[1502] in bugtraq
Obtaining NIS domainname from Gatorbox
daemon@ATHENA.MIT.EDU (Dennis Glatting)
Sun Apr 16 06:38:26 1995
Date: Sat, 15 Apr 1995 22:18:48 -0700
From: Dennis Glatting <dennisg@CyberSAFE.COM>
To: To:@btw.CyberSAFE.COM, tfs@vampire.science.gmu.edu
Cc: bugtraq@fc.net
Reply-To: dpg@CyberSAFE.COM
> From: Tim Scanlon <tfs@vampire.science.gmu.edu>
> Date: Thu, 13 Apr 95 20:21:33 -0400
> 
> der Mouse wrote:
> 
> > > Maybe a good reason to join the crowd and not run NIS?
> >
> > I wish.  It's clear to me that NIS is a big problem.  But what else is
> > out there?  We have a definite need to share passwd databases across
> > many machines, from multiple vendors, none of which we have source
> > code to.  How close to a solution can we get?
> 
> There's also NeXT Inc's Netinfo. It's been ported to all
> sorts of other platforms by a company called xedoc.com (I
> think it's xedoc.com.au, as they're down under.) I would
> reccomend taking a serious look at it as an alternate. It
> has more security to it than standard NIS hands down. And
> it's a hell of alot easier to administer than either NIS or
> NIS+, and is far, far more flexible. 
> 
> I've worked extensivly with both, and allthough I will
> readily admit I prefer the NeXT GUI and other aspects of it
> over SunOS, I'm still objective enough to realize that
> there are areas an applications where on OS is going to be
> better than another for certain things. (Like if I'm
> going to do graphics, I'd prefer an SGI over most anything
> else out there) Basicly what I'm trying to say is while I
> belive I'm being very, very objective about my opinions
> on it, don't take my word for it, check it out on your own in
> depth. 
> 
> By no means is it "NIS" but it performs all the same
> functions, plus alot more. I think there may be aspects of
> NIS+ that might be a bit better, like encrypted transfer
> of password maps, but I havn't had the same level of
> experience with NIS+ so I don't want to get into
> comparison there. 
> 
> I would reccomend it completly as being worthy of serious
> consideration as an alternate to NIS, especially in a
> multivendor enviornment that would preclude running
> NIS+ at all or easily. The Xedoc product supports a wide
> variety of vendors systems too. So that's a big plus. 
> 
> One of the best things I can say for it is, I've never heard
> of anyone using, making, or otherwise grabbing a
> password map from netinfo from a totaly alien machine...
> If anyone's heard of this being done, I'd love to hear how &
> under what circumstances. I'm not saying it's not
> possible, but I've seen netinfo frustrate more than one
> hacker, even when they got on a machine using it via other
> means. 
> 
NetInfo isn't as secure as you think. 
-dpg