Re: Replacement for NIS? (was Re: Obtaining NIS domainname from

Jon Peatfield (J.S.Peatfield@damtp.cam.ac.uk)
Sat, 15 Apr 1995 16:35:13 +0100

> One's own domainname, nothing.  But someone else knowing your
> domainname gives that someone a significant edge when it comes to
> breaking in to your machines.

Given the more recent versions of ypserv I don't see any major security
problems left with YP, i.e. the patches which Sun (at least, and maybe HP if
you believe their docs) produced which tell a ypserv and portmapper which
machines they should talk to.

Back before these patches one could extract yp maps from a random domain using
ypxfer, or hand-written code, but this no longer works with the newer code.

If there are other security holes left, please enlighten me.

> > Is there a "better" NIS [...]
> 
> I'd be interested in hearing about any such.  I'm almost ready to try
> my hand at writing one myself, but so far the perceived need has not
> yet been sufficient to make me allocate the time.

A good starting point might be the 386/BSD, Linux YP implementation.  Since
the source is available you can add whatever security measures you like to it.
I'm not sure if their ypserv/ypbind are drop-in replacements for the ONC
versions (e.g. if the file format etc. are the same), but it shouldn't be too
hard to check.

  -- Jon Peatfield  (DAMTP, unix network admin)
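
Added example, not part of the original message: a sketch of the kind of check the patched ypserv described above performs, deciding from an allow list which client addresses get an answer. The "netmask network" line format is an assumption modelled on the securenets-style file, and all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample allow list, one "netmask network" pair per line
# (assumed format; addresses are documentation ranges, not real hosts).
SAMPLE_SECURENETS = """\
# netmask        network
255.255.255.255  127.0.0.1
255.255.255.0    192.0.2.0
"""

def parse_securenets(text):
    """Parse allow-list text into ip_network objects; reject bad lines."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask network'")
        mask, addr = fields
        # strict=True raises ValueError when the network address has bits
        # set outside the mask, a common typo that silently changes scope.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=True))
    return nets

def client_allowed(client_ip, nets):
    """True if the requesting address falls inside a listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)

def audit(nets):
    """Return entries that match every address and so restrict nothing."""
    return [str(n) for n in nets if n.prefixlen == 0]

if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    for client in ("127.0.0.1", "192.0.2.44", "203.0.113.9"):
        verdict = "answer" if client_allowed(client, nets) else "refuse"
        print(f"{client:15} -> {verdict}")
    print("wide-open entries:", audit(nets) or "none")
```

An empty allow list refuses every client here, and `audit` flags an all-zero entry because it would restore the unrestricted behaviour the patches were meant to remove.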