On Thu, 2021-10-28 at 10:28 -0400, Frank Ch. Eigler wrote: > Stephen John Smoogen <smo...@gmail.com> writes: > > > Mainly because it is the authentication service equivalent of > > telnet**. Very simple to set up, very simple to use, and very easy to > > steal all the information about logins, users, and setups. [...] > > ... well, compared to what? LDAP commonly distributes crypttext > passwords and databases with about the same amount of discernment and > theft-enablement as ypserv. Plaintext as in telnet makes an appearance > nowhere but with yppasswd, AFAIK, which is nonessential.
LDAP is normally deployed on a secure channel (TLS or GSSAPI), that the client can cryptographically check. NIS is a clear text protocol that can be trivially MitMed to provide arbitrary information to the target system. Also generally LDAP *does not* in fact distribute passwords, most systems use the LDAP Bind operation to test a password and the LDAP server does *not* provide access to password hashes. I thin k it is legitimate to question whether it is yet time to drop this obsolete protocol (NIS) on backwards compatibility grounds. But on security grounds it is indefensible, don't go there. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
