LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Security of NIS map files (https://www.linuxquestions.org/questions/linux-security-4/security-of-nis-map-files-869908/)

the_gripmaster 03-21-2011 02:06 AM

Security of NIS map files
 
I have setup a slave NIS server on a laptop. Now I am concerned of the security of the NIS map files in /var/yp/<nisdomain> dir.

If the laptop gets lost and falls in the wrong hands, is it possible to reverse engineer the NIS map files in /var/yp/<nisdomain> and get the user credentials as they reside in /etc/passwd and /etc/shadow?

What other information is possible to retrieve from the NIS map files?

Reuti 03-23-2011 06:26 AM

It's the same like having access to /etc/passwd and /etc/shadow. Just use an editor and peek inside the map files.

Why are you running a NIS slave on a laptop?

the_gripmaster 03-23-2011 06:31 AM

The map files are actually non-text files. Anyway, you can actually ypcat to get all the info. So there is a certain amount of risk.

I am running NIS slave on the laptop for offline authentication. The other alternatives I see are caching auth data or local user.

Reuti 03-23-2011 07:05 AM

When i use:
Code:

$ vi /var/yp/foobar/shadow.byname
I can clearly see the information when scrolling to the end.

chrism01 03-29-2011 09:53 PM

NIS is a very old protocol, & was designed to be clear-text. Later, SUN provided a new similar tool NIS+ to handle the same stuff, but encrypted. HOWEVER, by that time most people had moved onto LDAP, which can also be clear text or encrypted.
There's a good LDAP howto (inc TLS ) here http://www.linuxhomenetworking.com/w...DAP_and_RADIUS.
You can ignore the RADIUS section.

the_gripmaster 03-29-2011 10:08 PM

Quote:

Originally Posted by chrism01 (Post 4308069)
NIS is a very old protocol, & was designed to be clear-text. Later, SUN provided a new similar tool NIS+ to handle the same stuff, but encrypted. HOWEVER, by that time most people had moved onto LDAP, which can also be clear text or encrypted.
There's a good LDAP howto (inc TLS ) here http://www.linuxhomenetworking.com/w...DAP_and_RADIUS.
You can ignore the RADIUS section.

Thanks. Yes, NIS is really an old protocol. However, some of our systems are stilling running NIS.

chrism01 03-30-2011 09:21 PM

You have my sympathy. I think even on Solaris these days most people would prob use LDAP+TLS rather than NIS+.
Good Luck
:)

the_gripmaster 03-30-2011 09:38 PM

Quote:

Originally Posted by chrism01 (Post 4309079)
You have my sympathy. I think even on Solaris these days most people would prob use LDAP+TLS rather than NIS+.
Good Luck
:)

Ours are running AIX 5.x


All times are GMT -5. The time now is 04:28 AM.