Date: Wed, 03 Nov 1999 08:31:32 -0600
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Greg Lewis <glewis@trc.adelaide.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Security and NIS - alternatives?
Message-ID: <3.0.3.32.19991103083132.01b5fa50@207.227.119.2>
In-Reply-To: <199911030811.SAA29824@ares.maths.adelaide.edu.au>

At 06:41 PM 11/3/99 +1030, Greg Lewis wrote:
>Hi all,
>
>I am about to undertake setting up a number of FreeBSD workstations and
>have been reading up on NIS in the FreeBSD man pages. Statements like the
>following in yp(4) concern me somewhat:
>
>     While these enhancements provide better security than stock NIS, they are
>     by no means 100% effective. It is still possible for someone with access
>     to your network to spoof the server into disclosing the shadow password
>     maps.
>
>I have noted the steps which can be taken to provide better security than
>standard, but the fact that holes remain is a concern. I also note that
>NIS+ doesn't appear to be currently supported.
>
>This is not meant to be a complaint, I simply wish to ask if there is a
>more secure alternative? I'd like one where passwords were not sent over
>the network except via something like SSL or an ssh tunnel.

Or run a separate network for passing NIS information and block NIS queries
on the "primary" network visible to the world. Could do the same for other
services as well.

And there is the ever popular do-not-allow-shell-accounts method, but your
mention of workstations limits either of these solutions.

Have you considered SKIP?

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message