SUMMARY Re: NIS, NIS+

From: Andrew Raine <Andrew.Raine_at_mrc-dunn.cam.ac.uk>
Date: Tue, 26 Mar 2002 14:32:06 +0000

Dear Managers,

As usual I got a wealth of useful information! Thanks to all who
responded, including John Venier, Ken Kleiner, Lucio Chiappetti,
Shaukat Riaz, John Ferlan, Kenneth Atchinson, sysadmin (from Sweden),
Richard Westlake, Ian Mortimer, Robert Mulley, Jay Nash, Ryan
McConigley, Jesper Nemholt and Anthony Talltree (apologies if I have
missed anyone out).

I haven't decided quite how to approach my problem. I think I'll
probably avoid NIS, but whether to cook my own solution using rdist/ssh
or to try the Tru64 SSO Kit (or even a combination) I'll need a bit
more time to work out.

A summary of the responses follows: (my original question is at the end)

NIS+ is only available for Solaris, and might well be on the way out
even there.

NIS has all kinds of negative implications, most of which revolve
around not being able to use shadow passwords, and username/password
hashes being sent in clear across the local network. The tendency of
NIS clients to trust any old NIS server they see, and NIS servers to
accept updates from other rogue servers can be limited by careful
configuration. The standard portmapper was also fingered by one
respondent, who recommended Wietse Venema's replacement (from
porcupine.org).

Alternatives suggested were Samba, rdist over ssh, kerberos or LDAP, or
even: "The future is LDAP. LDAP+Kerberos+TLS/SSL and maybe SASL
combined" ... and "Another solution is the Single Sign-On kit (SSO)
which is a combined kit that adds LDAP+Kerberos+SSL/TLS support to
Tru64 v5.x and then a small Active Directory add-on to Windows 2000
that allow one to administrate Tru64 users from a Windows 2000 Active
Directory domain."

My favourite answer was: "Be afraid. Be very afraid. YP is evil.
Think about using rdist over ssh instead, though I don't know if the
Irix and RH formats are directly compatible."

Useful resources cited were:

NIS+: http://docs.sun.com

Various security and interoperability issues under Tru64 including LDAP
(via Internet Express Kit) and single-sign-on with Windows:
http://www.tru64unix.compaq.com/unix/security-internet.html

The O'Reilly NFS and NIS book: http://www.oreilly.com/catalog/nfs2/

The Tru64 Best-practice guides:
http://www.tru64unix.compaq.com/docs/best_practices

"Two of the IBM red-book series are also good for LDAP ideas."

My original question:

> Dear Managers,
>
> I'd like to coordinate the user/password databases of my
> mixed-architecture network (Tru64, IRIX, RedHat Linux), so I am
> considering NIS or NIS+
>
> However, I remember reading dire warnings about the lack of security of
> NIS, so I am trying to do some background research before going ahead.
>
> The Tru64 docs (that I have found so far) just explain how to get it up
> and running, but don't really mention security issues.
>
> The Linuxdoc NIS-HOWTO also explains how to get NIS or NIS+ running in
> a mixed environment, but again, doesn't discuss security.
>
> Can anyone point me to any basic documentation of the security aspects
> of NIS/NIS+? Do any of you have any opinions/suggestions about how I
> should go about setting up distributed user/authentication databases?
> (I'll bet some of you do!)
>
> Finally, assuming that this is all trivial (!) do any of you have any
> suggestions for coordinating user/authentication between Tru64 (or any
> other flavour of Unix) and a Windows2000 domain?

Andrew

--
Dr. Andrew Raine, Head of IT, MRC Dunn Human Nutrition Unit, 
Wellcome Trust/MRC Building, Hills Road, Cambridge, CB2 2XY, UK
phone: +44 (0)1223 252830   fax: +44 (0)1223 252835
web: www.mrc-dunn.cam.ac.uk email: Andrew.Raine_at_mrc-dunn.cam.ac.uk
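As an added illustration of the two NIS points made in the summary (password hashes served in clear by the passwd map, and servers that trust any client network), here is a small Python audit that is not part of the original post or its replies. It runs over constructed `ypcat passwd` output and a constructed securenets file; the `netmask network` / `host address` securenets layout is assumed, as the post itself names no configuration files.

```python
"""Audit the two NIS risks from the summary: real password hashes in the
passwd map (served to any client that can reach ypserv) and a securenets
file that admits every network. All sample data below is constructed."""
import ipaddress
import re

# A "real" hash: traditional 13-char DES crypt or a $id$salt$hash modular crypt.
_HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")
# Values that mean "no hash here" (shadowed, locked or disabled accounts).
_NO_HASH = {"", "x", "*", "!", "!!", "*NP*", "*LK*"}


def exposed_hashes(passwd_map: str) -> list:
    """Return users whose second field is a real hash, i.e. whose hash
    would be shipped in clear to anyone running `ypcat passwd`."""
    users = []
    for line in passwd_map.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # not a passwd(5) record, skip it
            continue
        user, pw = fields[0], fields[1]
        if pw not in _NO_HASH and _HASH_RE.match(pw):
            users.append(user)
    return users


def securenets_problems(securenets: str) -> list:
    """Flag securenets entries that admit every client (an all-zero
    netmask), plus lines that cannot be parsed at all."""
    problems = []
    for raw in securenets.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "host" and len(parts) == 2:
            continue                          # single-host entry is fine
        if len(parts) != 2:
            problems.append(f"unparseable: {line}")
            continue
        try:
            if ipaddress.IPv4Address(parts[0]) == ipaddress.IPv4Address("0.0.0.0"):
                problems.append(f"open to all networks: {line}")
        except ValueError:
            problems.append(f"unparseable: {line}")
    return problems


SAMPLE_MAP = "\n".join([   # constructed ypcat passwd output
    "root:x:0:0:root:/root:/bin/sh",
    "alice:$1$saltsalt$abcdefghijklmnopqrstuv:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:N3Xa1y0QhkLI2:1002:1002:Bob:/home/bob:/bin/sh",
    "nobody:*:65534:65534:nobody:/:/bin/false",
])
SAMPLE_SECURENETS = "# constructed\n255.255.255.0 192.168.10.0\nhost 127.0.0.1\n0.0.0.0 0.0.0.0\n"
```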
Received on Tue Mar 26 2002 - 14:42:22 NZST
