Bugtraq mailing list archives

Re: Replacement for NIS? (was Re: Obtaining NIS domainname from


From: J.S.Peatfield () damtp cam ac uk (Jon Peatfield)
Date: Sat, 15 Apr 1995 16:35:13 +0100


One's own domainname, nothing.  But someone else knowing your
domainname gives that someone a significant edge when it comes to
breaking in to your machines.

Given the more recent versions of ypserv I don't see any major security
problems left with YP, i.e. the patches which Sun (at least, and maybe HP if
you believe their docs) produced which tell a ypserv and portmapper which
machines they should talk to.

Back before these patches one could extract yp maps from a random domain using
ypxfer, or hand-written code, but this no longer works with the newer code.

If there are other security holes left please enlighten me.

Is there a "better" NIS [...]

I'd be interested in hearing about any such.  I'm almost ready to try
my hand at writing one myself, but so far the perceived need has not
yet been sufficient to make me allocate the time.

A good starting point might be the 386/BSD, Linux YP implementation.  Since
the source is available you can add whatever security measures you like to it.
I'm not sure if their ypserv/ypbind are drop-in replacements for the ONC
versions (e.g. if the file format etc. are the same), but it shouldn't be too
hard to check.

  -- Jon Peatfield  (DAMTP, unix network admin)


