Granted, we don't get a lot of NIS questions here, but still. Out of the box, NIS has some inherent (potential) security issues. I felt like trying to start a discussion, identifying what the (potential) security threats are and figuring out how to mitigate them.
I can think of the following three threats myself:
- Users can obtain a list of usernames and the accompanying password hashes, which they can feed to a password cracker, thus obtaining other users' passwords.
- Any host on the Internet can connect to your NIS server(s) and obtain the same.
- NIS traffic is unencrypted. If I'm not mistaken, NIS is not stupid enough to transmit passwords in the clear, but still the password hashes can be intercepted.
- This I think is a thing of the past. Sure, back in the late '90s and early '00s I used to do this regularly at the university. I just did `ypcat passwd`, took the result home, fired up John the Ripper and let it run overnight and/or while I was away. This would usually reveal at least 5 or 10 users with lame passwords. Obviously, I always mailed the results to the head sysadmin, who would then break out the LART. However, FreeBSD's implementation of NIS can be configured to not export the master.passwd map. In fact, this is default behaviour. `ypcat passwd` works fine but returns the passwd map, which has the passwords starred out. `ypcat master.passwd` only works for root; mortal users simply get an error message.
- This sounds like nothing a good firewall/router setup can't fix. Just make sure any NIS servers are only accessible from the local network. NIS also has access control (/var/yp/securenets), but I'm not sure whether this is vulnerable to spoofing. It may not offer as much security as one would think.
- This does sound like a potentially big problem. Has anyone ever tried to fiddle with some kind of encryption layer (e.g. SSH tunnelling) around NIS?
Any additions, suggestions, solutions, corrections etc. are welcome.
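As an added example (not part of the post above), here is a small read-only audit script for the first two points: it checks whether the passwd map a client receives still contains password hashes rather than starred-out fields, and whether /var/yp/securenets contains a catch-all netmask that admits any host. The passwd lines and securenets file below are constructed samples, not output from a real system; the "0.0.0.0 netmask means every address" reading of securenets is the standard netmask/network pair format and the lock-marker conventions (`*` on FreeBSD, `x` on shadow-style systems) are assumptions stated in the comments.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Two read-only checks a
# sysadmin can run against their own NIS setup:
#   1. does the exported passwd map leak password hashes, or are they starred out?
#   2. does /var/yp/securenets contain a catch-all entry that admits any host?
# Both functions read stdin, so they can be fed real output
# (`ypcat passwd`, `cat /var/yp/securenets`) or the constructed samples below.

# Print the usernames whose password field is a real hash (or empty) rather
# than a lock marker such as "*" (FreeBSD) or "x" (shadow-style systems).
# Assumption: any field not starting with "*" and not equal to "x" is either
# a crackable hash or an empty (passwordless) field; both are worth flagging.
exposed_hashes() {
    awk -F: 'NF >= 2 && $2 !~ /^\*/ && $2 != "x" { print $1 }'
}

# Print securenets entries (prefixed with their line number) whose netmask is
# 0.0.0.0, i.e. entries that match every address and therefore switch the
# access control off. Comment lines and blank lines are skipped.
securenets_catchall() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 == "0.0.0.0" { print NR ": " $0 }'
}

# --- Constructed sample data (not from any real system) ------------------

# A passwd map as `ypcat passwd` might return it from a badly configured
# server: two entries are starred out, two expose a hash.
SAMPLE_PASSWD_MAP='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijklmn:1002:1002:Bob:/home/bob:/bin/sh
carol:xyABCDEF123456:1003:1003:Carol:/home/carol:/bin/sh'

# A securenets file whose last entry quietly admits the whole Internet.
SAMPLE_SECURENETS='# loopback
255.0.0.0 127.0.0.0
# lab LAN
255.255.255.0 192.168.1.0
# added "to fix a connectivity problem"
0.0.0.0 0.0.0.0'

echo "Users whose hash is visible in the passwd map:"
printf '%s\n' "$SAMPLE_PASSWD_MAP" | exposed_hashes

echo "Catch-all entries in securenets:"
printf '%s\n' "$SAMPLE_SECURENETS" | securenets_catchall

# On a live host, replace the samples with:
#   ypcat passwd | exposed_hashes
#   securenets_catchall < /var/yp/securenets
```

Running `ypcat passwd | exposed_hashes` as an ordinary user is the quickest way to confirm the starred-out behaviour described above: an empty result means clients only see lock markers, while any username printed is an account whose hash is being handed to every NIS client on the network.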