[OpenAFS] Distributing passwd

Stephen Joyce stephen@physics.unc.edu
Wed, 11 Jun 2003 22:00:43 -0400 (EDT)


On 11 Jun 2003, Derek Atkins wrote:

> > It would be wise to think twice (or more!) before deploying NIS due to
> > security concerns.
>
> Ok, what security concerns?  The encrypted password isn't stored there
> (we use Kerberos) -- you can just put a '*' in there.  So, what
> particular concerns about NIS are you worried about?

NIS is notorious (infamous?) for being insecure.  True, many of the
vulnerabilities seem to have been fixed, and many were related to the
ability to obtain dumps of the entire database for cracking... but not all
if I recall.  I seem to remember one that made it (almost) trivial to
compromise a client by impersonating the NIS master, and more than a couple
of documented DoS vulnerabilities against the NIS server process
(Disclaimer: I haven't used NIS in a while, so if this is no longer true,
apologies to the NIS advocates).

> > Have you considered simply storing master copies of your passwd, group,
> > hosts files, etc in AFS and having each client regularly update its local
> > copy from the master?
>
> Ok, how is this any more secure than NIS?  Your client isn't authenticating
> or encrypting this traffic any more than NIS is.

There are options, from simply using IP-based acls (almost worthless, I
know) to having the client script authenticate using a key stored on disk
(only slightly better)... and unless I'm mistaken OpenAFS can be made to
encrypt traffic (as can cfengine with some effort).

It seems to me that for a small site, managing the files would be easier
than setting up NIS; large sites should probably consider ldap--it seems to
be what most of the unix vendors are pushing this week.  But of course,
there's not a one-size-fits-all solution.

Just my opinion.  Thanks.

> -derek
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
>

Cheers,
Stephen
--
Stephen Joyce
Systems Administrator                                            P A N I C
Physics & Astronomy Department                         Physics & Astronomy
University of North Carolina at Chapel Hill         Network Infrastructure
voice: (919) 962-7214                                        and Computing
fax: (919) 962-0480                               http://www.panic.unc.edu
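The client-side update script Stephen sketches above, written out as an added example that is not part of the original thread or of OpenAFS. It pulls a master copy of passwd and group from an AFS directory, refuses a file that is empty, malformed or missing a uid/gid 0 root entry (a truncated or tampered master must never be installed), and replaces the local copy with an atomic rename so a concurrent reader never sees a half-written file. The AFS path, the file name and the `SYNC_NOW` switch are assumptions; the AFS ACL on the master directory and the token the client runs with are what give the copy its integrity, and nothing in the script itself adds authentication.

```shell
#!/bin/sh
# Added example, not from the original thread: pull master passwd/group
# from AFS and install them locally. The path below is an assumption.
MASTER_DIR="${MASTER_DIR:-/afs/example.org/admin/etc}"

# sanity_check FILE KIND
# Return 0 only if FILE is non-empty, every line has the field count
# expected for KIND (7 for passwd, 4 for group), and a root entry with
# id 0 is present. Anything else is refused rather than installed.
sanity_check() {
    file=$1; kind=$2
    [ -s "$file" ] || return 1
    case "$kind" in
        passwd) fields=7 ;;
        group)  fields=4 ;;
        *)      return 1 ;;
    esac
    awk -F: -v n="$fields" '
        NF != n              { bad = 1; exit }
        $1 == "root" && $3 == 0 { root = 1 }
        END                  { exit (bad || !root) }
    ' "$file"
}

# install_file MASTER DEST KIND
# Copy MASTER to a temp file in DEST's directory, fix the mode, then
# rename over DEST. Returns 0 if installed, 2 if DEST already matched,
# 1 if MASTER was unreadable or failed sanity_check (DEST untouched).
# In production add chown root:root on the temp file before the mv.
install_file() {
    master=$1; dest=$2; kind=$3
    sanity_check "$master" "$kind" || return 1
    if [ -f "$dest" ] && cmp -s "$master" "$dest"; then
        return 2
    fi
    tmp=$(mktemp "$(dirname "$dest")/.${kind}.XXXXXX") || return 1
    if cp "$master" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# sync_all: update /etc/passwd and /etc/group from MASTER_DIR, logging
# the outcome per file. Exits non-zero if any master was rejected.
sync_all() {
    status=0
    for kind in passwd group; do
        install_file "$MASTER_DIR/$kind" "/etc/$kind" "$kind"
        case $? in
            0) echo "$kind: updated from $MASTER_DIR" ;;
            2) echo "$kind: unchanged" ;;
            *) echo "$kind: master rejected, local copy kept" >&2; status=1 ;;
        esac
    done
    return $status
}

# Only run against the real /etc when explicitly asked (assumed switch),
# so the file can also be sourced and its functions tested in isolation.
if [ "${SYNC_NOW:-}" = 1 ]; then
    sync_all
fi
```

Run it from cron as `SYNC_NOW=1 sh sync-passwd.sh` on each client, with the client holding a token (or running under an IP-based ACL, with the weakness Stephen notes) that can read `MASTER_DIR`. Keep the master's password field as `*` or `x`, as Derek suggests, so the file carries no secrets even if the transport is not encrypted.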