Re: Replacement for NIS? (was Re: Obtaining NIS domainname from

[afx () ibm de (Andreas Siegert)]

> > One's own domainname, nothing.  But someone else knowing your
> > domainname gives that someone a significant edge when it comes to
> > breaking in to your machines.
>
> Given the more recent versions of ypserv I don't see any major security 
> problems left with YP.  i.e the patches which Sun (at least, and maybe HP if 
> you believe their docs) produced which tells a ypserv and portmapper which 
> machines they should talk to.
>
> Back before these patches one could extract yp maps from a random domain using 
> ypxfer, or hand written code but this no longer works with the newer code.
>
> If there are other security hole left please enlighten me.

Any user on the legal hosts still can get encrypted passwords.
No password aging and password quality control mechanism in heterogenious
environments.
The host based access control in ypserv can be easily circumvented by adding
your own system to the local LAN and spoofing an address.

The changes sure protect against attacks from remote sites, but local security
is still very low.

bye
afx

-- 
Andreas Siegert       afx () ibm de / afx () barolo ak munich ibm com / AFX at IPNET
Every time we've moved ahead in IBM, it was because someone was willing to take
a chance, put his head on the block, and try something new - Thomas Watson, Jr.