Re: overcome NIS
- From: "Stachu 'Dozzie' K." <dozzie@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 4 Dec 2005 03:41:44 +0000 (UTC)
On 04.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
> On Sun, 04 Dec 2005 00:54:03 +0000, Stachu 'Dozzie' K. wrote:
>> On 03.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
>>> On Sat, 03 Dec 2005 22:05:08 +0000, John Thompson wrote:
>
>> Do you really let laptops into your internal network?
>
> Well the only network i own is my home LAN and yes i have a laptop.
>
>> Or maybe you connect the wireless network to the stationary network
>> with a bridge/switch?
>
> Wouldn't this effectively make it /one/ network above the media level?
>
>> This _is_ a serious design flaw.
>
> ???
We're talking about networks where NIS can do some work, that is
networks requiring some directory services, aren't we? Otherwise NIS is
an unnecessary service and leaving it running is exactly the same "good"
idea as leaving Samba, Apache or any other useless service running
(provided it's useless in the particular case).
>> So now we know that you don't let laptops in.
>
> On other networks than the one mentioned above: I have no say in such
> things, above and beyond consultancy. But assume it possible and in most
> places not even far fetched ...
>
>> Which other systems can "they" possess? Your desktop systems?
>
> Probably: given some effort.
Then the system admin failed.
> But they need not even try that (just
> crosslink a laptop to one desktop system's NIC, fail a login on it,
> logging the results on the laptop, spoof their settings to those and
> connect it to the network - and this is only if they'd even care about
> going undetected.)
As I said, there are no laptops. Laptops are left at the entrance.
The netadmin should provide a clear and enforceable policy.
>> Do you give to workstation user root access to that workstation?
>
> What's with all the personal questions? They're irrelevant to the
> discussion as far as I'm concerned.
Right. I've put you in my sights just because it's easier for me to form
a sentence (at the language level; I don't speak English natively).
Nothing personal. I apologize if you feel offended.
>> I don't think so.
>
> In providing NIS services one implicitly trusts this to be so. Other
> systems, providing similar functionality, take into account that the
> alternative could conceivably be the case, if only for a small
> timeframe, protecting assets even from legitimate users with local root
> access on client machines (say tech support admins.)
Serving root through any directory service isn't too smart, I think.
One might intercept the messages exchanged in the authentication
procedure and crack the root password offline. I can hardly imagine a
situation _requiring_ the root account to be served through a DS.
>> Can you explain then, how your user could get administrative rights?
>
> Read above (of course there are more ways to skin a cat, use your
> imagination.) You can tunnel/wrap/firewall/whatever, sure, that's not my
> point. The point though is: NIS doesn't safely account for the possibility...
Of course it doesn't. It wasn't designed to address these possibilities
(NIS+ reportedly was, but there are no NIS+ servers for Linux out there).
It's just a property of NIS. But it is not a security flaw in itself. The
flaw is not taking this NIS property into account. I suppose both of us
can agree with that.
--
Feel free to correct my English
Stanislaw Klekot
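The risk Stanislaw points at above (a root account, with its password hash, handed out by NIS and cracked offline) is something an admin can check for in the map itself. Added example, not from the thread or from any NIS implementation: a Python audit of a passwd-map dump that flags UID-0 entries and exported hashes; it assumes the input is `ypcat passwd` output and the sample map below is constructed.

```python
# Added example (not from the thread): audit a NIS passwd map dump for entries
# a directory service should never serve. Input is passwd(5) format as returned
# by `ypcat passwd`; SAMPLE_MAP below is constructed data.
import re

SAMPLE_MAP = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:$6$c0nstructed$F4k3Sha512CryptValueOnlyForThisExample0123456789abcdefghijkl:1002:100:Bob:/home/bob:/bin/bash
root:ab8jBx9.Wm3Zk:0:0:root:/root:/bin/bash
toor:$1$c0nstruc$F4k3Md5CryptValue00000:0:0:alt root:/root:/bin/sh
svc:*:1003:100:Service:/nonexistent:/sbin/nologin
"""

LOCKED = {"x", "*", "!", "!!", ""}   # placeholders: nothing to crack
WEAK = {"descrypt", "md5crypt"}       # cheap to brute-force offline

def hash_type(pw_field: str) -> str:
    """Classify a passwd(5) password field by its crypt(3) prefix."""
    if pw_field in LOCKED:
        return "none"
    for prefix, name in (("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
                         ("$1$", "md5crypt")):
        if pw_field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_field):
        return "descrypt"
    return "unknown"

def audit_passwd_map(text: str) -> list:
    """Return (line, user, issue) triples for every risky map entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0":
            # UID 0 in the map: the directory, not the host, decides who is root.
            findings.append((lineno, user, "uid0-served"))
        htype = hash_type(pw)
        if htype != "none":
            # Any client or sniffer can dump this field and crack it offline.
            findings.append((lineno, user, "hash-exported:" + htype))
            if htype in WEAK:
                findings.append((lineno, user, "weak-hash:" + htype))
    return findings
```

A clean map yields no findings: every entry has a non-zero UID and a placeholder in the password field, with real hashes kept in a shadow map or on the hosts.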