Re: F36 Change: Drop NIS(+) support from PAM (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2021-10-28 at 10:41 -0400, Simo Sorce wrote:
> On Thu, 2021-10-28 at 10:28 -0400, Frank Ch. Eigler wrote:
> > Stephen John Smoogen <smooge@xxxxxxxxx> writes:
> > 
> > > Mainly because it is the authentication service equivalent of
> > > telnet**. Very simple to set up, very simple to use, and very
> > > easy to
> > > steal all the information about logins, users, and setups. [...]
> > 
> > ... well, compared to what?  LDAP commonly distributes crypttext
> > passwords and databases with about the same amount of discernment
> > and
> > theft-enablement as ypserv.  Plaintext as in telnet makes an
> > appearance
> > nowhere but with yppasswd, AFAIK, which is nonessential.
> 
> LDAP is normally deployed on a secure channel (TLS or GSSAPI), that
> the
> client can cryptographically check.
> 
> NIS is a clear text protocol that can be trivially MitMed to provide
> arbitrary information to the target system.
> 
> Also generally LDAP *does not* in fact distribute passwords, most
> systems use the LDAP Bind operation to test a password and the LDAP
> server does *not* provide access to password hashes.
> 
> 
> I thin k it is legitimate to question whether it is yet time to drop
> this obsolete protocol (NIS) on backwards compatibility grounds.
> But on security grounds it is indefensible, don't go there.

There's no question NIS has poor security, as bad a using a local
password plus shadow file anyway. People that use it must know
that. The valid use is company internal only, on systems whose
data is freely available to company personnel and where accounts
and groups info. isn't security critical.

It's been that way for many, many years ... it's no secret.

It's a pity NIS+ was such a pain to setup and use ... a bridge
to far IMHO ... 

Ian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux