SUMMARY: security of MP maps

From: Rebecca A. Littleton (ral@cerc.wvu.wvnet.edu)
Date: Fri Mar 20 1992 - 04:23:35 CST


Thanks to everyone who responded so promptly to my question, which
follows:
        How can one prevent the YP domain maps from being captured
        by anyone on the net with the command:
                ypcat -d domain_name map_name
Responses were all similar: "Without hacking up the source to
ypserv, you can't prevent it". Here are some of the responses.
Thanks to all who responded; you're names are included at the
end of this message. THANKS! Rebecca Littleton

********************************************************************
stern@sunne.East.Sun.COM Hal Stern - NE Area Systems Engineer
(a) if you're bound to the server, you can get the maps.
        this is basically how NIS works -- if you can match
        one entry, you can ypcat them all. turn this off
        and the service stops working
(b) if you're in another domain, or on another net, then you
        need to prevent someone from gaining access to your
        NIS server. don't make your router/gateway an NIS
        server, and turn off IP forwarding on the router/gateway.
(c) run NIS+ (in 5.0) :-)
********************************************************************
brossard@sasun1.epfl.ch Alain Brossard
        If you have sun sources, I can provide you with the
necessary patches. If you don't have sources, you can
        1- wait for Sun to come out with a patch, but they have
        been testing it for a couple of months now...
        2- Use the patch (old) I put on litsun.epfl.ch
        3- Wait until I get around to publishing my new patches
           (probably a couple of days).
********************************************************************
fetrow@biostat.washington.edu David Fetrow
 Aside from going to SunOS 5.0? I don't know....but you make it harder. For
example; Biostats YP map is not called "biostat" but something more like:
"akil8899u".
********************************************************************
mbl900@anusf.anu.edu.au Mathew BM LIM
ypcat is not so much of a problem since it does a broadcast to find
the server for the indicated domain, so only people in your local
net can use this technique to steal your maps. ypxfr is the one you
have to worry about since it's usage is :
        ypxfr -d domain_name -h host_name map_name
it does a direct connection to the indicated server. So the attacker has to
1) know your server's hostname
2) know your YP domain name
As far as I can tell, there is currently no way to stop this (if there
is we would all like to know). The only helpful advice I can give you
is, treat you YP domaina name like a password, use hard to guess names
and never tell anyone about it. This is hard if the attacker already
has an account on your machines as they can then just run domainname
to get it, then if they already have an account, they could just copy
your password file anyway.
********************************************************************

stern@sunne.East.Sun.COM Hal Stern - NE Area Systems Engineer
trinkle@cs.purdue.edu Daniel Trinkle
tgsmith@spdev.East.Sun.COM Timothy G. Smith - Special Projects
brossard@sasun1.epfl.ch Alain Brossard
fetrow@biostat.washington.edu David Fetrow
mbl900@anusf.anu.edu.au Mathew BM LIM



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:39 CDT