[949] in linux-security and linux-alert archive


Re: [linux-security] Alternative to NIS

daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Wed Jul 24 06:42:47 1996

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: boyd@interdim.com (Eric M. Boyd)
Date: Tue, 23 Jul 1996 21:10:59 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.94.960722170759.2806B-100000@insanity.interdim.com> from "Eric M. Boyd" at Jul 22, 96 05:09:29 pm

You (Eric M. Boyd) wrote:
> 
> [REW: NIS uses the "domainname" as a kind of password. Anybody from 
> the whole internet who knows this can access your password file. Take
> care not to choose something like "my.dns.domain.name". What complicates
> the issue is that it is broadcast over your ethernet segment during
> normal operation.]

Not entirely true. Every decent NIS server allows for a "securenets" file
in which you can tell it which nets to trust. In our case, only the lower IP
numbers of our local class C (1-63) will get a reply from the NIS server; all
others just can't talk to it.

There are some more tricks you should use, such as blocking access to the
portmapper on the router and running a secure portmapper (Wietse Venema's).

Mike.
-- 
  Miquel van    | Cistron Internet Services   --    Alphen aan den Rijn.
  Smoorenburg,  | mailto:info@cistron.nl          http://www.cistron.nl/
miquels@het.net | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)
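
[Added example, not part of the original message: a small audit of a securenets-style access list like the one described above. It assumes the "netmask network" line layout read by ypserv; the sample file and the 192.0.2.0 documentation network are constructed, and the function names are hypothetical.]

```python
import ipaddress

# Constructed sample in the assumed "netmask network" layout; 192.0.2.0 is a
# documentation range standing in for the local class C, not from the post.
SAMPLE_SECURENETS = """\
# always allow the server itself
255.255.255.255 127.0.0.1
# lower quarter of the class C: mask .192 covers addresses .0 through .63
255.255.255.192 192.0.2.0
"""

def parse_securenets(text):
    """Return one IPv4Network per 'netmask network' line, skipping comments."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask network'")
        mask, net = fields
        # strict=True rejects an entry whose network has bits set outside
        # the mask, which usually means the mask or the address is a typo.
        nets.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=True))
    return nets

def is_allowed(client, nets):
    """True if the client address falls inside any trusted network."""
    addr = ipaddress.IPv4Address(client)
    return any(addr in n for n in nets)

def too_broad(nets, min_prefix=24):
    """Entries wider than min_prefix, i.e. trusting more than one class C."""
    return [n for n in nets if n.prefixlen < min_prefix]

if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    for client in ("192.0.2.10", "192.0.2.63", "192.0.2.64", "198.51.100.7"):
        verdict = "reply" if is_allowed(client, nets) else "no reply"
        print(f"{client:15} {verdict}")
    print("over-broad entries:", too_broad(nets))
```
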

