Re: NIS failover




On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@xxxxxxxxx wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product.  Even Sun gave up pushing it.  (Funny; in 1995 the
Solaris training courses barely mentioned NIS and had 2 or 3 chapters on
NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+
at all, and had 2 or 3 chapters on LDAP).  Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is,
> IMO, NOT ready for prime time, but is built for security.

The problem with LDAP is that it's a lot slower than NIS, and nscd
is essential in order to get even minimally adequate performance.
Unfortunately.  I say "unfortunately" because in many respects LDAP is
superior to NIS (especially with respect to security).  Just not needing
crypt strings is a big win.  I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and
(normally) "just works".  Evaluate the security in your environment and
determine if the risk is acceptable.

-- 

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
