On Thu, 2021-10-28 at 10:41 -0400, Simo Sorce wrote: > On Thu, 2021-10-28 at 10:28 -0400, Frank Ch. Eigler wrote: > > Stephen John Smoogen <smooge@xxxxxxxxx> writes: > > > > > Mainly because it is the authentication service equivalent of > > > telnet**. Very simple to set up, very simple to use, and very > > > easy to > > > steal all the information about logins, users, and setups. [...] > > > > ... well, compared to what? LDAP commonly distributes crypttext > > passwords and databases with about the same amount of discernment > > and > > theft-enablement as ypserv. Plaintext as in telnet makes an > > appearance > > nowhere but with yppasswd, AFAIK, which is nonessential. > > LDAP is normally deployed on a secure channel (TLS or GSSAPI), that > the > client can cryptographically check. > > NIS is a clear text protocol that can be trivially MitMed to provide > arbitrary information to the target system. > > Also generally LDAP *does not* in fact distribute passwords, most > systems use the LDAP Bind operation to test a password and the LDAP > server does *not* provide access to password hashes. > > > I thin k it is legitimate to question whether it is yet time to drop > this obsolete protocol (NIS) on backwards compatibility grounds. > But on security grounds it is indefensible, don't go there. There's no question NIS has poor security, as bad a using a local password plus shadow file anyway. People that use it must know that. The valid use is company internal only, on systems whose data is freely available to company personnel and where accounts and groups info. isn't security critical. It's been that way for many, many years ... it's no secret. It's a pity NIS+ was such a pain to setup and use ... a bridge to far IMHO ... Ian _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
