Re: NIS password hashes fails from Redhat/Mandriva Linux
On Jan 12, 2012, at 18:32, Bichoy Waguih wrote:

> I highly appreciate your support and suggestions.
>
> -Bichoy

Disregarding the fact that your question is probably off topic, I'll try to point you in a direction that might help you. You may want to submit this to a "user" list or use a forum.

1. getent passwd returns the remote users too?
2. if not, check nsswitch.conf and other related files (PAM module config, libs/plugins etc...)
3. if yes, try login from console, ssh or su. They use different config from pam.d and they might need to be updated.
4. don't forget to check security/limits.conf

It could also be some config or binary having the wrong permissions. You would have a better idea of when this box was built and if it might have been modified. I would install on a clean machine and try from there.

Hope that helps.

--
Luis Mondesí
Re: NIS password hashes fails from Redhat/Mandriva Linux
On 01/12/12 17:32, Bichoy Waguih wrote:
> Hello Debian World,
>
> I have a small problem with Debian NIS authentication. Mainly, I have NIS
> server running on a Mandriva Linux machine and I want to configure a Debian
> machine to be a client for this NIS server.
>
> The Debian client receives the 'passwd' table correctly and I am able to check
> it with the 'ypcat' command. However, users cannot log in with their passwords
> at all (I made sure that I have the correct + records added to the end of
> /etc/passwd, /etc/shadow and /etc/group).
>
> Tracking down the problem, I tried to create a user on the Debian machine and
> its /etc/shadow record to the NIS server. The user was able to login
> correctly.
>
> I believe there are two problems with this mixing:
> 1 - Debian password hashing/shadowing algorithm is different from the one used
> by the NIS server on the old Mandriva server.

The hashing is well defined for most systems; take a look at the hashes. You can tell a lot about a hash by its size: if it's less than 10 bytes you should have everyone change their password! After that, the first few bytes should identify what type of hash it is; knowing that, you can check compatibility.

You should consider forcing Mandriva to make use of new hashing technologies, as this could be a security threat.

man crypt; # This should explain what the different options are.

Taken from Debian. Format: $id$salt$encrypted

  ID | Method
  ---|-------------------------------------------------------------------
  1  | MD5
  2a | Blowfish (not in mainline glibc; added in some Linux distributions)
  5  | SHA-256 (since glibc 2.7)
  6  | SHA-512 (since glibc 2.7)

Let us know more about your hashes for further help! 5 (IMHO) is becoming less and less secure as processor technologies increase.

> 2 - The normal user UID range for Debian is >= 1000, where the old Mandriva
> server uses >= 500.
>

One GOOD idea when using NIS/LDAP/etc is to NOT make use of default UID GID ranges for your NIS.

65000-65533: is marked as Reserved.

I'm not sure if that means these are here for you to use or if that means that these are here for Debian to make use of later. In any case map your NIS/LDAP accounts such that they don't interfere with any locally created accounts, i.e. 500++ and 1000++. Instead start your allocation at 21000 or 31000 as the 1000-5 is allocated in Debian to adduser... You can tell adduser not to use anything above 2. To make things simpler on yourself you can just add 20k to your existing NIS accounts. This will make sure adduser still functions as it should everywhere.

> Unfortunately, I need to find a work around to adjust Debian password coding
> and acceptable normal user UID range so that it can work with the old Mandriva
> Server as I am not allowed to proceed with server OS replacement at the current
> time.
>
> I highly appreciate your support and suggestions.
>
> -Bichoy
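As an added example, not code from the thread: a Python audit of the password fields in a shadow map as `ypcat` prints it, applying the reply's rules (under 10 bytes means force a password change; the `$id$` prefix names the method per the crypt table above) so a Debian client's compatibility can be checked before users try to log in. The map lines are constructed samples with fake hashes.

```python
import re

# crypt(3) $id$ values from the table in the reply above (Debian's crypt man page).
CRYPT_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
# Traditional DES crypt: exactly 13 characters from ./0-9A-Za-z and no '$'.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (method, concern) for one password field.

    `concern` is None when a Debian client can use the field as it is,
    otherwise a short reason the account needs attention before migration.
    """
    if field == "":
        return ("empty", "no password at all; force a change")
    if field == "x":
        return ("shadowed", None)            # real hash lives in the shadow map
    if field[0] in "!*":
        return ("locked", None)              # disabled account, nothing to verify
    if field.startswith("$"):
        crypt_id = field.split("$")[1]
        method = CRYPT_IDS.get(crypt_id)
        if method is None:
            return ("unknown $%s$" % crypt_id, "client glibc may not support it")
        if crypt_id == "1":
            return (method, "MD5 crypt is weak; migrate to SHA-512")
        if crypt_id == "2a":
            return (method, "not in mainline glibc; the Debian client may reject it")
        return (method, None)
    if len(field) < 10:
        return ("garbage", "under 10 bytes; have the user change their password")
    if DES_RE.match(field):
        return ("DES", "traditional crypt, 8-char limit; migrate to SHA-512")
    return ("unrecognised", "inspect by hand")


def audit_map(lines):
    """Parse 'name:hash:...' lines as ypcat prints them and return
    {name: (method, concern)}, skipping comments and +/- compat lines."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        report[parts[0]] = classify_hash(parts[1])
    return report


def accounts_needing_action(report):
    """Sorted names whose password field raised a concern."""
    return sorted(name for name, (_, concern) in report.items() if concern)


# Constructed sample shadow map; the hashes are fake and only shaped like real ones.
SAMPLE_SHADOW_MAP = """\
alice:$6$saltsalt$FakeSha512HashForExampleOnly0123456789abcdefghijklmnopqrstuvwxyzABCDEF:15000:0:99999:7:::
bob:$1$saltsalt$FakeMd5HashForExample1:15000:0:99999:7:::
carol:$2a$05$FakeBlowfishHashForExampleOnly:15000:0:99999:7:::
dave:AbCdEfGhIjKlM:15000:0:99999:7:::
erin:abc:15000:0:99999:7:::
frank::15000:0:99999:7:::
grace:!$6$saltsalt$LockedAccountHash:15000:0:99999:7:::
+::::::::
"""

if __name__ == "__main__":
    report = audit_map(SAMPLE_SHADOW_MAP.splitlines())
    for name in sorted(report):
        method, concern = report[name]
        print("%-8s %-12s %s" % (name, method, concern or "ok"))
```

On a real client, feed it `ypcat shadow` output (or `getent shadow` as root) instead of the sample.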
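A second added example (also not from the thread): check the NIS passwd map against the client's local /etc/passwd for name and UID clashes between the Mandriva 500+ and Debian 1000+ ranges, then compute the +20000 remap the reply suggests, rejecting any result that lands in the reserved 65000-65533 block or on an ID the client already uses. Both passwd files are constructed samples.

```python
LOCAL_OFFSET = 20000             # "add 20k to your existing NIS accounts" (reply above)
# 65000-65533 is marked Reserved (reply above); 65534 is nobody, 65535 the -1 sentinel.
RESERVED = range(65000, 65536)


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: (uid, gid)}, skipping comments
    and nss_compat +/- lines. Raises ValueError on a malformed entry."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users[f[0]] = (int(f[2]), int(f[3]))
    return users


def find_clashes(local, nis):
    """List (kind, nis_name, uid, local_name) for every NIS account whose
    name or UID is already taken locally by a different entry."""
    local_by_uid = {uid: name for name, (uid, _) in local.items()}
    clashes = []
    for name, (uid, _) in sorted(nis.items()):
        if name in local and local[name][0] != uid:
            clashes.append(("name", name, uid, name))
        elif uid in local_by_uid and local_by_uid[uid] != name:
            clashes.append(("uid", name, uid, local_by_uid[uid]))
    return clashes


def remap(nis, local, offset=LOCAL_OFFSET):
    """Shift every NIS UID and GID by `offset`. Returns (mapping, errors):
    mapping is {name: (new_uid, new_gid)} for accounts that are safe to move,
    errors explains each account that would land in the reserved block or on
    a UID/GID the local system already uses."""
    local_uids = {uid for uid, _ in local.values()}
    local_gids = {gid for _, gid in local.values()}
    mapping, errors = {}, []
    for name, (uid, gid) in sorted(nis.items()):
        new_uid, new_gid = uid + offset, gid + offset
        if new_uid in RESERVED or new_gid in RESERVED:
            errors.append("%s: %d/%d lands in the reserved block" % (name, new_uid, new_gid))
        elif new_uid in local_uids or new_gid in local_gids:
            errors.append("%s: %d/%d still collides with a local account" % (name, new_uid, new_gid))
        else:
            mapping[name] = (new_uid, new_gid)
    return mapping, errors


# Constructed sample: the Debian client's own /etc/passwd ...
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Local Alice:/home/alice:/bin/bash
+::::::
"""
# ... and the Mandriva server's passwd map, whose users start at UID 500.
NIS_PASSWD = """\
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:1000:1000:Carol:/home/carol:/bin/bash
"""

if __name__ == "__main__":
    local, nis = parse_passwd(LOCAL_PASSWD), parse_passwd(NIS_PASSWD)
    for clash in find_clashes(local, nis):
        print("clash:", clash)
    mapping, errors = remap(nis, local)
    print("remapped:", mapping, "errors:", errors)
```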
NIS password hashes fails from Redhat/Mandriva Linux
Hello Debian World,

I have a small problem with Debian NIS authentication. Mainly, I have a NIS server running on a Mandriva Linux machine and I want to configure a Debian machine to be a client for this NIS server.

The Debian client receives the 'passwd' table correctly and I am able to check it with the 'ypcat' command. However, users cannot log in with their passwords at all (I made sure that I have the correct + records added to the end of /etc/passwd, /etc/shadow and /etc/group).

Tracking down the problem, I tried to create a user on the Debian machine and its /etc/shadow record to the NIS server. The user was able to login correctly.

I believe there are two problems with this mixing:
1 - Debian password hashing/shadowing algorithm is different from the one used by the NIS server on the old Mandriva server.
2 - The normal user UID range for Debian is >= 1000, where the old Mandriva server uses >= 500.

Unfortunately, I need to find a workaround to adjust Debian password coding and acceptable normal user UID range so that it can work with the old Mandriva Server as I am not allowed to proceed with server OS replacement at the current time.

I highly appreciate your support and suggestions.

-Bichoy
Re: PAM/NIS problem: can't login in with NIS users
Sorry folks, it's always the same: if you've got eyes like a mole, you'd better look twice! ;-)

It's just like Daniel Barlow wrote in his diary http://ww.telent.net/diary/2003/1/ :

  and another useless error message for the collection:

  Jan 29 15:16:52 eval sshd[878]: PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.

  (In this case, it turns out to mean "when you renamed the user you're trying to ssh in as, you forgot to update the shadow file")

...so I checked /etc/shadow again and realized that there ought to be 8 (eight) '+' signs behind the colon: + I just had seven and that was causing the error. :-/
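An added check for the mistake described above (example code, not from the thread): an nss_compat '+' line must carry the same number of fields as a normal entry of that file, so shadow(5) needs eight colons, passwd(5) six and group(5) three; this validator reports a '+' line with the wrong count, and a file with no '+' line at all. The sample file contents are constructed.

```python
# Field counts from passwd(5), group(5) and shadow(5): a '+' or '-' entry must
# have the same number of fields as a normal line, i.e. one colon fewer.
FIELDS = {"passwd": 7, "group": 4, "shadow": 9}


def compat_entry(kind):
    """The catch-all nss_compat line for `kind`, e.g. '+::::::::' for shadow."""
    return "+" + ":" * (FIELDS[kind] - 1)


def check_compat_entries(kind, text):
    """Validate the +/- lines of a passwd, group or shadow file.

    Returns a list of problem strings; an empty list means the file is fine.
    A missing '+' line is reported too: with 'compat' in nsswitch.conf and
    no '+' entry, NIS is never consulted for that database.
    """
    want = FIELDS[kind]
    problems, saw_plus = [], False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        nfields = line.count(":") + 1
        if line[0] in "+-":
            saw_plus = saw_plus or line[0] == "+"
            if nfields != want:
                problems.append(
                    "line %d: %r has %d colons, %s needs %d (%s)"
                    % (n, line, nfields - 1, kind, want - 1, compat_entry(kind)))
        elif nfields != want:
            problems.append("line %d: malformed %s entry (%d fields, expected %d)"
                            % (n, kind, nfields, want))
    if not saw_plus:
        problems.append("no '+' line: NIS %s entries will never be consulted" % kind)
    return problems


# Constructed samples: the passwd entry is right, the shadow entry repeats the
# seven-colon mistake from the message above, and the group file has no '+' at all.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+::::::\n"
SAMPLE_SHADOW_BAD = "root:*:15000:0:99999:7:::\n+:::::::\n"
SAMPLE_GROUP_NO_PLUS = "root:x:0:\n"

if __name__ == "__main__":
    for kind, text in (("passwd", SAMPLE_PASSWD), ("shadow", SAMPLE_SHADOW_BAD),
                       ("group", SAMPLE_GROUP_NO_PLUS)):
        print(kind, check_compat_entries(kind, text) or "ok")
```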
Re: PAM/NIS problem: can't login in with NIS users
Jean Christophe ANDRÉ wrote:
> Hi,
>
> On Thursday 26 February 2004 at 16:34 (+0100), Christoph Pohl wrote:
>> Now 'ypdomainname' returns the correct domain and 'ypcat passwd' shows
>> our password db, but I still can't log in as one of those NIS users,
>> neither local, nor remote (SSH).
>
> Check "getent passwd" too, since it is the libc call used to find users.
> Maybe you just forgot to put "nis" in /etc/nsswitch.conf?

'getent passwd' returns a complete mixture of local and domain accounts.

I tried 2 configurations for /etc/nsswitch.conf, which both don't work:

1) (which actually works well on another box!)

  # /etc/nsswitch.conf
  passwd:     compat
  group:      compat
  shadow:     compat
  hosts:      files dns nis
  networks:   files
  protocols:  db files
  services:   db files
  ethers:     db files
  rpc:        db files
  netgroup:   nis

2) (taken from suggestions on NIS-related sites)

  # /etc/nsswitch.conf
  passwd:         compat
  group:          compat
  shadow:         compat
  passwd_compat:  nis
  group_compat:   nis
  shadow_compat:  nis
  hosts:          files nis dns
  services:       nis [NOTFOUND=return] db files
  networks:       nis [NOTFOUND=return] files
  protocols:      nis [NOTFOUND=return] db files
  rpc:            nis [NOTFOUND=return] db files
  ethers:         nis [NOTFOUND=return] db files
  netmasks:       nis [NOTFOUND=return] files
  netgroup:       nis
  bootparams:     nis [NOTFOUND=return] files
  publickey:      nis [NOTFOUND=return] files
  automount:      files
  aliases:        nis [NOTFOUND=return] files
PAM/NIS problem: can't login in with NIS users
Hi,

I've been trying to integrate a Debian unstable client into our NIS/YP domain for a couple of days now. I first tried to follow http://www.tldp.org/HOWTO/NIS-HOWTO/settingup_client.html which worked quite well for another client in the past.

Now 'ypdomainname' returns the correct domain and 'ypcat passwd' shows our password db, but I still can't log in as one of those NIS users, neither local, nor remote (SSH). /var/log/auth.log shows either this:

  Feb 26 15:15:20 xyz sshd[1860]: PAM rejected by account configuration[9]: Authentication service cannot retrieve authentication info.
  Feb 26 15:15:20 xyz sshd[1860]: fatal: monitor_read: unsupported request: 24

or that:

  Feb 26 10:45:54 xyz ssh(pam_unix)[2258]: check pass; user unknown
  Feb 26 10:45:54 xyz ssh(pam_unix)[2258]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=somehost
  Feb 26 10:45:55 xyz sshd[2258]: Failed password for user1 from 192.168.0.2 port 52973 ssh2

Kernel 2.6.3, # CONFIG_SECURITY is not set
glibc 2.3.2.ds-11
libnss-db 2.2-6.2
libpam0g 0.76-15

The config is exactly the same as on the other client that's working. I'm gradually running out of ideas and I'm desperately looking for help!

Christoph
Re: PAM/NIS problem: can't login in with NIS users
Hi,

On Thursday 26 February 2004 at 16:34 (+0100), Christoph Pohl wrote:
> Now 'ypdomainname' returns the correct domain and 'ypcat passwd' shows
> our password db, but I still can't log in as one of those NIS users,
> neither local, nor remote (SSH).

Check "getent passwd" too, since it is the libc call used to find users.
Maybe you just forgot to put "nis" in /etc/nsswitch.conf?

Best regards,
--
J.C. "プログフ" ANDRÉ <[EMAIL PROTECTED]>  http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108  Fax: +84 4 8247383  Mobile: +84 91 3248747
Personal note: please avoid sending me PowerPoint or Word files;
see http://www.fsf.org/philosophy/no-word-attachments.fr.html
Re: pam doesn't see nis
Quoting Jamie Heilman <[EMAIL PROTECTED]>:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711

Thanks for the help on the NIS problem -- it's a known bug in sid (glibc/libc6 most likely).

Sid sometimes gets mistaken for the boy next door who destroys toys, quite unfairly. He's the guy in the choir, with a very occasional spitball.

Cheers,
Peter
Re: pam doesn't see nis
* Huegesh Marimuthu ([EMAIL PROTECTED]) [030820 13:35]:
> I guess you just have to add +:: in /etc/passwd; + in
> /etc/shadow and it will be okay.

Wrong. This was even deprecated when I started using Linux in 1996. No, nis is just broken on sid. See e.g. http://bugs.debian.org/204682

To the original poster: If you want really working code, take woody. Security updates are also only for woody. It is appreciated if you help testing and bug fixing, but it is not recommended for production use. And please remember - sid is the boy next door who destroys toys.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
Re: pam doesn't see nis
I guess you just have to add +:: in /etc/passwd; + in /etc/shadow and it will be okay.

Yours sincerely,
Huegesh Marimuthu

On Wed, 20 Aug 2003, Peter Nome wrote:
>
> I've been running into a problem with NIS on Debian -- everything looks like
> it should be working, but logins fail with pam saying "user unknown".
>
> Here's an example -- I can change the password, so clearly NIS is working,
> yet at the end the login fails:
>
> [EMAIL PROTECTED]:~# yppasswd student
> Changing NIS account information for student on graywhale.
> Please enter root password:
> Changing NIS password for student on graywhale.
> Please enter new password:
> Please retype new password:
>
> The NIS password has been changed on graywhale.
>
> [EMAIL PROTECTED]:~# su student
> su: Authentication service cannot retrieve authentication info.
> (Ignored)
> [EMAIL PROTECTED]:/root$
>
> Here's what my auth.log says when I try ssh jellyfish -l student:
>
> Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: check pass; user unknown
> Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=graywhale
>
> I saw someone post the identical problem to debian-users (and receive no
> reply), so I guess it affects a number of people.
>
> Oh, and I should mention: I had this working! Late July, after the last nis
> upgrade. I did some other upgrade, no idea what, and got the problem. ypcat
> passwd and all kinds of other NIS map commands work fine.
>
> This is an updated Debian sid running nis 3.9-6.3. I'm setting this up for a
> high school lab (remotely), and we're all ready to go aside from this.
>
> Please cc me -- any suggestions much appreciated! I'm happy to supply more
> information.
>
> Cheers,
> Peter
Re: pam doesn't see nis
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=204711
pam doesn't see nis
I've been running into a problem with NIS on Debian -- everything looks like it should be working, but logins fail with pam saying "user unknown".

Here's an example -- I can change the password, so clearly NIS is working, yet at the end the login fails:

  [EMAIL PROTECTED]:~# yppasswd student
  Changing NIS account information for student on graywhale.
  Please enter root password:
  Changing NIS password for student on graywhale.
  Please enter new password:
  Please retype new password:

  The NIS password has been changed on graywhale.

  [EMAIL PROTECTED]:~# su student
  su: Authentication service cannot retrieve authentication info.
  (Ignored)
  [EMAIL PROTECTED]:/root$

Here's what my auth.log says when I try ssh jellyfish -l student:

  Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: check pass; user unknown
  Aug 20 01:02:51 jellyfish ssh(pam_unix)[21143]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=graywhale

I saw someone post the identical problem to debian-users (and receive no reply), so I guess it affects a number of people.

Oh, and I should mention: I had this working! Late July, after the last nis upgrade. I did some other upgrade, no idea what, and got the problem. ypcat passwd and all kinds of other NIS map commands work fine.

This is an updated Debian sid running nis 3.9-6.3. I'm setting this up for a high school lab (remotely), and we're all ready to go aside from this.

Please cc me -- any suggestions much appreciated! I'm happy to supply more information.

Cheers,
Peter
NIS (mis)configuration and MySQL alternative.
Hi,

I'm using NIS on my network. It's locked down as much as it can be from the outside world (ipfilter and tcp_wrappers) but I've just noticed any normal user can use ypcat to look at the shadow map and obviously be able to see other users' encrypted passwords. Although root isn't listed it's still a security risk for other users. Is it possible to stop any normal user from viewing the shadow map, via ypcat?

I've also been looking into alternatives to NIS (although NIS works very well, it's not the most secure of ways as I've said above!). LDAP is one way but I'm not confident enough to try this - I don't have any knowledge of it and when I tried it on a test network, it was a nightmare and didn't work 100%. Documentation seems a bit thin and/or out-of-date currently.

Anyway, I searched for some alternatives on freshmeat and one that uses MySQL and nsswitch came up. It's also possible to use encryption (SSL/SSH IIRC) for the connection. Has anyone tried this? Feedback most welcome :)

Thanks and regards,
David.

--
David Ramsden <[EMAIL PROTECTED]>
http://portal.hexstream.eu.org/
PGP key ID: 507B379B on wwwkeys.pgp.net
Debian - when you have better things to do than to fix a system.
Re: OT: Is it so easy to break into an NIS?
Thanx for the input everybody, I think that from now on I will at least recommend to my clients that they use LDAP instead.

Bye
--
Haim
Re: OT: Is it so easy to break into an NIS?
Quoting seph ([EMAIL PROTECTED]):
> you might be thinking of Arla, which is a completely independent
> opensource afs client. http://www.stacken.kth.se/projekt/arla/

Nope. Last I heard, Arla was going nowhere, on account of lost mindshare when IBM/Transarc put OpenAFS under the IBM PL. Has that changed?

--
Cheers,              "Not using Microsoft products is like being a non-smoker
Rick Moen            40 or 50 years ago: You can choose not to smoke, yourself,
[EMAIL PROTECTED]    but it's hard to avoid second-hand smoke." -- M. Tiemann
Re: OT: Is it so easy to break into an NIS?
Rick Moen <[EMAIL PROTECTED]> writes:
> Quoting seph ([EMAIL PROTECTED]):
>
>> depends what you mean by free. Are you aware of openafs?
>> http://www.openafs.org
>
> That is of course derived from the IBM Transarc software. Hmmm. Some
> while back, I'd been led to believe that only client-end software was
> available in open source.

you might be thinking of Arla, which is a completely independent opensource afs client. http://www.stacken.kth.se/projekt/arla/ (okay, so they also have an experimental afs server, but it's not stable)

seph
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
>
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

Coda is another CMU SCS project (as was AFS, which btw stands for Andrew File System, e.g. Andrew Carnegie and Andrew Mellon). It was commercialized in conjunction with IBM (the Transarc guys were all CMU SCS). AFAIK, Coda is a new system. However I've been away from the department since '89 although I still stay in touch with some of the SCS crowd.

--
IN MY NAME: Dale Amon, CEO/MD
No Mushroom clouds over Islandone Society London and New York. www.islandone.org
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

No, CODA is not simply an AFS implementation. It is based on AFS, but it supports things like offline use that are not supported by AFS. The complete feature list from http://www.coda.cs.cmu.edu/ is:

1. disconnected operation for mobile computing
2. is freely available under a liberal license
3. high performance through client side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in server network
7. network bandwidth adaptation
8. good scalability
9. well defined semantics of sharing, even in the presence of network failures

I tried setting it up a couple of years ago. It was evil. I gave up and haven't looked at it since. At that time, there were sid packages in experimental. I don't know if they've actually been uploaded to unstable or not.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: OT: Is it so easy to break into an NIS?
Hanasaki JiJi wrote:
> What is OpenAFS vs CODA?

IIRC CODA has the limitation of needing 4% of volume size in RAM. And performance is very bad (IIRC like 150 kbytes/sec max on pentium 400).

On second thought: This was in a fully redundant setup - probably it has better performance in other setups.

regards,
Thiemo Nagel

> [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>> Quoting seph ([EMAIL PROTECTED]):
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software. Hmmm. Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source. A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was. Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends? (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim
Re: OT: Is it so easy to break into an NIS?
As I understand it, OpenAFS is IBM software that was opensourced. Coda was a wholly opensource project to implement AFS. Please feel free to correct me if I'm wrong.

David.

On Wed, 19 Mar 2003, Hanasaki JiJi wrote:
> What is OpenAFS vs CODA?
>
> [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>> Quoting seph ([EMAIL PROTECTED]):
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software. Hmmm. Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source. A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was. Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends? (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim
>
> --
> Management is doing things right; leadership is doing the right things. - Peter Drucker
> http://www.sun.com/service/sunps/jdc/javacenter.pdf
> www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone
Re: OT: Is it so easy to break into an NIS?
What is OpenAFS vs CODA?

[EMAIL PROTECTED] wrote:
> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
> > Quoting seph ([EMAIL PROTECTED]):
> > > depends what you mean by free. Are you aware of openafs?
> > > http://www.openafs.org
> >
> > That is of course derived from the IBM Transarc software. Hmmm. Some
> > while back, I'd been led to believe that only client-end software was
> > available in open source. A quick perusal of that site plus some Google
> > hits suggests that such is not the case now, if it ever was. Can
> > someone confirm from experience that AFS can be done with all open
> > source, both ends? (Yes, I do consider IBM PL code to qualify.)
>
> Yes, both sides are fully opensource now.
>
> Tim

--
Management is doing things right; leadership is doing the right things. - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
>
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

Coda is another CMU SCS project (as was AFS, which btw stands for Andrew File System, e.g. Andrew Carnegie and Andrew Mellon). It was commercialized in conjunction with IBM (the Transarc guys were all CMU SCS). AFAIK, Coda is a new system. However I've been away from the department since '89 although I still stay in touch with some of the SCS crowd.

--
IN MY NAME:                 Dale Amon, CEO/MD
No Mushroom clouds over     Islandone Society
London and New York.        www.islandone.org
--

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

No, CODA is not simply an AFS implementation. It is based on AFS, but it supports things like offline use that are not supported by AFS. The complete feature list from http://www.coda.cs.cmu.edu/ is:

1. disconnected operation for mobile computing
2. is freely available under a liberal license
3. high performance through client side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in server network
7. network bandwidth adaptation
8. good scalability
9. well defined semantics of sharing, even in the presence of network failures

I tried setting it up a couple of years ago. It was evil. I gave up and haven't looked at it since. At that time, there were sid packages in experimental. I don't know if they've actually been uploaded to unstable or not.

noah

--
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

pgp0.pgp
Description: PGP signature
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
> Quoting seph ([EMAIL PROTECTED]):
>
> > depends what you mean by free. Are you aware of openafs?
> > http://www.openafs.org
>
> That is of course derived from the IBM Transarc software. Hmmm. Some
> while back, I'd been led to believe that only client-end software was
> available in open source. A quick perusal of that site plus some Google
> hits suggests that such is not the case now, if it ever was. Can
> someone confirm from experience that AFS can be done with all open
> source, both ends? (Yes, I do consider IBM PL code to qualify.)

Yes, both sides are fully opensource now.

Tim

--
Tim Sailer (at home)                 Coastal Internet, Inc.
Network and Systems Operations       PO Box 671
http://www.buoy.com                  Ridge, NY 11961
[EMAIL PROTECTED]/[EMAIL PROTECTED]  (631)924-3728 (888) 924-3728
Re: OT: Is it so easy to break into an NIS?
Quoting seph ([EMAIL PROTECTED]):

> depends what you mean by free. Are you aware of openafs?
> http://www.openafs.org

That is of course derived from the IBM Transarc software. Hmmm. Some while back, I'd been led to believe that only client-end software was available in open source. A quick perusal of that site plus some Google hits suggests that such is not the case now, if it ever was. Can someone confirm from experience that AFS can be done with all open source, both ends? (Yes, I do consider IBM PL code to qualify.)

--
Cheers,               This space for rant.
Rick Moen
[EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Quoting Tarjei Huse ([EMAIL PROTECTED]):

> Doesn't NFS v4 answer some of these problems?

Certainly it does when/if fully implemented. When last I checked, the U. of Michigan development effort for Linux was still pretty far from production code.

--
Cheers,               kill -9 them all.
Rick Moen             Let init sort it out.
[EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Rick Moen <[EMAIL PROTECTED]> writes:

> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software).

depends what you mean by free. Are you aware of openafs?
http://www.openafs.org

seph
Re: OT: Is it so easy to break into an NIS?
> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software). Substituting
> LDAP-SSL for NIS is arguably a step forward, but then NFS remains a
> problem (No Friggin' Security).

Doesn't NFS v4 answer some of these problems? Does anyone know when we'll see NFS v4 and what its security features are?

Regarding AFS/Kerberos, isn't openafs an OSS solution?

Tarjei
RE: Is it so easy to break into an NIS?
yes, NIS+ is a bit better, but basically it's inadequate security-wise. It should not be considered for a new system/network IMHO.

regards
Steven

-----Original Message-----
From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 19 March 2003 12:30
To: Debian Security
Subject: OT: Is it so easy to break into an NIS?

Hi

A friend just asked me this question and I got curious. say I'm equipped with a linux laptop and some knowledge, I can walk into a company that uses NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join their domain. now I can log in as root on my computer, su to any user and see/change/delete his files. is it that easy?

of course, administrators should protect their mounts with netgroups permissions, and users should protect their important files with encryption, but how many of these do you see?

any ideas? suggestions?

Bye
--
Haim

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> A friend just asked me this question and I got curious. say I'm
> equipped with a linux laptop and some knowledge, I can walk into a
> company that uses NIS, find out the settings (NISDOMAIN, free ip
> address, etc...) and join their domain. now I can log in as root on my
> computer, su to any user and see/change/delete his files. is it that
> easy?

On a typical NIS/NFS setup, it's pretty easy from a workstation to break into other files on the NFS shares. Breaking into the NIS/NFS master is and should be extremely non-trivial.

NIS is typically used only inside organisations where random members of the public aren't given free rein to plug in their laptops and snoop. (Employees can try that, but have a lot to lose if caught at it.)

Networks needing a greater degree of privacy and authentication can try AFS/Kerberos (entailing non-free server-end software). Substituting LDAP-SSL for NIS is arguably a step forward, but then NFS remains a problem (No Friggin' Security).

--
Cheers,               The genius of you Americans is that you never make
Rick Moen             clear-cut stupid moves, only complicated stupid moves
[EMAIL PROTECTED]     that make us wonder at the possibility that there may
                      be something to them that we are missing.
                                                  --Gamel Abdel Nasser
Re: OT: Is it so easy to break into an NIS?
On Tuesday 18 March 2003 04:13 pm, Haim Ashkenazi wrote:
> Hi

Hello,

> A friend just asked me this question and I got curious. say I'm equipped
> with a linux laptop and some knowledge, I can walk into a company that uses
> NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join
> their domain. now I can log in as root on my computer, su to any user and
> see/change/delete his files. is it that easy?

Yes, quite. NIS uses no authentication whatsoever.

> of course, administrators should protect their mounts with netgroups
> permissions, and users should protect their important files with
> encryption, but how many of these do you see?

Not many. The problems you describe above are well-known.

> any ideas? suggestions?

Use LDAP and Kerberos instead of NIS. They are equally or better supported in every situation I know of.

- Keegan
OT: Is it so easy to break into an NIS?
Hi

A friend just asked me this question and I got curious. say I'm equipped with a linux laptop and some knowledge, I can walk into a company that uses NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join their domain. now I can log in as root on my computer, su to any user and see/change/delete his files. is it that easy?

of course, administrators should protect their mounts with netgroups permissions, and users should protect their important files with encryption, but how many of these do you see?

any ideas? suggestions?

Bye
--
Haim
Re: NIS(Client && Server) + Security
> One last thing: What links do you suggest to read about this matter (NIS) and
> what better tools exist for this kind of job?

I don't really have any links, I'm just going by what my experience has been. The NIS security issues are well known, I'm sure a google search will turn up scads of information.

NIS is almost the only option though if you require on-the-fly user replication between multiple different kinds of unix hosts. None of the BSDs that I know of have implemented a flexible SYSV-like name service switch yet, (there was a FreeBSD guy who was promising to do it but last I heard there was no public code, I haven't looked at 5.0 yet though) which is pretty much required to start stitching things like LDAP directly to your libc routines. Glibc supports this so it's a given for environments that use it. Solaris >= 2.7 supports it *I think* ... it's been a while since I dealt with that. Padl software makes both NSS and PAM hooks for LDAP, freely available to the linux community. (Not the best security record sadly, but I'm unaware of any competition.) OS X supports pluggable name services via netinfo (yuck) which work OK in my experience, though NFS was fugly at the time.

Generally if you've got an environment that supports it, and you really need unified management[1] of your name services[2] I'd suggest using LDAP, openldap w/TLS provides significantly more security than NIS.

[1] unified environments come at a high reliability cost, you've got to provide redundancy failover services or your network can become unusable in the blink of an eye if something fails. I'd never consider using something like LDAP on a network with less than 5 machines, not for name services anyway. Small tasks can be handled well enough with rsync and ssh and some routine scripts.

[2] note when I say name services, I'm not talking about DNS, though the facilities exist to incorporate that into a unified configuration. Personally I'd never use a unified environment for DNS management because doing so tends to create some annoying chicken-or-egg scenarios that newbie admins can easily trip over and cause a mess. I'm not fond of fragile services, which incidentally is why I don't run BIND and why I think anyone who does is a fool. There are plenty of good replacements, djbdns, maradns (for those of you who tend and nurture your myopic little hatred of djb like it's some kind of 100 year old bonsai), etc. And they don't crash every few days for no reason.

--
Jamie Heilman                     http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to
 tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I
 liked you better when you weren't saying squat kid."        -Buddy
Re: NIS(Client && Server) + Security
Quoting Jamie Heilman <[EMAIL PROTECTED]>:

> > I have 3 machines, A, B and C. Machine A is my gateway, B my NIS,
> > mail and SMB server and machine C is my WorkStation. My doubt is if
> > it is secure to have a NIS client on machine A or simply re-direct my
> > connections to machine B?
>
> Unless there's something you've not told us there's no reason to have A
> provide your NIS service, so why even consider it? If you did put NIS on
> machine A, for whatever reason, you would need to ensure hosts external
> to your local network couldn't access the NIS service, which could be
> done using the usual packet filtering techniques. In general NIS should
> never be exposed to untrusted access because it's far too vulnerable to
> attack. I say this assuming A, B, C are all on a single local network,
> if machine B is external to the network machine C is on, well then, it's
> a different story, and perhaps NIS isn't the best tool for the job.
> (IMO, NIS is almost never the best tool in homogeneous linux
> environments.)
>
> --
> Jamie Heilman                     http://audible.transient.net/~jamie/
> "Most people wouldn't know music if it came up and bit them on the ass."
>                                                         -Frank Zappa

One last thing: What links do you suggest to read about this matter (NIS) and what better tools exist for this kind of job?

Thanks for everything.

Ricardo Sousa

__
The Portuguese people's favourite email is now also the Free Internet Access that gives out prizes! Find out more: http://concurso.portugalmail.pt
Re: NIS(Client && Server) + Security
> I have 3 machines, A, B and C. Machine A is my gateway, B my NIS,
> mail and SMB server and machine C is my WorkStation. My doubt is if
> it is secure to have a NIS client on machine A or simply re-direct my
> connections to machine B?

Unless there's something you've not told us there's no reason to have A provide your NIS service, so why even consider it? If you did put NIS on machine A, for whatever reason, you would need to ensure hosts external to your local network couldn't access the NIS service, which could be done using the usual packet filtering techniques. In general NIS should never be exposed to untrusted access because it's far too vulnerable to attack. I say this assuming A, B, C are all on a single local network, if machine B is external to the network machine C is on, well then, it's a different story, and perhaps NIS isn't the best tool for the job. (IMO, NIS is almost never the best tool in homogeneous linux environments.)

--
Jamie Heilman                     http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa
NIS(Client && Server) + Security
Greetings.

I have 3 machines, A, B and C. Machine A is my gateway, B my NIS, mail and SMB server and machine C is my WorkStation. My doubt is if it is secure to have a NIS client on machine A or simply re-direct my connections to machine B? I don't want to do the re-directions to machine C, because it won't be always on.

Thank you.
Ricardo Sousa

__
Not all dreams are in black and white! Win a Mazda MX-5 and 8575 more prizes. Find out more: http://concurso.portugalmail.pt
Re: NIS
On Tue, 29 Oct 2002, Francois Sauterey wrote:
> HI,
>
> I'm looking for any craft to secure YP:
>
> I'm working around shadow password and yp.
>
> shadow passwords are stupid if "ypcat passwd" gives the encrypted passwords!
> Well, I use (in /etc/ypserv):
> * : passwd.byname : port : yes
> * : passwd.byuid  : port : yes
>
> passwd are mangled, but the ftp server, on a YP-client machine, does not
> recognize any user.
>
> Any solution ?
>

If you are using ProFTPd, then using "PersistentPasswd off" in your /etc/proftpd.conf would do the trick.

-Daniel Lysfjord-
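The two ypserv rules quoted above decide, per request, whether a client gets the full passwd entry, a mangled one, or nothing. The following toy evaluator is an added example written for this page, not code from ypserv or ProFTPD. It assumes the older rule format the poster quotes (`host : map : security : mangle [: field]`), first-match-wins ordering, and a default of serving the entry when no rule matches; the configuration and the passwd entry are constructed, and the hash in it is a placeholder, not a real digest.

```python
"""Toy evaluator for ypserv.conf-style access rules (added example, not ypserv code).

Assumed semantics of the 'security' column: 'none' serves the entry to any
matching client, 'deny' refuses it, and 'port' serves the full entry only to a
client whose source port is privileged (< 1024, which requires root on the
client). From an unprivileged port a 'port' rule hands back the entry with the
password field replaced by 'x' when mangle is 'yes', and refuses it otherwise.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

PRIVILEGED_PORT_LIMIT = 1024  # source ports below this require root on the client
DEFAULT_MANGLE_FIELD = 2      # 1-based; field 2 of a passwd entry holds the hash


@dataclass
class Rule:
    host: str        # shell-style pattern; '*' matches any client address
    map_name: str    # shell-style pattern over NIS map names
    security: str    # 'none', 'port' or 'deny'
    mangle: bool     # for 'port': mangle instead of refusing unprivileged clients
    field: int = DEFAULT_MANGLE_FIELD


def parse_rules(text: str) -> List[Rule]:
    """Parse 'host : map : security : mangle [: field]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 4 or parts[2].lower() not in ("none", "port", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        field = int(parts[4]) if len(parts) > 4 else DEFAULT_MANGLE_FIELD
        rules.append(Rule(parts[0], parts[1], parts[2].lower(),
                          parts[3].lower() == "yes", field))
    return rules


def serve(rules: List[Rule], client_host: str, client_port: int,
          map_name: str, entry: str) -> Optional[str]:
    """Return the entry as the server would hand it out, or None if refused.

    First matching rule wins. With no matching rule this toy serves the entry
    unchanged, so a real configuration should end with an explicit catch-all.
    """
    for rule in rules:
        if not (fnmatch(client_host, rule.host) and fnmatch(map_name, rule.map_name)):
            continue
        if rule.security == "deny":
            return None
        if rule.security == "none" or client_port < PRIVILEGED_PORT_LIMIT:
            return entry
        if not rule.mangle:
            return None
        fields = entry.split(":")
        if len(fields) >= rule.field:
            fields[rule.field - 1] = "x"   # hide the hash from unprivileged clients
        return ":".join(fields)
    return entry


# Constructed configuration mirroring the two lines quoted in the thread,
# plus a rule that never hands out shadow maps over NIS at all.
CONSTRUCTED_CONF = """
* : passwd.byname : port : yes
* : passwd.byuid  : port : yes
* : shadow.*      : deny : no
"""

# Constructed passwd entry; the hash is a placeholder, not a real digest.
CONSTRUCTED_ENTRY = "alice:$6$constructedsalt$constructedhash:1001:1001:Alice:/home/alice:/bin/bash"


def demo() -> Dict[str, Optional[str]]:
    """What a root client, an unprivileged client and a shadow lookup each receive."""
    rules = parse_rules(CONSTRUCTED_CONF)
    return {
        "privileged_port": serve(rules, "10.0.0.5", 1020, "passwd.byname", CONSTRUCTED_ENTRY),
        "unprivileged_port": serve(rules, "10.0.0.5", 40000, "passwd.byname", CONSTRUCTED_ENTRY),
        "shadow_lookup": serve(rules, "10.0.0.5", 1020, "shadow.byname", CONSTRUCTED_ENTRY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The unprivileged-port case is the one to keep in mind when a daemon on a client "does not recognize any user": a process that is not running as root cannot bind a source port below 1024, so any lookup it issues itself only ever sees the mangled entry.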
NIS
HI,

I'm looking for any craft to secure YP:

I'm working around shadow password and yp.

shadow passwords are stupid if "ypcat passwd" gives the encrypted passwords!
Well, I use (in /etc/ypserv):
* : passwd.byname : port : yes
* : passwd.byuid  : port : yes

passwd are mangled, but the ftp server, on a YP-client machine, does not recognize any user.

Any solution ?

Francois
--
"Quelle Connerie la guerre" (J. Prevert)
Francois Sauterey Tel: +33 01 40 33 68 46
mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]
Re: NIS and propagation of groups
Look at /var/yp/Makefile, the MINUID and MINGID variables.

Marcos

> From: Sebastien Picard <[EMAIL PROTECTED]>
> Date: Thursday, 20 June 2002 09:28:11 +0200
--> Hello all,
-->
--> I'm using NIS 3.9-6 on woody (kernel 2.4.18).
-->
--> I'd like to know how to get the gids < 1000 propagated, and not those > 1000.
-->
--> The problem appeared after an update with an upgrade from potato to woody.
-->
--> Thanks in advance to whoever replies.
-->
--> Have a nice evening.
-->
--> :-)
-->
--> --
-->  -   \\\|///
-->    \\  - -  //
-->     (  @ @  )
--> -oOOo-(_)-oOOo-
--> |                          |
--> | Sebastien Picard         |
--> | Research and Training    |
--> | Assistant Engineer       |
--> | Computer Science Dept.   |
--> | IUT Belfort-Montbeliard  |
--> | [EMAIL PROTECTED]        |
--> | 03.84.58.77.79           |
--> ---
-->
Re: [translation] NIS and propagation of groups
Thanks, and excuse me for using French.

Chris Boyle wrote:
> This should probably have gone to the lists and the poster, not me.
> On Thu, 2002-06-20 at 15:02, Bertrand Orvoine wrote:
>> see in /var/yp/Makefile :
>>
>> # We do not put password entries with lower UIDs (the root and system
>> # entries) in the NIS password database, for security. MINUID is the
>> # lowest uid that will be included in the password maps.
>> # MINGID is the lowest gid that will be included in the group maps.
>> MINUID=1000
>> MINGID=1000
>>
>> it was 100 in potato.

--
 -   \\\|///
   \\  - -  //
    (  @ @  )
-oOOo-(_)-oOOo-
|                          |
| Sebastien Picard         |
| Research and Training    |
| Assistant Engineer       |
| Computer Science Dept.   |
| IUT Belfort-Montbeliard  |
| [EMAIL PROTECTED]        |
| 03.84.58.77.79           |
---
Re: [translation] NIS and propagation of groups
This should probably have gone to the lists and the poster, not me.

On Thu, 2002-06-20 at 15:02, Bertrand Orvoine wrote:
> see in /var/yp/Makefile :
>
> # We do not put password entries with lower UIDs (the root and system
> # entries) in the NIS password database, for security. MINUID is the
> # lowest uid that will be included in the password maps.
> # MINGID is the lowest gid that will be included in the group maps.
> MINUID=1000
> MINGID=1000
>
>
> it was 100 in potato.

--
Chris Boyle - Debian Developer - aewm++, sapphire, xmmsarts
GPG: B7D86E0F, MSN: [EMAIL PROTECTED], ICQ: 24151961, AIM: kerneloops, Yahoo: kerneloops, IRC: cmb on openprojects.net
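The Makefile comment quoted above is the whole explanation of the poster's symptom: the map build drops every group whose gid is below MINGID, and that threshold moved from 100 to 1000 between potato and woody. The following model is an added example written for this page, not the Makefile's own code (which does this filtering with awk while building the maps). It models only the selection rule; the nobody/nogroup exclusion the stock Makefile expresses as NFSNOBODYUID/NFSNOBODYGID is represented here by a single NOBODY_ID constant, and all passwd and group lines are constructed.

```python
"""Toy model of the MINUID/MINGID filtering in /var/yp/Makefile (added example).

Only the selection rule is modelled: local entries are exported to the passwd
and group maps when their uid/gid is at least MINUID/MINGID and is not the
nobody/nogroup id. NIS '+'/'-' marker lines are never re-exported.
"""
from typing import Dict, List

NOBODY_ID = 65534  # uid/gid of nobody/nogroup; stands in for NFSNOBODYUID/GID


def _is_local_entry(line: str, nfields: int) -> bool:
    """True for a real entry: not blank, not a comment, not a +/- NIS marker,
    and with the expected number of colon-separated fields."""
    if not line or line[0] in "#+-":
        return False
    return len(line.split(":")) == nfields


def passwd_map(lines: List[str], minuid: int) -> Dict[str, str]:
    """Entries that would land in passwd.byname, keyed by user name."""
    selected: Dict[str, str] = {}
    for line in lines:
        if not _is_local_entry(line, 7):
            continue
        name, _pw, uid, _rest = line.split(":", 3)
        if int(uid) >= minuid and int(uid) != NOBODY_ID:
            selected[name] = line
    return selected


def group_map(lines: List[str], mingid: int) -> Dict[str, str]:
    """Entries that would land in group.byname, keyed by group name."""
    selected: Dict[str, str] = {}
    for line in lines:
        if not _is_local_entry(line, 4):
            continue
        name, _pw, gid, _members = line.split(":")
        if int(gid) >= mingid and int(gid) != NOBODY_ID:
            selected[name] = line
    return selected


def groups_dropped_by_raising(lines: List[str], old_mingid: int, new_mingid: int) -> List[str]:
    """Groups that were exported under the old threshold but are not under the new one;
    this is the diagnostic to run after an upgrade that changed the Makefile default."""
    before = group_map(lines, old_mingid)
    after = group_map(lines, new_mingid)
    return sorted(name for name in before if name not in after)


# Constructed sample files. 'bob' and 'devel' use a potato-era id of 500.
CONSTRUCTED_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "bob:x:500:500:Bob:/home/bob:/bin/bash",
    "alice:x:1001:1001:Alice:/home/alice:/bin/bash",
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/sh",
    "+::::::",  # NIS marker line; never re-exported
]
CONSTRUCTED_GROUP = [
    "root:x:0:",
    "staff:x:50:",
    "devel:x:500:bob,alice",
    "alice:x:1001:",
    "nogroup:x:65534:",
]


def demo() -> Dict[str, List[str]]:
    """Compare the potato-era default (100) with the woody default (1000)."""
    return {
        "groups_exported_min100": sorted(group_map(CONSTRUCTED_GROUP, 100)),
        "groups_exported_min1000": sorted(group_map(CONSTRUCTED_GROUP, 1000)),
        "groups_dropped_on_upgrade": groups_dropped_by_raising(CONSTRUCTED_GROUP, 100, 1000),
        "users_exported_min1000": sorted(passwd_map(CONSTRUCTED_PASSWD, 1000)),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case}: {names}")
```

Run against a real /etc/group with the old and new thresholds, `groups_dropped_by_raising` lists exactly the groups that stopped propagating; lowering MINGID back to the old value exports them again, but it also exports every system group in between, which is what the Makefile comment warns about.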
[translation] NIS and propagation of groups
On Thu, 2002-06-20 at 08:28, Sebastien Picard wrote:
> Hi all,
>
> I'm using NIS 3.9-6 on woody (kernel 2.4.18).
>
> I'd like to know how to make the gids < 1000 propagate, and not those
> > 1000.
>
> The problem appeared after an update with an upgrade from potato to
> woody.
>
> Thank you in advance to any and all who reply.
>
> Have a nice evening
>
> :-)

--
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/~chrisb/
GPG: B7D86E0F, MSN: [EMAIL PROTECTED], ICQ: 24151961, AIM: kerneloops, Yahoo: kerneloops, IRC: cmb on openprojects.net
Re: NIS and propagation of groups
Hello! Speak English, man!

On Thursday, 2002-06-20 at 09:28:11 +0200, Sebastien Picard wrote:
> Hello all,
>
> I'm using NIS 3.9-6 on woody (kernel 2.4.18).
>
> I'd like to know how to get the gids < 1000 propagated, and not those > 1000.
>
> The problem appeared after an update with an upgrade from potato to woody.
>
> Thanks in advance to whoever replies.
>
> Have a nice evening.
>
> :-)
>
> --
>  -   \\\|///
>    \\  - -  //
>     (  @ @  )
> -oOOo-(_)-oOOo-
> |                          |
> | Sebastien Picard         |
> | Research and Training    |
> | Assistant Engineer       |
> | Computer Science Dept.   |
> | IUT Belfort-Montbeliard  |
> | [EMAIL PROTECTED]        |
> | 03.84.58.77.79           |
> ---
--- Thus spoke Sebastien Picard ---

And a shorter signature would also be appreciated.

Thank you,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |
NIS and propagation of groups
Hello all,

I'm using NIS 3.9-6 on woody (kernel 2.4.18).

I'd like to know how to get the gids < 1000 propagated, and not those > 1000.

The problem appeared after an update with an upgrade from potato to woody.

Thanks in advance to whoever replies.

Have a nice evening.

:-)

--
 -   \\\|///
   \\  - -  //
    (  @ @  )
-oOOo-(_)-oOOo-
|                          |
| Sebastien Picard         |
| Research and Training    |
| Assistant Engineer       |
| Computer Science Dept.   |
| IUT Belfort-Montbeliard  |
| [EMAIL PROTECTED]        |
| 03.84.58.77.79           |
---