By Kurt Seifried [email protected]
There are a variety of methods to share authentication data between systems. This is an increasingly common task as networks become more distributed, access points more numerous, and users scatter away from the traditional corporate LAN.
NIS and NIS+ (formally known as yellow pages) stands for Network Information Service. Essentially NIS and NIS+ provide a means to distribute password files, group files, and other configuration files across many machines, providing account and password synchronization (among other services). NIS+ is essentially NIS with several enhancements (mostly security related), otherwise they are very similar.
To use NIS you set up a master NIS server that will contain the records and allow them to be changed (add users, etc), this server can distribute the records to slave NIS machines that contain a read only copy of the records (but they can be promoted to master and set read/write if something bad happens). Clients of the NIS network essentially request portions of the information and copy it directly into their configuration files (such as /etc/passwd), thus making them accessible locally. Using NIS you can provide several thousand workstations and servers with identical sets of usernames, user information, passwords and the like, significantly reducing administration nightmares.
However this is part of the problem: in sharing this information you make it accessible to attackers. NIS+ attempts to resolve this issue however, but NIS+ is an utter nightmare to set up. NIS+ uses secure RPC, which can make use of single DES encryption (which I personally feel is to weak to even bother with). I would not recommend relying on the single DES encryption of secure RPC to secure your NIS data.
An alternative strategy would be to use some sort of VPN (like FreeS/WAN, which seems to solve a lot of problems) and encrypt the data before it gets onto the network. There is an NIS / NIS+ HOWTO at: http://www.linuxdoc.org/HOWTO/NIS-HOWTO/ , and OReilly has an excellent book on the subject, "Managing NFS and NIS". NIS / NIS+ runs over RPC which uses port 111, both tcp and udp. This should definitely be blocked at your network border, but will not totally protect NIS / NIS+. Because NIS and NIS+ are RPC based services they tend to use higher port numbers (i.e. above 1024) in a somewhat random fashion, making firewalling of it rather difficult. The best solutions is to place your NIS server(s) on an internal network that is blocked completely from talking to the Internet, inbound and outbound. There is also an excellent paper on securing NIS available from: http://www.eng.auburn.edu/users/doug/nis.html.
ipfwadm -I -a accept -P udp -S 10.0.0.0/8 -D 0.0.0.0/0 111
ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0.0.0/0 111
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 111
or
ipchains -A input -p udp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0
111
ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d
0.0.0.0/0 111
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 111
Kerberos is a modern network authentication system based on the idea of handing a user a ticket once they have authenticated to the Kerberos server (similar to NTs use of tokens). Kerberos is available from: http://web.mit.edu/kerberos/www/. The Kerberos FAQ is available at: http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. Kerberos is appropriate for large installations as it scales better and is more secure then NIS / NIS+. Kerberizing programs such as telnet, imap and pop can be achieved with some effort, Windows clients with Kerberos support are harder to find however.
Radius is a commonly used protocol to authenticate dial-in users, and other types of network access. Many radius servers are available, check freshmeat.
http://members.iinet.net.au/~michael/radius.html
Last updated on 1/9/2001
Copyright Kurt Seifried 2001 [email protected]