SUMMARY: Readdressing a NIS+ root master server

From: Jim Stern (jstern@world.northgrum.com)
Date: Wed Jan 08 1997 - 17:48:57 CST


I asked whether it was possible to readdress a NIS+ root master
server without invalidating the NIS+ user credentials.

For those unfamiliar with NIS+ (and in this case, ignorance really
is bliss :-}), it contains security features to prevent packet
spoofing and other mischief. In particular, various network
messages are encrypted with keys that in turn depend on the server's
IP address. Change the IP address, invalidate the keys.

Alan K. K. Kong (kkkong@ee.cuhk.edu.hk) said the procedure in Sun's
NIS+ Tip Sheet worked for him. Asim Zuberi (asim@psa.pencom.com)
was also hopeful.

Not Kevin Davidson (tkld@cogsci.ed.ac.uk), though. All his users
had to issue "nisclient -u" the first time they logged in after
the address change. But he had a clever idea:

> 1) Attach the ethernet card to your server and put that on its new
> network.
> 2) boot -rs
> 3) arrange for /etc/hostname.le1 to have the server's name and alter
> /etc/hosts (and hosts table) for new IP address. /etc/hostname.le0
> should contain a name that resolves to the `old' IP address.
> 4) init 6
> 5) nisupdkeys -a
> 6) mv /etc/hostname.le1 /etc/hostname.le0
> 7) init 0
> 8) remove ethernet card
> 9) boot

The catch: He said it "may" work, so apparently it's untested.

Brian Davies (daviesb-cos3@kaman.com) was also pessimistic.
When he readdressed his server, he changed all user passwords to a
known value and used "nisclient -co username" to recreate the
credentials. He added "nispasswd -f username" to force the users
to change their passwords immediately.

Finally, one user answered:

> Illicitly collect your users' passwords. Probably not the answer
> you're looking for.

I would give his name but perhaps he doesn't want his customers
to know. :-)

I asked my question because we were having problems with the server's
subnet. Now it appears we will get a resolution. If so, I may
never have to readdress the server and thus may never gain any
practical experience in the process. If not, I will try to remember
to post a report from the trenches.

-- 
Jim Stern -- Views here are my own, not Northrop Grumman's. (El Segundo, CA)


