Re: overcome NIS

On 04.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
> On Sun, 04 Dec 2005 00:54:03 +0000, Stachu 'Dozzie' K. wrote:
>> On 03.12.2005, Menno Duursma <menno@xxxxxxxxxxx> wrote:
>>> On Sat, 03 Dec 2005 22:05:08 +0000, John Thompson wrote:
>> Do you really let laptops into your internal network?
> Well, the only network I own is my home LAN and yes, I have a laptop.
>> Or maybe you connect your wireless network with the stationary
>> network via a bridge/switch?
> Wouldn't this effectively make it /one/ network above the media level?
>> This _is_ a serious design flaw.
> ???

We're talking about networks where NIS can do some work, that is,
networks requiring some directory services, aren't we? Otherwise NIS is
an unnecessary service and leaving it running is exactly the same "good"
idea as leaving Samba, Apache or any other useless service running
(provided it's useless in the particular case).

>> So now we know that you don't let laptops in.
> On other networks than the one mentioned above: I have no say in such things,
> above and beyond consultancy. But assume it possible, and in most places
> not even far-fetched ...
>> Which other systems can "they" possess? Your desktop systems?
> Probably, given some effort.

Then the system admin failed.

> But they need not even try that (just
> crosslink a laptop to one desktop system's NIC, fail a login on it,
> logging the results on the laptop, spoof their settings to those and connect
> it to the network - and this is only if they'd even care about going undetected.)

As I said, there are no laptops. Laptops are left at the entrance.
The netadmin should provide a clear and enforceable policy.

>> Do you give the workstation user root access to that workstation?
> What's with all the personal questions? They're irrelevant to the discussion
> as far as I'm concerned.

Right. I've been addressing you directly just because it's easier for me
to form a sentence that way (at the language level; I don't speak English
natively). Nothing personal. I apologize if you feel offended.

>> I don't think so.
> In providing NIS services one implicitly trusts this to be so. Other
> systems providing similar functionality take into account that the
> alternative possibility could conceivably be the case, if only for a small
> timeframe, protecting assets even from legitimate users with local root access
> on client machines (say, tech support admins.)

Serving root through any directory service isn't too smart, I think.
One might try to intercept the messages exchanged in the authentication
procedure and crack the root password offline. I can hardly imagine a
situation _requiring_ the root account to be served through a DS.

>> Can you explain then, how your user could get administrative rights?
> Read above (of course there are more ways to skin a cat, use your
> imagination.) You can tunnel/wrap/firewall/whatever, sure, that's not my
> point. The point though is: NIS doesn't safely account for the possibility...

Of course it doesn't. It wasn't designed to address these possibilities
(NIS+ reportedly was, but there are no NIS+ servers for Linux out there).
It's just a property of NIS. But it is not a security flaw in itself. The flaw
is not taking this NIS property into account. I suppose both of us
can agree with that.

Feel free to correct my English
Stanislaw Klekot
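The two risks argued over in this thread (a UID-0 account being served by NIS at all, and the passwd map handing its hash to any host that can bind to the server) can be checked from a dump of the map. The following audit script is an added example, not code from the original post or from any NIS implementation. It assumes the map is in the colon-separated passwd(5) layout that `ypcat passwd` prints; the sample map and its hash strings are constructed placeholders, and the finding names and `NOT_A_HASH` marker set are the example's own choices.

```python
# Added example (not from the original thread): audit a NIS passwd map dump
# for two conditions discussed above: any UID-0 account served via NIS, and
# any entry whose password field carries a hash that every NIS client can
# read and attack offline. The sample map below is constructed to imitate
# the passwd(5) layout that `ypcat passwd` prints.
from dataclasses import dataclass
from typing import Dict, List

# Password-field values that are placeholders or lock markers, not hashes.
NOT_A_HASH = {"", "x", "*", "!", "!!", "*NP*", "*LK*"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_map(text: str) -> List[PasswdEntry]:
    """Parse passwd(5)-style lines; blank lines and '#' comments are skipped."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd_map(entries: List[PasswdEntry]) -> Dict[str, List[str]]:
    """Group account names by finding. Any UID 0, not just 'root', counts:
    an alias with UID 0 is root-equivalent on every client."""
    findings: Dict[str, List[str]] = {
        "uid0_served_via_nis": [],
        "hash_exposed_in_map": [],
    }
    for e in entries:
        if e.uid == 0:
            findings["uid0_served_via_nis"].append(e.name)
        if e.passwd not in NOT_A_HASH:
            findings["hash_exposed_in_map"].append(e.name)
    return findings


# Constructed sample map; the hash strings are placeholders, not real hashes.
SAMPLE_MAP = """\
# constructed stand-in for the output of `ypcat passwd`
root:$6$constructed$placeholderhash:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
operator:*:11:0:operator:/root:/sbin/nologin
alice:$1$constructed$placeholderhash:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample map."""
    return audit_passwd_map(parse_passwd_map(SAMPLE_MAP))


if __name__ == "__main__":
    for finding, names in audit_sample().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

On the sample, `root` and `toor` are flagged as UID-0 accounts served by NIS, and `root` and `alice` as entries whose hash is readable by every client; `bob` and `operator` carry only placeholder markers. Against a real map, replace `SAMPLE_MAP` with the captured `ypcat passwd` output.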
