Setting Up NIS On CentOS 8

Home » CentOS » Setting Up NIS On CentOS 8
CentOS 5 Comments

Hey Y’all,

I found this:

https://www.server-world.info/en/note?os=CentOS_8&p=nis&f=1

I’ve been told in the past that NIS should not be used because of some supposed security issues.

Can someone site any authoritative documentation concerning the security issues extant in NIS?

My plan is to set up NIS and NFS on my home network server where I plan to host all the local home network /home directories. I’ll use automount on all the other nodes to mount up the home directories when a user logs on.


_
°v°
/(_)\
^ ^
Mark LaPierre
****

5 thoughts on - Setting Up NIS On CentOS 8

  • Le 06/12/2020 à 16:35, Mark LaPierre a écrit :

    The main problem with NIS is that logins and passwords circulate in clear-text over the network.

    I’ve written a detailed blog article about NIS on CentOS 7. Should work similarly on CentOS 8, since NIS didn’t really evolve since:

    https://blog.microlinux.fr/serveur-nis-CentOS-7/

    A secure alternative that’s not much more difficult to setup is 389 Directory Server:

    https://blog.microlinux.fr/389-ds-CentOS-7/

    This one works differently on CentOS 8 though.

    Cheers,

    Niki


    Microlinux – Solutions informatiques durables
    7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32
    Mob. : 06 51 80 12 12

  • There’s a lot of documentation out there. Basically YP/NIS transmits everything over the network in plain text, including password hashes. combined with no authentication/authorisation mechanism, out of the box NIS will give your password hashes to anyone who asks for them. Clearly once a username/password hash has been discovered, it’s only a matter of time before a password is found.

    NIS+ is very different in that it is much more security aware, but consequently much more complex.

    If you have a fully private network, then the security issues are not so bad. It still has its place in things like clusters, but even then it is being superseded by LDAP. If you are setting up a system from scratch, then you really should be looking at using LDAP, it’s not that difficult and there are plenty of tools around to help you manage it all.

    P.

  • That’s not quite it.  Passwords aren’t sent over the network at all when a service or system processes a password in a NIS environment.  Under NIS, member systems request password hashes (usually the “shadow” YP
    map) over a plain-text channel.  But that’s probably lower risk than the fact that the NIS server will hand those hashes out to anyone who can physically (or virtually, often) connect a system of their own to the networks that the NIS server trusts.  The issue of plain-text transmission over the network is a security risk if the attacker controls the network and can examine network traffic.  But that’s usually harder to achieve than simply connecting a system of your own and requesting the data.  So, the risk is simply that password hashes are published.

    On the other hand, we should not that NIS can be used for user information in combination with a separate system for user authentication, such as Kerberos, and that configuration doesn’t suffer most of the security risks of an all-NIS network.

  • Okay, say I decide to go with LDAP and NFS. I’ll be needing some hand holding to get it set up. Are you willing to walk me through this?

    I tried to set up 389 a while ago but ran into the nobody/nobody problem on the client computer that I could not solve. No help arrived then. I
    don’t want a repeat of that.


    _
    °v°
    /(_)\
    ^ ^
    Mark LaPierre
    ****

  • If you don’t have a very good reason to do choose something else, then use FreeIPA for your LDAP/Kerberos service.  It’s very streamlined.