On 12/6/20 8:17 AM, Nicolas Kovacs wrote:
The main problem with NIS is that logins and passwords circulate in clear-text over the network.
That's not quite it. Passwords aren't sent over the network at all when a service or system processes a password in a NIS environment. Under NIS, member systems request password hashes (usually the "shadow" YP map) over a plain-text channel. But that's probably lower risk than the fact that the NIS server will hand those hashes out to anyone who can physically (or virtually, often) connect a system of their own to the networks that the NIS server trusts. The issue of plain-text transmission over the network is a security risk if the attacker controls the network and can examine network traffic. But that's usually harder to achieve than simply connecting a system of your own and requesting the data. So, the risk is simply that password hashes are published.
On the other hand, we should not that NIS can be used for user information in combination with a separate system for user authentication, such as Kerberos, and that configuration doesn't suffer most of the security risks of an all-NIS network.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos