On Fri, 29 Oct 2021 at 01:53, Ian Kent <raven(a)themaw.net> wrote:
On Thu, 2021-10-28 at 10:41 -0400, Simo Sorce wrote:
> On Thu, 2021-10-28 at 10:28 -0400, Frank Ch. Eigler wrote:
> > Stephen John Smoogen <smooge(a)gmail.com> writes:
> > > Mainly because it is the authentication service equivalent of
> > > telnet**. Very simple to set up, very simple to use, and very
> > > easy to
> > > steal all the information about logins, users, and setups. [...]
> > ... well, compared to what? LDAP commonly distributes crypttext
> > passwords and databases with about the same amount of discernment
> > and
> > theft-enablement as ypserv. Plaintext as in telnet makes an
> > appearance
> > nowhere but with yppasswd, AFAIK, which is nonessential.
> LDAP is normally deployed on a secure channel (TLS or GSSAPI), that
> client can cryptographically check.
> NIS is a clear text protocol that can be trivially MitMed to provide
> arbitrary information to the target system.
> Also generally LDAP *does not* in fact distribute passwords, most
> systems use the LDAP Bind operation to test a password and the LDAP
> server does *not* provide access to password hashes.
> I thin k it is legitimate to question whether it is yet time to drop
> this obsolete protocol (NIS) on backwards compatibility grounds.
> But on security grounds it is indefensible, don't go there.
There's no question NIS has poor security, as bad a using a local
password plus shadow file anyway. People that use it must know
As bad as using a local password and shadow file with file permissions
of 0644 (or even 0666 depending on how badly it has been set up).
that. The valid use is company internal only, on systems whose
data is freely available to company personnel and where accounts
and groups info. isn't security critical.
Company internal only is a rarity these days with cloud deployments
and people putting Alexa's and similar devices on the company
internet. That 'smart fridge' in the company workroom or 'smart tv' in
the executive lounge is both an internal and external device. That
'smart speaker' someone stuck on the wireless to play their music is
just as likely to be able to send all that company data out as it is
able to get Conway Twitty into the workplace.
It's been that way for many, many years ... it's no secret.
It's a pity NIS+ was such a pain to setup and use ... a bridge
to far IMHO ...
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in
sci.astro.orion. I have seen SPAM filters overload because of Godwin's
Law. All those moments will be lost in time... like posts on a BBS...
time to shutdown -h now.