Chapter 11 - Encrypting UNIX client logins (NIS, NDS, etc.)


By Kurt Seifried, [email protected], Copyright Kurt Seifried



There are several protocols that UNIX systems can use to share user data and authenticate users remotely. By far the most popular method of sharing account information within a UNIX environment is NIS or NIS+, with NFS integrating nicely for file sharing. Another option (especially if your system supports PAM) is SMB authentication (i.e. what Microsoft uses with NT Server 4.0); tying in to an existing infrastructure, rather than building something new, can save cost and trouble. An emerging option is to authenticate via Novell Directory Services: NDS has been ported to Tru64, Linux, FreeBSD and a number of other platforms. Client side software used to be available for Linux (specifically Caldera and Red Hat), and I am not sure of client side software for other UNIX platforms.


Network Information Service (formerly known as Yellow Pages) provides account data (names, passwords, etc.) in a relatively convenient, but insecure, manner. The data is moved across the network in its native form, meaning usernames go across as clear text and the password hashes are sent without any additional protection. Anyone who can sniff the wire, or simply query the NIS server, gets the hashes, so if you use shadow passwords to protect them, using NIS negates that rather quickly. NIS+ adds a layer of security in the form of Secure RPC authentication based on DES (56-bit keys), which will stop casual attackers but not a determined one. NIS+ has traditionally been a pain to set up, however there has been much work on it in the last year or two (especially in the Linux camp), so installation and configuration is much easier than in the past. See also: Managing NFS and NIS.
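The following is an added example, not part of the original chapter, showing the check a practitioner would run to see what a NIS passwd map actually hands out. The sample map is constructed for this demonstration (the hashes are made-up values); in a real NIS domain you would feed the function the output of "ypcat passwd", which any host that can reach the NIS server can request.

```shell
# Added example: audit a NIS passwd map for exposed password hashes.
# Constructed sample of what "ypcat passwd" returns: one /etc/passwd-style
# entry per line; the second field is the password hash or a placeholder.
# These hash strings are made up for the demonstration.
SAMPLE_PASSWD_MAP='root:$1$kQ0zT8xJ$3qZ7bX1NfEo5rS2M4uLc9.:0:0:root:/root:/bin/sh
alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
daemon:*:2:2:daemon:/sbin:/sbin/nologin'

# nis_audit MAP: print "user:status" for each entry, where status is
#   exposed  - a real hash is in the map and so travels over the wire
#              (any client can collect it and crack it offline)
#   empty    - no password at all: anyone can log in as this account
#   shadowed - only a placeholder; the hash is not distributed by this map
nis_audit() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        $2 == ""                             { print $1 ":empty";    next }
        $2 == "x" || $2 == "*" || $2 ~ /^!/  { print $1 ":shadowed"; next }
                                             { print $1 ":exposed" }
    '
}

# nis_exposed_count MAP: number of accounts whose hash the map leaks.
nis_exposed_count() {
    nis_audit "$1" | awk -F: '$2 == "exposed" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
nis_audit "$SAMPLE_PASSWD_MAP"
echo "exposed hashes: $(nis_exposed_count "$SAMPLE_PASSWD_MAP")"
```

Run it as "nis_audit "$(ypcat passwd)"" on a NIS client. Any account reported as exposed is effectively unshadowed for the whole NIS domain, regardless of how /etc/shadow is protected on the master.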


Server Message Block (SMB) is the protocol Windows uses to move data around for authenticating users (among other things). The SMB PAM modules work with NT LanMan encrypted passwords; you would have to explicitly disable encrypted passwords when installing them, so please do not (granted, the encryption is not perfect, but it is much better than sending passwords in the clear). You can also get the modules in binary format for a variety of Linux systems.


NDS client support is available for Caldera Linux; the package is called "nwclient" (nwclient-xxx-xxx.i386.rpm for example). Novell supports several levels of signing of network (NCP) packets; please note that the higher the level, the more work each packet costs and the slower things will be. There are 4 levels of packet signatures:

Obviously the highest level of security is Level 3 (always sign) on every server and client, but this may seriously degrade network performance. For most networks, enabling Level 3 on the server and on sensitive clients (such as administrative machines) should be sufficient. Use MONITOR.NLM to go to "Server Parameters" and choose the NCP category. You can also set it at the console (or using rconsole, of course) with:


or to whichever level you desire.
