Re: Hardening NIS+

From: Jed Dobson (jed@wgtech.com)
Date: 08/16/02


Date: Fri, 16 Aug 2002 16:13:47 -0400 (EDT)
From: Jed Dobson <jed@wgtech.com>
To: focus-sun@securityfocus.com, Andrew J Caines <Andrew.J.Caines@wcom.com>


Around Aug 15, 2002 Andrew J Caines (Andrew.J.Caines@wcom.com) said :

> Akop said...
> > By the way, are you aware that Sun has already announced EOL for NIS+
> > in Solaris 9 release notes?
> > ...you'll be better off going with LDAP rather NIS.
>
> Despite the likelihood that Sun will continue to "support" (as in not stop
> it working) NIS and NIS+ for years, it's worth remembering that Sun is now
> bundling Netscape^WiPlanet^WSunONE apps, including Directory server, with
> Solaris and supporting them as Sun products.
>
> I haven't seen a Solaris 9 install or if they've made using LDAP with PAM
> automagic, or at least easy.

This brings up some good questions. I have done a bit of work with Solaris
9 and SunONE DS 5.1 with Solaris 8 & 9 clients as native clients. The
security models are *not* at all straightforward. I have gotten simple
authentication to work, which in some situations is o.k. Having an
encrypted password go over the wire in crypt form is the same situation as
NIS.

For all the effort involved in setting up SASL/DIGEST-MD5 or SSL/TLS
(which I still cannot get to work correctly!) I think it is easier to
use Kerberos or AFS/Kerberos and just use LDAP as the naming service for
passwd, group, etc.

The PAM_LDAP module is no better than using simple auth, as this sends the
crypt'd password in clear text (session). It doesn't support SSL or
SASL/DIGEST-MD5. SASL/DIGEST-MD5 protects the password but not the
whole session, which would allow for much network sniffing of usernames,
hosts, etc. This also requires the password to be clear text on the
server, which I don't feel comfortable with.

Now using TLS/SSL with DIGEST-MD5 seems like an o.k. situation; I get an
entire encrypted session, but the password remains in clear text on the
server.

What are other Sun users out there doing? If you are using AFS/Kerberos do
you just ignore passwords from LDAP and use the PAM modules? Are you
comfortable with crypt passwords going clear over the wire? Can you figure
out TLS?

-jed
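Added example (not part of Jed's post, and not SunONE or Solaris code) to make the two trade-offs above concrete: a simple bind puts the password on the wire as-is, while a DIGEST-MD5 bind (RFC 2831, qop=auth) keeps it off the wire but only works if the server can recompute MD5(user:realm:password), which in practice means storing the cleartext password. The user database, realm, digest-uri and password are constructed for the demo; the LDAP framing is reduced to plain dicts so it runs offline.

```python
"""Simple bind vs SASL DIGEST-MD5 (RFC 2831): what a sniffer sees on the
wire and what the directory server has to keep on disk.  Everything below
(users, realm, nonces, messages) is constructed for illustration."""
import hashlib
import secrets

# Assumed server-side store.  DIGEST-MD5 verification needs the cleartext
# password (or at minimum the raw MD5 of user:realm:password), so a crypt()
# hash as used by NIS is not enough here.
USERS = {"jed": "Fr0gSp4wn"}
REALM = "example.com"
DIGEST_URI = "ldap/ds.example.com"


def _h(data: str) -> bytes:
    """H(): raw 16-byte MD5 of a UTF-8 string (RFC 2831 notation)."""
    return hashlib.md5(data.encode("utf-8")).digest()


def _hexh(data) -> str:
    """HEX(H()): lowercase hex MD5 of bytes or a UTF-8 string."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def digest_md5(username, realm, password, nonce, cnonce, nc, digest_uri,
               *, server=False):
    """RFC 2831 response-value (client) or rspauth (server) for qop=auth
    with no authzid.  A1 = H(user:realm:pw) ":" nonce ":" cnonce,
    A2 = "AUTHENTICATE:" uri on the client side, ":" uri for rspauth."""
    a1 = _h(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}".encode()
    a2 = (":" if server else "AUTHENTICATE:") + digest_uri
    kd = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:auth:{_hexh(a2)}"
    return _hexh(kd)


def simple_bind(username, password):
    """LDAP simple bind: DN and password travel untouched; only TLS hides them.
    Returns (authenticated, what_the_wire_carries)."""
    wire = {"bindDN": f"uid={username},ou=people,dc=example,dc=com",
            "password": password}
    return USERS.get(username) == password, wire


def digest_md5_bind(username, password, nonce=None, cnonce=None):
    """Client and server halves of a DIGEST-MD5 bind.
    Returns (authenticated, what_the_wire_carries)."""
    nonce = nonce or secrets.token_hex(8)    # server challenge
    cnonce = cnonce or secrets.token_hex(8)  # client nonce
    nc = "00000001"
    response = digest_md5(username, REALM, password, nonce, cnonce, nc, DIGEST_URI)
    wire = {"username": username, "realm": REALM, "nonce": nonce,
            "cnonce": cnonce, "nc": nc, "digest-uri": DIGEST_URI,
            "response": response}
    # Server side: it can only check the response by recomputing it from a
    # stored cleartext password; a one-way crypt() hash would not do.
    stored = USERS.get(username)
    if stored is None:
        return False, wire
    expected = digest_md5(username, REALM, stored, nonce, cnonce, nc, DIGEST_URI)
    if not secrets.compare_digest(expected, response):
        return False, wire
    # Mutual auth: server proves it also knows the secret.
    wire["rspauth"] = digest_md5(username, REALM, stored, nonce, cnonce, nc,
                                 DIGEST_URI, server=True)
    return True, wire


def password_on_wire(wire, password):
    """True if the password string itself is visible in the captured fields."""
    return any(password in str(v) for v in wire.values())


def offline_guess(wire, wordlist):
    """What a sniffer can still do without TLS: the username, realm and nonces
    are in the clear, so candidate passwords can be tried offline."""
    for cand in wordlist:
        if digest_md5(wire["username"], wire["realm"], cand, wire["nonce"],
                      wire["cnonce"], wire["nc"], wire["digest-uri"]) == wire["response"]:
            return cand
    return None


if __name__ == "__main__":
    ok, wire = simple_bind("jed", "Fr0gSp4wn")
    print("simple bind ok:", ok, "password visible:", password_on_wire(wire, "Fr0gSp4wn"))
    ok, wire = digest_md5_bind("jed", "Fr0gSp4wn")
    print("DIGEST-MD5 ok:", ok, "password visible:", password_on_wire(wire, "Fr0gSp4wn"))
    print("sniffer still sees:", {k: wire[k] for k in ("username", "realm", "digest-uri")})
    print("offline guess from capture:", offline_guess(wire, ["secret", "Fr0gSp4wn"]))
```

RFC 2831 section 4 carries a worked vector (user "chris", realm "elwood.innosoft.com") that `digest_md5` can be checked against. The last line of the demo is the caveat behind "protects the password but not the whole session": without TLS the exchange still leaks the identity fields, and a captured response can be attacked offline with a wordlist, which is why wrapping the bind in TLS matters even when DIGEST-MD5 is in use.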
