Re: Hardening NIS+

From: Charles Clancy (security@xauth.net)
Date: 08/19/02


Date: Sun, 18 Aug 2002 22:49:56 -0500 (CDT)
From: Charles Clancy <security@xauth.net>
To: Jed Dobson <jed@wgtech.com>


> What are other Sun users out there doing? If you are using AFS/Kerberos do
> you just ignore passwords from LDAP and use the PAM modules?

I've done both LDAP and NIS+ with AFS and Kerberos. Just use LDAP or
NIS+ for name service, and then use pam_afs.so or pam_krb5.so (depending
on your environment) for authentication.

NIS+ example setup:

$ grep ^passwd /etc/nsswitch.conf
passwd: files nisplus
$ nisaddent -d passwd | grep ^clancytc
clancytc:x:8291:1000:T Charles Clancy:/Users/alumni/clancytc:/bin/tcsh
$ nisaddent -d shadow | grep ^clancytc
clancytc:*NP*::::::
$ grep ^login /etc/pam.conf
login auth sufficient /usr/lib/security/pam_afs.so.1 ignore_root
login auth required /usr/lib/security/pam_unix.so.1 use_first_pass

NIS+ is simply used for passwd info. The password in the shadow table is
just '*NP*'. Therefore even with nisplus specified in nsswitch.conf,
pam_unix could never possibly authenticate the user, and the only possible
authentication is through AFS.

IMHO, the best combination for ease of administration and security is to
use Kerberos with NIS+. Then, if you want to replace NFS as your shared
filesystem with something significantly more secure and robust, plug in
AFS.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
[ crypto ]---[ coordinated science lab ]---[ university of illinois ]
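An added audit script, not part of Charles's post, that checks the two invariants his setup relies on against constructed sample data: every NIS+ shadow entry must carry an unusable password field like '*NP*', and pam_unix on the login auth stack must only run with use_first_pass behind a sufficient pam_afs/pam_krb5 line. Which markers besides '*NP*' count as unusable is an assumption.

```python
# Constructed sample of `nisaddent -d shadow` output: one entry locked as in
# the post, one carrying a real hash that pam_unix could accept.
SHADOW_SAMPLE = """clancytc:*NP*::::::
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz012345:::::::
"""

# Constructed /etc/pam.conf excerpt in Solaris format:
# service module_type control_flag module_path [options]
PAM_SAMPLE = """login auth sufficient /usr/lib/security/pam_afs.so.1 ignore_root
login auth required /usr/lib/security/pam_unix.so.1 use_first_pass
other auth required /usr/lib/security/pam_unix.so.1
"""


def hash_is_unusable(field):
    """Assumption: these markers (and anything starting with '*' or '!')
    never match a typed password in pam_unix."""
    return field in ("*NP*", "*LK*", "NP", "") or field[0] in "*!"


def shadow_entries_with_usable_hash(shadow_text):
    """Login names whose shadow entry would let pam_unix authenticate."""
    bad = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw = line.split(":", 2)[:2]
        if not hash_is_unusable(pw):
            bad.append(name)
    return bad


def auth_stack(pam_text, service):
    """[(control_flag, module_basename, options)] for one service's auth stack."""
    stack = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == service and parts[1] == "auth":
            stack.append((parts[2], parts[3].rsplit("/", 1)[-1], parts[4:]))
    return stack


def pam_unix_is_fallback_only(stack):
    """True when pam_unix only ever sees the password already tried by an
    earlier 'sufficient' AFS/Kerberos module (use_first_pass)."""
    seen_sufficient = False
    for control, module, opts in stack:
        if module.startswith(("pam_afs", "pam_krb5")) and control == "sufficient":
            seen_sufficient = True
        elif module.startswith("pam_unix"):
            if not seen_sufficient or "use_first_pass" not in opts:
                return False
    return True
```

Run the two checks together: an empty list from shadow_entries_with_usable_hash plus a True from pam_unix_is_fallback_only for "login" means pam_unix cannot succeed on its own, which is the property the post describes.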


