Re: F36 Change: Drop NIS(+) support from PAM (System-Wide Change proposal)

On Fri, 29 Oct 2021 at 01:53, Ian Kent <raven@xxxxxxxxxx> wrote:
>
> On Thu, 2021-10-28 at 10:41 -0400, Simo Sorce wrote:
> > On Thu, 2021-10-28 at 10:28 -0400, Frank Ch. Eigler wrote:
> > > Stephen John Smoogen <smooge@xxxxxxxxx> writes:
> > >
> > > > Mainly because it is the authentication service equivalent of
> > > > telnet**. Very simple to set up, very simple to use, and very
> > > > easy to
> > > > steal all the information about logins, users, and setups. [...]
> > >
> > > ... well, compared to what?  LDAP commonly distributes crypttext
> > > passwords and databases with about the same amount of discernment
> > > and
> > > theft-enablement as ypserv.  Plaintext as in telnet makes an
> > > appearance
> > > nowhere but with yppasswd, AFAIK, which is nonessential.
> >
> > LDAP is normally deployed on a secure channel (TLS or GSSAPI), that
> > the
> > client can cryptographically check.
> >
> > NIS is a clear text protocol that can be trivially MitMed to provide
> > arbitrary information to the target system.
> >
> > Also generally LDAP *does not* in fact distribute passwords, most
> > systems use the LDAP Bind operation to test a password and the LDAP
> > server does *not* provide access to password hashes.
> >
> >
> > I think it is legitimate to question whether it is yet time to drop
> > this obsolete protocol (NIS) on backwards compatibility grounds.
> > But on security grounds it is indefensible, don't go there.
>
> There's no question NIS has poor security, as bad as using a local
> password plus shadow file anyway. People that use it must know

As bad as using a local password and shadow file with file permissions
of 0644 (or even 0666 depending on how badly it has been set up).

> that. The valid use is company internal only, on systems whose
> data is freely available to company personnel and where accounts
> and groups info. isn't security critical.
>

Company internal only is a rarity these days with cloud deployments
and people putting Alexas and similar devices on the company
internet. That 'smart fridge' in the company workroom or 'smart tv' in
the executive lounge is both an internal and external device. That
'smart speaker' someone stuck on the wireless to play their music is
just as likely to be able to send all that company data out as it is
able to get Conway Twitty into the workplace.
> It's been that way for many, many years ... it's no secret.
>
> It's a pity NIS+ was such a pain to setup and use ... a bridge
> too far IMHO ...
>
> Ian
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in
sci.astro.orion. I have seen SPAM filters overload because of Godwin's
Law. All those moments will be lost in time... like posts on a BBS...
time to shutdown -h now.
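As an added illustration, not part of the thread above: a small Python audit for the two conditions the discussion turns on, lookups still routed to NIS in nsswitch.conf, and an LDAP client configured without a channel it can cryptographically verify. The configuration contents are constructed samples; the file names and host are assumptions.

```python
from typing import List

# Constructed sample of an /etc/nsswitch.conf that still routes lookups to NIS.
SAMPLE_NSSWITCH = """\
passwd:   files nis
shadow:   files nis
group:    files sss
hosts:    files dns
"""

# Constructed sample of an OpenLDAP-style /etc/ldap.conf with weak transport settings.
SAMPLE_LDAP_CONF = """\
URI ldap://ldap.example.test
BASE dc=example,dc=test
TLS_REQCERT allow
"""

NIS_SOURCES = {"nis", "nisplus"}

def nis_databases(nsswitch_text: str) -> List[str]:
    """Return the nsswitch databases whose lookups may be answered by NIS."""
    hits = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if NIS_SOURCES & set(sources.split()):
            hits.append(db.strip())
    return hits

def ldap_transport_issues(ldap_conf_text: str) -> List[str]:
    """Flag ldap.conf settings that deny the client a channel it can verify."""
    uri, reqcert = "", "demand"   # 'demand' is the OpenLDAP default for TLS_REQCERT
    for line in ldap_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0].upper() == "URI":
            uri = parts[1]
        elif parts[0].upper() == "TLS_REQCERT":
            reqcert = parts[1].lower()
    issues = []
    if uri and not uri.lower().startswith("ldaps://"):
        issues.append("URI is not ldaps://; plain ldap:// is cleartext unless STARTTLS is forced")
    if reqcert in ("never", "allow"):
        issues.append(f"TLS_REQCERT {reqcert} lets the client accept an unverified server certificate")
    return issues
```

Run against the real files by reading them in place of the samples; an empty result from both functions is the state the thread argues for.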