Log in

No account? Create an account

NIS insecurity

« previous entry | next entry »
May. 22nd, 2003 | 10:50 pm

I'd heard that NIS was insecure, so I decided to see what I could do. (for those that don't know NIS is a common method of distributing login information to Unix clusters). And after this experiment, I'm trying to figure out how to use LDAP protected by TLS for my servers.

I tested hacking NIS from my laptop
$ sudo apt-get install nis
$ sudo vi yp.conf
add "ypdomain" (AKA the NIS server's IP Address)
$ sudo vi defaultdomain
add "nisdomain"
(I knew I had limited access to the NIS server to just the subnet, so I made sure to be on the same network)
$ sudo ypbind -d
parsing config file
Trying entry: ypserver
parsed ypserver
add_server() domain: nisdomain, host:, nobroadcast, slot: 0
[Welcome to ypbind-mt, version 1.8]

ping host '', domain 'nisdomain'
Answer for domain 'nisdomain' from server ''
Pinging all active server.

$ ypmatch diane shadow
Can't match key diane in map shadow. Reason: No such map in server's domain
$ ypmatch diane passwd.byname
diane:x:1000:1000:Diane Trout:/home/diane:/bin/bash
$ sudo ypmatch diane shadow.byname

Needless to say, the crypted password is a bogus string and the domain name and IP addresses have been changed to protect the innocent.

Though one coworker did suggest a solution, explicitly put the IP addresses of all the machines that should have access in the ypserv.securenets file.

That did work, though if an "evildoer" can steal one of my IP addresses they can still get the crypted passwords.

Link | Leave a comment |

Comments {0}