories this is not possible.
O For all NIS+ internal data (directories, tables, groups, links, objects,
...) - setting the most restrictive permissions possible, especially
eliminating world and nobody access where possible/feasible.
O No form of anonymous access. (Unfortunately, this does not seem to be
possible)

What I've done so far:
As far as general O/S hardening, there are many great sources of information
including the Sun Blueprints, so I'm fairly well set here.

I have read through most of Rick Ramsey's All About Administering NIS+. I
have taken Sun's SA-385 - NIS+ Administration. I have also scanned through
several NIS+ FAQ's and all the SunSolve documentation I could find. I have
also read through the NIS+ Transition Guide, and scanned through the Solaris
Naming Configuration and Setup Guide and the Solaris Naming Administration
Guide for both Solaris 7 and 8 (docs.sun.com).

I believe the bulk of the work is when setting up the Root Master Server.
Here is what I have so far for hardening NIS+ on it:
nisauthconf dh1024-0
(Incidentally, my SA-385 book says there is a way to use Kerberos for
encryption, but the details are not in the book. My instructor also did not
know. Does anyone know if this is possible?)
NIS_GROUP=admin; export NIS_GROUP
(Necessary or some things get put in NIS+ without a group. Not sure about
nisserver, but definitely true for nispopulate)
nisserver -r -d <domain>
Use nisopaccess to lock down commands that don't normally check for
authorization
Note that I am also planning on using ntp with encrypted keys. The Sun
Blueprints do a great job of explaining how to do this.
Use nistbladm and nischmod to remove all world access from the passwd and
group tables and the password column in the passwd and group tables

I also started playing around with file permissions and noticed that
/var/nis must be 755 and /var/nis/NIS_COLD_START must be 644 for NIS+ to
work. Any form of world/other access makes me queasy...

Questions:
I find it troubling that anyone can use nisinit to get a coldstart file,
either by directly talking to a server or even worse, through a broadcast.
Is there a way to disable a response to nisinit from NIS+ servers or better
yet, only allow a response to clients with existing, valid credentials?

Has anyone played around with locking down file/directory permissions,
especially under /var/nis?

I would like to eliminate all anonymous (nobody) access from NIS+.
Unfortunately this does not seem possible. According to the man page
[nis+(1)], for bootstrapping reasons the following must grant read access to
nobody:
directory objects that are NIS+ domains, the org_dir subdirectory, and the
cred table

The ideal situation would be that a machine not in the NIS+ domain would not
be able to obtain any NIS+ information whatsoever.

As Akop stated, since the encrypted secret key is world readable, passwords
can be cracked:
"On the easier side, you don't really even need to get the encrypted
password to check a password -- you can do the check with the encrypted
secret key, which is sitting in the world- and nobody-readable cred table.
You don't need to do an expensive multiple-precision modular exponentiation
to check if your decrypted secret key matches the public key, since the
secret key has a built-in checksum -- the last 8 bytes are always the same
as the first 8."

Besides the objects mentioned above, is there any reason other objects need
to grant any form or nobody access? What about world access? Can this be
restricted for some objects?

It would be nice if you could only grant NIS+ access by owner and group
access, but I believe each NIS+ object can only have 1 group. Please
correct me if I'm wrong.

I am transitioning a domain from NIS to NIS+. I realize that if I run NIS+
in compatibility mode that all bets with security are off. However, as soon
as the transition is complete, this hole will be closed. Is there anything
special that I should be aware of here?

Darren, you also mentioned better trust between NIS+ principals, but I'm not
sure what you mean by this. Could you elaborate?

Any information or ideas would be greatly appreciated!

Thanks,
   <> Jim

Jim Small
EDS - Infrastructure Integrity
MS 5D
750 Tower Dr.
Troy, MI 48098-2868
* phone: +01-248-265-4863 [8-365]
* mailto:jim.small@eds.com
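The root-master steps listed under "What I've done so far", written out as a dry-run shell plan. This is an added example, not code from the original post or from Sun; the domain name and the `DRY_RUN`/`NIS_DOMAIN` variables are assumptions, and the commands are the Solaris NIS+ utilities the post names (nisauthconf, nisserver, nischmod, nistbladm).

```shell
#!/bin/sh
# Added example, not part of the original post: the root-master hardening
# steps from the message above as a reviewable plan. The commands are the
# Solaris NIS+ utilities the post names; the domain is a placeholder.
# DRY_RUN=1 (the default) only prints the plan, so it can be reviewed before
# anything under /var/nis is touched; DRY_RUN=0 executes each line in order.
DRY_RUN=${DRY_RUN:-1}
NIS_DOMAIN=${NIS_DOMAIN:-example.com.}   # placeholder; NIS+ names are fully qualified

# Step 1: 1024-bit Diffie-Hellman authentication for the domain.
auth_cmd() { echo "nisauthconf dh1024-0"; }

# Step 2: give objects created later (e.g. by nispopulate) the admin group.
group_env() { echo "NIS_GROUP=admin; export NIS_GROUP"; }

# Step 3: create the root master server for the domain.
server_cmd() { echo "nisserver -r -d $NIS_DOMAIN"; }

# Step 4: drop all world (w) rights on a table object. Rights letters are
# r/m/c/d = read/modify/create/destroy. The nobody class ('n') is left alone
# here because nis+(1) says it must keep read on domain directories,
# org_dir and the cred table for bootstrapping.
table_lockdown() { echo "nischmod w-rmcd $1.org_dir.$NIS_DOMAIN"; }

# Step 5: drop world read on one column (the password field) of a table.
column_lockdown() { echo "nistbladm -u $2=w-r $1.org_dir.$NIS_DOMAIN"; }

# Full plan: steps 1-3 once, then table and column lockdown for passwd and group.
plan() {
    auth_cmd
    group_env
    server_cmd
    for t in passwd group; do
        table_lockdown "$t"
        column_lockdown "$t" passwd
    done
}

if [ "$DRY_RUN" = 1 ]; then
    plan
else
    # All lines run in one subshell, so the exported NIS_GROUP is seen by
    # the commands that follow it.
    plan | while read -r cmd; do eval "$cmd" || exit 1; done
fi
```

Run it with `DRY_RUN=1` first and read the printed commands against the tables you actually intend to lock down before switching to `DRY_RUN=0`.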

-----Original Message-----
From: Darren Moffat [mailto:Darren.Moffat@Sun.COM]
Sent: Friday, August 09, 2002 4:54 PM
To: jim.small@eds.com
Cc: focus-sun@securityfocus.com
Subject: Re: Hardening NIS+

>Has anyone seen any articles/papers on hardening/locking down NIS+?

You need to be a bit more specific in what your end goal is and why
the default configuration of NIS+ is not sufficient.

Do you want to:

1. Harden the NIS+ servers ?
2. Get better trust between NIS+ principals ?
3. Restrict access to parts of the NIS+ tree to certain user groups ?
4. Restrict access to fields within a record.
5. Other

All of these are possible but the answer depends on what you want to do.

I would recommend that you read the Ramsey NIS+ book (a bit old but still
relevant):

        All About Administering NIS+ (2nd Edition)
        by Rick Ramsey (Paperback)
        Prentice Hall PTR; ISBN: 0133095762

there is also a wealth of information on docs.sun.com.
        
--
Darren J Moffat
