[OpenAFS] Distributing passwd
Derek Atkins
derek@ihtfp.com
12 Jun 2003 14:22:46 -0400
Stephen Joyce <stephen@physics.unc.edu> writes:
> On 11 Jun 2003, Derek Atkins wrote:
>
> > > It would be wise to think twice (or more!) before deploying NIS due to
> > > security concerns.
> >
> > Ok, what security concerns? The encrypted password isn't stored there
> > (we use Kerberos) -- you can just put a '*' in there. So, what
> > particular concerns about NIS are you worried about?
>
> NIS is notorious (infamous?) for being insecure. True, many of the
> vulnerabilities seem to have been fixed, and many were related to the
> ability to obtain dumps of the entire database for cracking... but not all
> if I recall. I seem to remember one that made it (almost) trivial to
> compromise a client by impersonating the nis master, and more than a couple
> of documented DOS vulnerabilities against the nis server process
> (Disclaimer: I haven't used NIS in awhile, so if this is no longer true,
> apologies to the NIS advocates).
Umm, I think _ALL_ of these have to do with storing the encrypted
password entry in the NIS database. As I said, we're using Kerberos
for authentication so you can leave the password entry as "None"
(e.g. '*' or 'x') in NIS... So, iterating over the NIS map doesn't
help you (no passwords to crack). You can't compromise a client
(again, we use Kerberos for authentication, not NIS)... So you still
have not provided any reasons not to use NIS for _account_
information.
> > > Have you considered simply storing master copies of your passwd, group,
> > > hosts files, etc in AFS and having each client regularly update its local
> > > copy from the master?
> >
> > Ok, how is this any more secure than NIS? Your client isn't authenticating
> > or encrypting this traffic any more than NIS is.
>
> There are options, from simply using IP-based acls (almost worthless, I
> know) to having the client script authenticate using a key stored on disk
> (only slightly better)... and unless I'm mistaken OpenAFS can be made to
> encrypt traffic (as can cfengine with some effort).
You can only encrypt AFS traffic if you have a valid token. This
requires obtaining a token from a keytab stored on the machine. That
in turn implies all machines are keyed, and you cannot have a
"dataless client" workstation.
> It seems to me that for a small site, managing the files would be easier
> than setting up NIS; large sites should probably consider ldap--it seems to
> be what most of the unix vendors are pushing this week. But of course,
> there's not a one-size-fits-all solution.
I don't know. NIS is pretty easy to set up -- certainly MUCH easier
than setting up LDAP, and easier to configure than pulling (or
pushing) files out to all your machines. Editing a few files and then
doing "cd /var/nis; make" is pretty damn easy, IMHO. As I mentioned
earlier if you're using Kerberos for authentication then you've
eliminated the vast majority of the security problems with NIS.
> Just my opinion. Thanks.
Just my (expert?) opinion...
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
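The argument above rests on one condition: the NIS passwd map must not carry crypt(3) hashes, only placeholders such as '*' or 'x', so that `ypcat passwd` yields nothing to crack. The following audit script is an added example (not code from the thread or from OpenAFS) that checks exactly that. It parses passwd(5)-format lines as `ypcat passwd` emits them, classifies the password field of each entry, and reports accounts that still expose hash material or that have an empty password field. The sample map embedded in the script is constructed for illustration; the account names, hashes and paths in it are not real.

```python
#!/usr/bin/env python3
"""Audit a NIS passwd map for crackable password material.

Added example, not part of the original mailing-list thread. Feed it the
output of `ypcat passwd` on stdin (argument "-"), or run it without
arguments to audit the constructed SAMPLE_MAP below.
"""
import re
import sys

# Traditional DES crypt: 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$... (md5crypt, bcrypt, sha256/512crypt, yescrypt).
MCF_RE = re.compile(r"^\$[0-9a-z]+\$[^:]+$")


def classify_passwd_field(pw: str) -> str:
    """Classify the second field of a passwd(5) line.

    Returns one of:
      "empty"    - no password at all; anything consulting NIS logs in freely
      "shadowed" - 'x': hash lives elsewhere (a NIS shadow map would need
                   the same audit, but this map itself leaks nothing)
      "hash"     - crypt(3) material visible to anyone who can ypcat the map
      "locked"   - '*', '!', '*NP*', '*LK*' and friends: nothing to crack
      "unknown"  - something else; look at it by hand
    """
    if pw == "":
        return "empty"
    if pw == "x":
        return "shadowed"
    # A leading '!' only locks the account; the hash behind it is still
    # present and still crackable, so strip it before testing for a hash.
    body = pw.lstrip("!")
    if DES_RE.match(body) or MCF_RE.match(body):
        return "hash"
    if pw.startswith(("*", "!")):
        return "locked"
    return "unknown"


def audit_passwd_map(text: str) -> dict:
    """Return {"empty": [...], "hash": [...], "unknown": [...]} of usernames.

    Raises ValueError on a line that is not a 7-field passwd(5) record.
    """
    findings = {"empty": [], "hash": [], "unknown": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw = fields[0], fields[1]
        kind = classify_passwd_field(pw)
        if kind in findings:
            findings[kind].append(name)
    return findings


# Constructed sample of `ypcat passwd` output. Hashes are made-up strings
# shaped like real ones; none corresponds to a real account or password.
SAMPLE_MAP = """\
alice:*:1001:100:Alice Example:/afs/example.org/user/alice:/bin/bash
bob:x:1002:100:Bob Example:/afs/example.org/user/bob:/bin/tcsh
carol:$1$ab/cdEfg$Hij0kLmnOpQrStUvWxYz1:1003:100:Carol Example:/home/carol:/bin/sh
dave:!$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ:1004:100:Dave Example:/home/dave:/bin/false
eve:XyZ1234abcd./:1005:100:Eve Example:/home/eve:/bin/sh
guest::1006:100:Guest Account:/tmp:/bin/sh
"""


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_MAP
    result = audit_passwd_map(data)
    for kind, label in (("hash", "hash exposed"),
                        ("empty", "empty password field"),
                        ("unknown", "unrecognised password field")):
        for user in result[kind]:
            print(f"{label}: {user}")
    if not any(result.values()):
        print("ok: no crackable or empty password fields in this map")
    sys.exit(1 if result["hash"] or result["empty"] else 0)
```

Run as `ypcat passwd | python3 nis_passwd_audit.py -` (the filename is an assumption) on a Kerberos-authenticated site; a clean map exits 0 with no findings. On the constructed sample it reports carol, dave and eve as exposing hashes (dave's is locked with a leading '!' but the hash is still there) and guest as having an empty password field, which is the failure mode the thread's argument assumes you have ruled out.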