How Insecure Is NIS ? Possible Alternatives ?

Home » CentOS » How Insecure Is NIS ? Possible Alternatives ?
CentOS 18 Comments

Hi,

In the past I’ve setup simple centralized authentication with NIS and NFS, without bothering about possible security implications.

Over the next month I have to setup a new network in a local school, and I wonder if I should use NIS/NFS. I still have my own documentation, it’s simple and somewhat bone-headed to setup, and it just works.

RHEL/CentOS 7 still provide NIS, and I vaguely wonder how exactly it is insecure. So I thought I’d simply ask on this list.

I know there’s FreeIPA available. I gave it a spin some time ago on a local machine, but I think it’s a bit overkill.

Anyone here who uses central authentication (CentOS server + CentOS
clients) ? Any suggestions ?

Cheers,

Niki

Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

18 thoughts on - How Insecure Is NIS ? Possible Alternatives ?

  • In my opionion, there is a serious gap in this area. It’s either NIS, simple, easy to setup yet insecure, or LDAP/FreeIPA/RH Id management server at a complexity at least one order of magnitude beyond NIS.

    There’s also the option of using AD if such infrastructure exists. RH ID management has been completely dismissed by colleagues who know both it and AD, and favour the latter.

  • Hi, as you why it is insecure the biggest reason is that it is trivial for a user to get sensitive information about other users. Particularly things like password hashes, and with the compute power available today cracking a hash is not impractical. It also discourages some of the more standard practices today like user private groups.

    It would still take a fair amount of work but if you want something a little less than FreeIPA or integrating with AD look into http://directory.fedoraproject.org/

    CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS

  • Am 2018-03-26 10:28, schrieb isdtor:

    The issue is that the problem itself isn’t simple to begin with.

    And so, the solutions have become quite complicated. Windows makes it all work quite nicely, apparently – but it works best with Windows.

    I recently came across this article:

    https://fy.blackhats.net.au/blog/html/2017/05/23/kerberos_why_the_world_moved_on.html

    In W10/Server 2016, MSFT has added even more security to Kerberos to address the issues glanced at the above article. Don’t have a link for those, it was an article on paper.

    Not sure if RedHat is ever going to implement those.

    I’ve got the same problem. We should unify authentication to our servers. The problem is that we, being an MSP, operate what I call a very “balkanized” environment. For security-concerns, it was traditionally frowned upon to have a single authentication service. So each customer is on its own network and users are local.

    I’m still looking into RedHat IPA – specifically for its ssh-key management and sudoers-file management capabilities – but I’m also considering running an internal CA and using certificates to authenticate (I’ll have to read-up on this). This is AFAIK the way people like Facebook or Netflix run their shops.

    Usually, if you’re not Google, Amazon, Facebook or Netflix, it’s also not a good idea to try to copy their “patterns” – but this might be an exception.

  • Am 2018-03-26 10:46, schrieb Clint Dilks:

    You don’t even need to crack them yourself. If you have the hashes, you can just use rainbow-tables available online, sometimes for a small fee.

    Still relying on NIS is barely different from not having a password at all and just using a login. In both cases, you have to trust your users – it’s no different.

  • Le 26/03/2018 à 10:28, isdtor a écrit :

    I gave FreeIPA a spin a while back. I installed it on a sandbox server, and from what I recall, it pulled in a tsunami of dependencies, and first thing it wanted to replace my Dnsmasq with BIND… so I didn’t look much further.


    Microlinux – Solutions informatiques durables
    7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

  • Quite time ago we had a stripped setup here working only with openLDAP and PAM modules. LDAP with replication for redundancy, centralized communication with local CA and over TLS. It worked very well. The successor of such setup is SSSD for EL7 but the above should be still a feasible solution.


    LF

  • I also looked into FreeIPA and the complexity is significant, at the time FreeIPA’s DNS integration seemed to rely on a Fedora patch and I wasn’t willing to introduce that into a production environment. Does anyone know if this has changed? Also, concerning alternatives, does anyone have experience with Shibboleth or OmniAuth?

    —–Original Message—

  • FreeIPA should be installed on its own server or VM, in which case its dependencies and what it replaces shouldn’t be a cause for concern.  You can still run dnsmasq on a different host.  Use FreeIPA’s DNS for the internal, private domain only.

    FreeIPA takes all of one command to install, and one to set up. It provides a web UI for both administrative and end-user management of users, passwords, login and sudo policy, etc. Anything you find overly complex can simply be unused.

  • FreeIPA is easy to set up, but it is quite a complex beast under the hood. I’ve had some nasty debugging sessions with it before when things like Kerberos trust relationships failed.

  • In my case, somehow Bind lost the required kerberos tokens to be able to talk to the LDAP server on the same host, so DNS didn’t work, so it couldn’t attempt to refresh the token. Never worked out what the root cause was, but I do remember it being quite fun to get it working again…

  • Likely an even longer time ago, I did an even more stripped down version of this, where I just set up an openLDAP server, used their tools to import from our existing NIS to it, and ran it unencrypted (all the hosts were either on the same switch or over VPN so having no encryption on the network channel was less of a concern). It was fairly straightforward, and I imagine that nowadays, setting up TLS for slapd and clients is probably fairly straightforward too.

    I wonder how much support there is for NIS any more in recent distros. Is it possible CentOS 7 doesn’t support NIS, or does but is buggy?

    –keith

  • Hi!

    Am 29.03.2018 um 09:38 schrieb Nicolas Kovacs:

    We are using the openLDAP + pam_ldap / sssd solution in several smaller networks (up to ~40 Linux clients), but I think it should scale well for larger networks, too.

    The openLDAP solution can also support Samba as domain controller, if you have to support windows clients, too.

    – From that point on we usually integrate other services like an IMAP server (we use Cyrus IMAP), groupware server (we use SOGo)
    and many other services which suport LDAP authentication. You can apply LDAP password policies, too.

    We use GOSa (or it’s successor FusionDirectory, see https://www.fusiondirectory.org/)
    as web frontend, so the users can change their passwords, mail settings etc. on their own (if they are given the rights to do so)

    With all that you get a nice, easy to manage, well integrated and secure network with a central authentication service all with open source software!

    It should run with almost all modern linux distributions, even mixed together in the same network.

    HTH

    – – andreas

    – —
    Andreas Haumer | mailto:andreas@xss.co.at
    *x Software + Systeme | http://www.xss.co.at/
    Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
    A-1100 Vienna, Austria | Fax: +43-1-6060114-71
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v2.0.22 (GNU/Linux)

    iD8DBQFavJxYxJmyeGcXPhERAokrAKC1czb7l/AWaLZSDJ4g+VlIBN0IIQCgm7Iv p5hn8aLp32GA4mJ49RXqp8A=
    =s0/Q
    —–END PGP SIGNATURE—–

  • Le 29/03/2018 à 06:44, Keith Keller a écrit :

    I fiddled around with it for a few days, and I can say that NIS is still perfectly supported under CentOS 7.

    https://blog.microlinux.fr/serveur-nis-CentOS/

    https://blog.microlinux.fr/client-nis-CentOS/

    Cheers,

    Niki


    Microlinux – Solutions informatiques durables
    7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32