>>> Gatorboxes are shipped without a user password set.  [...]
>>> The user account can't change anything, but [...] [f]or example, if
>>> you have the GatorShare software running using NIS authentication,
>>> it will freely tell you what the NIS domainname is.

> What's wrong with knowing one's NIS domainname?

One's own domainname, nothing.  But someone else knowing your
domainname gives that someone a significant edge when it comes to
breaking in to your machines.

>> Maybe a good reason to join the crowd and not run NIS?

> I keep hearing people say this about NIS.

Deservedly, IMO.

> However, when one is running a lot of systems (including PC-NFS
> clients) it is fantastically easy to [administer]

Yes, it is.  It's also a sieve in many respects when it comes to
security.  Lots of easy-to-administer setups are.

> For the moment, I have a client running NIS (not this one) and I have
> their router set up to not pass RPC services from the net (to the
> port for SunRPC).  So far, this seems to be OK.

You (or they) are lucky, so far.

> Are there problems with this?

Yes.  Blocking port 111 is not enough; it is far too easy to just fire
NIS requests at every port number in the appropriate range - there are
only a few thousand of them.  If you're running a mostly stock setup,
one can almost predict the port NIS will use a priori.

Unfortunately there's not much to be done about it, unless you're
willing to replace your yp daemons.

> Is there a "better" NIS [...]

I'd be interested in hearing about any such.  I'm almost ready to try
my hand at writing one myself, but so far the perceived need has not
yet been sufficient to make me allocate the time.

					der Mouse

			mouse@collatz.mcrcim.mcgill.edu
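
The point about port 111, as an added example that is not part of the original message: a defender-side audit that reads `rpcinfo -p` output taken on the NIS server and lists the yp daemons a router filter still leaves reachable. The sample output, the function names and the model of the filter as a set of (proto, port) pairs are assumptions made for illustration.

```python
"""Audit which NIS (yp) RPC services a border filter still leaves reachable.

Input is the text of `rpcinfo -p` run on the NIS server itself; the filter is
modelled (an assumption) as a set of (proto, port) pairs dropped at the router.
"""

# Standard ONC RPC program numbers for the NIS daemons.
NIS_PROGRAMS = {100004: "ypserv", 100007: "ypbind", 100009: "yppasswdd"}

# Constructed sample, not captured from a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    715  ypserv
    100004    2   tcp    716  ypserv
    100007    2   udp    721  ypbind
    100003    2   udp   2049  nfs
"""


def parse_rpcinfo(text):
    """Yield (program, version, proto, port) for each registration line."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            yield int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        except ValueError:
            continue  # malformed row


def exposed_nis(text, blocked):
    """Return sorted (name, proto, port) for NIS daemons the filter misses."""
    found = set()
    for prog, _vers, proto, port in parse_rpcinfo(text):
        if prog in NIS_PROGRAMS and (proto, port) not in blocked:
            found.add((NIS_PROGRAMS[prog], proto, port))
    return sorted(found)


if __name__ == "__main__":
    only_portmapper = {("tcp", 111), ("udp", 111)}
    for name, proto, port in exposed_nis(SAMPLE_RPCINFO, only_portmapper):
        print(f"{name} reachable on {proto}/{port} despite the port 111 block")
```

With only port 111 filtered, every yp registration in the sample is reported, because the portmapper only hands out port numbers and the daemons answer on their own ports.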