SUMMARY: NIS security

From: George Dimitoglou (george@esa.nascom.nasa.gov)
Date: Tue Nov 30 1999 - 08:21:03 CST


Fellow managers:
This is a delayed summary, since I was expecting a few more responses
but not much on this one.

The bottom line for me is that there are security holes in NIS and, depending
on how paranoid one is, one should select accordingly between NIS and
NIS+. I still feel that NIS+ is overkill for small environments but
unfortunately we live in a dangerous world.

I am grateful to the following three managers for their thoughtful responses:
        Birger Wathne Birger.Wathne@getronics.no
        Ken robsonk@ebrd.com
        Jochen Bern bern@penthesilea.uni-trier.de

ANSWERS:
From bern@penthesilea.uni-trier.de Wed Nov 10 07:36:26 1999
        With NIS you get the encrypted passwords in a publicly readable NIS
        map, so you lose the security you got with /etc/shadow where the
        passwords were not readable by ordinary users. With NIS any user can
        ypcat passwd and save the output to file. And then run crack....
        Besides, if you don't have a properly set up firewall, then anyone on
        the net who can guess your NIS domain name can connect to your NIS
        servers and fetch the maps...
        
        With NIS+ it depends on the authentication level. If it runs at the
        lowest level (or NIS compatibility mode) security is no better than
        with NIS. In a pure NIS+ environment you have access bits on each
        table, row column and cell. So the encrypted passwd field in the passwd
        map will only be readable to admin users and the user who owns the
        password. Ordinary users will not see other users' encrypted
        passwords. The NIS+ servers also require that the client machines
        authenticate themselves before they can do NIS+ lookups.

From robsonk@ebrd.com Thu Nov 11 02:29:13 1999
        The key point you are missing here is not the existence of shadow or
        otherwise, it is that NIS does all transfers plain text over the wire.
        Now on your average host the fact that UNIX uses relatively weak
        password encryption algorithms is compensated for by /etc/shadow, only
        root can read this field and hence the encrypted passwords. With NIS
        you can type ypcat passwd and you get the whole thing, now unless NIS
        is rebuilt with some kind of encryption, then it does not matter if
        you put the passwords in shadow or not because I could just type ypcat
        shadow and I got them. So to make this secure you need to encrypt the
        NIS exchanges, well guess what NIS+ is, plus some sensible performance
        enhancements as NIS does not scale well.

From: Jochen Bern <bern@penthesilea.uni-trier.de>
> -When running NIS (not NIS+) password info is transferred between master-slave
> but the transfers move around scrambled passwords (shadow passwords) correct?
        
        Yes.
        
> - What vulnerabilities is exactly NIS open to? By reading the docs NIS+
> is more secure, but to what type of attacks?
        
        Off the top of my head: Cracking passwords (no one ever proved the
        encryption to be a strong one ...); Leeching information from
        offsite ("fixed" by /var/yp/securenets in NIS, *if* you remember
        to maintain it); Server imposters (the Texas Agriculture
        something-or-other U, aka TAMU, had an incident where someone pirated a fast
        machine and used it to reply to NIS "ypmatch someuserid passwd"
        style requests *before* the actual NIS server, with a reply that
        made the clients think it's a valid UID-0 account; since the request
        type of a "ypcat passwd" is different, there was no trace of this to
        be seen unless you *knew* the bogus userid, or found bogus processes/
        logins red-handed; fighting this incident resulted, among other
        things, in the packetman software).
        
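The two exposure points the replies above describe (the password field of a world-readable passwd map, and a /var/yp/securenets file that only helps if it is actually maintained) can both be checked from the administrator's side. The following is an added example, not code from the original thread or from any NIS implementation: it parses constructed `ypcat passwd` output and a constructed securenets file (both inline placeholders, not real data) and reports which accounts leak a crackable hash and whether a given client address would be admitted. The helper names `exposed_hashes`, `parse_securenets` and `client_allowed` are assumptions of this example.

```python
import ipaddress

# Constructed sample in the passwd(5) line format that `ypcat passwd` prints.
# The hash strings are made-up placeholders, not real credentials.
SAMPLE_YPCAT_PASSWD = """\
alice:$1$placeholder$notarealhash:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
svc:*:1003:100:Service:/nonexistent:/bin/false
carol:abPLACEHOLDR:1004:100:Carol:/home/carol:/bin/sh
"""

# Constructed /var/yp/securenets: one "netmask network" or "host address" per line.
SAMPLE_SECURENETS = """\
# allow one documentation subnet and the loopback host
255.255.255.0 192.0.2.0
host 127.0.0.1
"""

# Password-field values that are placeholders rather than hashes; "##name" is the
# passwd.adjunct marker, handled separately below.
LOCKED_MARKERS = {"x", "*", "!", "!!", "NP", "*LK*"}


def exposed_hashes(ypcat_output):
    """Return usernames whose map entry carries a real hash in the password field.

    Any such entry is readable by every user of the domain and can be fed to a
    cracker, which is the weakness the thread describes.
    """
    exposed = []
    for line in ypcat_output.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank or malformed line
        pw = fields[1]
        if pw and pw not in LOCKED_MARKERS and not pw.startswith("##"):
            exposed.append(fields[0])
    return exposed


def parse_securenets(text):
    """Parse securenets lines into ip_network objects; comments and blanks are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, addr = line.split()
        if mask == "host":
            nets.append(ipaddress.ip_network(addr))  # single host, /32
        else:
            # Dotted netmask plus network address, e.g. 255.255.255.0 192.0.2.0
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def client_allowed(client_ip, nets):
    """True if ypserv would answer this client under the given securenets entries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    print("accounts with readable hashes:", exposed_hashes(SAMPLE_YPCAT_PASSWD))
    nets = parse_securenets(SAMPLE_SECURENETS)
    for probe in ("192.0.2.77", "198.51.100.9", "127.0.0.1"):
        print(probe, "allowed" if client_allowed(probe, nets) else "denied")
```

On a live server the first function would be run over the real `ypcat passwd` output; an empty result means the map carries only placeholders (passwd.adjunct or shadow-style markers), which closes the `ypcat` leak but, as the replies note, does nothing about the unauthenticated transport or a faster imposter answering `ypmatch` first.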

ORIGINAL POSTING:

     Dear Managers,
     
     I have been looking in the archives and docs for NIS vs NIS+
     comparisons but didn't find one addressing the following specific
     questions.
     
     -When running NIS (not NIS+) password info is transferred between
    master-slave but the transfers move around scrambled passwords (shadow
    passwords) correct?
     - What vulnerabilities is exactly NIS open to? By reading the docs
    NIS+ is more secure, but to what type of attacks?
     
 

--------------------------------------------------
George Dimitoglou
SM&A, Space Sciences Division

SOHO ESA/NASA Project Scientist Team
Laboratory of Astronomy & Solar Physics
NASA Goddard Space Flight Center
Bldg. 26, G-1, Code 682.3
Greenbelt, MD 20771

george@esa.nascom.nasa.gov



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:33 CDT