[1505] in bugtraq
Re: Replacement for NIS? (was Re: Obtaining NIS domainname from
daemon@ATHENA.MIT.EDU (Jon Peatfield)
Sun Apr 16 14:34:33 1995
To: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
Cc: jp107@damtp.cam.ac.uk, bugtraq@fc.net
In-Reply-To: Your message of "Wed, 12 Apr 1995 19:03:32 EDT."
<199504122303.TAA12299@Collatz.McRCIM.McGill.EDU>
Date: Sat, 15 Apr 1995 16:35:13 +0100
From: Jon Peatfield <J.S.Peatfield@damtp.cam.ac.uk>
> One's own domainname, nothing. But someone else knowing your
> domainname gives that someone a significant edge when it comes to
> breaking in to your machines.
Given the more recent versions of ypserv I don't see any major security
problems left with YP. i.e the patches which Sun (at least, and maybe HP if
you believe their docs) produced which tells a ypserv and portmapper which
machines they should talk to.
Back before these patches one could extract yp maps from a random domain using
ypxfer, or hand written code but this no longer works with the newer code.
If there are other security hole left please enlighten me.
> > Is there a "better" NIS [...]
>
> I'd be interested in hearing about any such. I'm almost ready to try
> my hand at writing one myself, but so far the perceived need has not
> yet been sufficient to make me allocate the time.
A good starting point might be the 386/BSD, Linux YP implementation. Since
the source is available you can add whatever security measures you like to it.
I'm not sure if their ypserv/ypbind are drop-in replacements for the ONC
versions, (e.g. if the file formatt etc are the same), but it shouldn't be too
hard to check.
-- Jon Peatfield (DAMTP, unix network admin)
