Re: Hardening NIS+

From: Jed Dobson (jed@wgtech.com)
Date: 08/16/02


Date: Fri, 16 Aug 2002 16:13:47 -0400 (EDT)
From: Jed Dobson <jed@wgtech.com>
To: focus-sun@securityfocus.com, Andrew J Caines <Andrew.J.Caines@wcom.com>


Around Aug 15, 2002 Andrew J Caines (Andrew.J.Caines@wcom.com) said :

> Akop said...
> > By the way, are you aware that Sun has already announced EOL for NIS+
> > in Solaris 9 release notes?
> > ...you'll be better off going with LDAP rather NIS.
>
> Despite the likelihood that Sun will continue to "support" (as in not stop
> it working) NIS and NIS+ for years, it's worth remembering that Sun is now
> bundling Netscape^WiPlanet^WSunONE apps, including Directory server, with
> Solaris and supporting them as Sun products.
>
> I haven't seen a Solaris 9 install or if they've made using LDAP with PAM
> automagic, or at least easy.

This brings up some good questions. I have done a bit of work with Solaris
9 and SunONE DS 5.1 with Solaris 8 & 9 clients as native clients. The
security models are *not* at all straightforward. I have gotten simple
authentication to work, which in some situations is o.k. Having an
encrypted password go over the wire in crypt form is the same situation as
NIS.

For all the effort involved in setting up SASL/DIGEST-MD5 or SSL/TLS
(which I still cannot get to work correctly!) I think it is easier to
use Kerberos or AFS/Kerberos and just use LDAP as a naming service for
passwd, group, etc.

The PAM_LDAP module is no better than using simple auth, as this sends the
crypt'd password in clear text (session). This doesn't support SSL or
SASL/Digest-MD5. SASL/Digest-MD5, meanwhile, protects the password but not the
whole session, which would allow for much network sniffing of usernames,
hosts, etc, etc. This also requires the password to be clear text on the
server, which I don't feel comfortable with.

Now using TLS/SSL with Digest-MD5 seems like an o.k. situation; I get an
entire encrypted session but the password remains in clear text on the
server.

What are other Sun users out there doing? If you are using AFS/Kerberos do
you just ignore passwords from LDAP and use the PAM modules? Are you
comfortable with crypt passwords going clear over the wire? Can you figure
out TLS?

-jed
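An added illustration, not part of the original post, of the SASL DIGEST-MD5 exchange (RFC 2831, qop=auth) that the thread discusses: the client answers the server's challenge without ever sending the password, the eavesdropper still sees username, realm and digest-uri in clear, and the server can verify only if it holds the plaintext or the unsalted MD5(user:realm:password), which is password-equivalent. Function names and all sample values (user, realm, nonces, URI) are constructed for the example.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hh(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def password_equivalent(username: str, realm: str, password: str) -> bytes:
    """Unsalted MD5(user:realm:password): the minimum a DIGEST-MD5 server must
    keep per user if it does not keep the plaintext itself (password-equivalent)."""
    return _h(f"{username}:{realm}:{password}".encode())


def digest_response(pw_equiv: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """response-value per RFC 2831 for qop=auth. A1 mixes the stored hash with
    both nonces; A2 binds the answer to the LDAP service URI."""
    a1 = pw_equiv + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hh(f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2)}".encode())


def client_bind(username, realm, password, challenge, digest_uri, cnonce):
    """Client side: hashes its plaintext password and answers the challenge.
    Every field in the returned dict travels over the wire unencrypted."""
    pw_equiv = password_equivalent(username, realm, password)
    return {"username": username, "realm": realm, "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": "00000001", "qop": "auth",
            "digest-uri": digest_uri,
            "response": digest_response(pw_equiv, challenge["nonce"], cnonce,
                                        "00000001", "auth", digest_uri)}


def server_verify(stored: dict, msg: dict) -> bool:
    """Server side: recomputes the response from its stored hash alone.
    It never learns the password, but the hash it keeps is password-equivalent."""
    pw_equiv = stored[(msg["username"], msg["realm"])]
    expected = digest_response(pw_equiv, msg["nonce"], msg["cnonce"], msg["nc"],
                               msg["qop"], msg["digest-uri"])
    return expected == msg["response"]


def demo() -> bool:
    # constructed sample values; a real server draws a fresh nonce per bind
    realm, user, pw = "example.com", "jed", "correct horse"
    challenge = {"nonce": "n0nce-from-server", "realm": realm, "qop": "auth"}
    stored = {(user, realm): password_equivalent(user, realm, pw)}
    msg = client_bind(user, realm, pw, challenge, "ldap/ldap.example.com", "c1ient-n0nce")
    sniffed = " ".join(f"{k}={v}" for k, v in msg.items())  # what a sniffer sees
    return server_verify(stored, msg) and pw not in sniffed and user in sniffed
```

Wrapping the same exchange in TLS hides the sniffed fields but changes nothing about what the server has to store, which is the trade-off the post describes.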