LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-21-2011, 01:06 AM   #1
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Rep: Reputation: 38
Security of NIS map files


I have setup a slave NIS server on a laptop. Now I am concerned of the security of the NIS map files in /var/yp/<nisdomain> dir.

If the laptop gets lost and falls in the wrong hands, is it possible to reverse engineer the NIS map files in /var/yp/<nisdomain> and get the user credentials as they reside in /etc/passwd and /etc/shadow?

What other information is possible to retrieve from the NIS map files?
 
Old 03-23-2011, 05:26 AM   #2
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260Reputation: 260Reputation: 260
It's the same like having access to /etc/passwd and /etc/shadow. Just use an editor and peek inside the map files.

Why are you running a NIS slave on a laptop?
 
Old 03-23-2011, 05:31 AM   #3
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Original Poster
Rep: Reputation: 38
The map files are actually non-text files. Anyway, you can actually ypcat to get all the info. So there is a certain amount of risk.

I am running NIS slave on the laptop for offline authentication. The other alternatives I see are caching auth data or local user.
 
Old 03-23-2011, 06:05 AM   #4
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260Reputation: 260Reputation: 260
When i use:
Code:
$ vi /var/yp/foobar/shadow.byname
I can clearly see the information when scrolling to the end.
 
Old 03-29-2011, 08:53 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,397

Rep: Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777
NIS is a very old protocol, & was designed to be clear-text. Later, SUN provided a new similar tool NIS+ to handle the same stuff, but encrypted. HOWEVER, by that time most people had moved onto LDAP, which can also be clear text or encrypted.
There's a good LDAP howto (inc TLS ) here http://www.linuxhomenetworking.com/w...DAP_and_RADIUS.
You can ignore the RADIUS section.
 
Old 03-29-2011, 09:08 PM   #6
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by chrism01 View Post
NIS is a very old protocol, & was designed to be clear-text. Later, SUN provided a new similar tool NIS+ to handle the same stuff, but encrypted. HOWEVER, by that time most people had moved onto LDAP, which can also be clear text or encrypted.
There's a good LDAP howto (inc TLS ) here http://www.linuxhomenetworking.com/w...DAP_and_RADIUS.
You can ignore the RADIUS section.
Thanks. Yes, NIS is really an old protocol. However, some of our systems are stilling running NIS.
 
Old 03-30-2011, 08:21 PM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,397

Rep: Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777Reputation: 2777
You have my sympathy. I think even on Solaris these days most people would prob use LDAP+TLS rather than NIS+.
Good Luck
 
Old 03-30-2011, 08:38 PM   #8
the_gripmaster
Member
 
Registered: Jul 2004
Location: VIC, Australia
Distribution: RHEL, CentOS, Ubuntu Server, Ubuntu
Posts: 364

Original Poster
Rep: Reputation: 38
Quote:
Originally Posted by chrism01 View Post
You have my sympathy. I think even on Solaris these days most people would prob use LDAP+TLS rather than NIS+.
Good Luck
Ours are running AIX 5.x
 
  


Reply

Tags
nis security laptop slave


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
NIS map update issue. UltraSoul Solaris / OpenSolaris 1 07-04-2007 11:33 AM
Replicating user security definitions with NIS blur AIX 14 03-10-2006 01:19 PM
NIS and Security jhp Linux - Networking 1 10-11-2005 07:24 AM
Maximun NIS Map number for automount jeanpba Linux - Networking 0 02-25-2005 03:26 AM
samba - map winbind users to nis uids and gids bkurnik Linux - Networking 0 09-20-2004 06:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration