Linux Network Administrators Guide, Chapter 13. The Network Information System

NIS Server Security
NIS used to have a major security flaw: it left your password file
readable by virtually anyone on the entire Internet, which made for
quite a number of possible intruders. As long as an intruder knew your
NIS domain name and the address of your server, he could simply send
it a request for the passwd.byname map and
instantly receive the password hashes of every account on your system.
With a fast password-cracking program like crack and a good
dictionary, guessing at least a few of your users' passwords is rarely
a problem.
This is what the securenets option is all
about. It simply restricts access to your NIS server to certain hosts,
based on their IP addresses or network numbers. Note that this is
filtering by source address only: any host inside a permitted network
can still fetch the complete map, and the request itself is neither
authenticated nor encrypted. The latest version of
ypserv implements this feature in two ways. The
first relies on a special configuration file called
/etc/ypserv.securenets and the second
conveniently uses the /etc/hosts.allow and
/etc/hosts.deny files we already encountered in
Chapter 12.[1]
Thus, to restrict access to hosts from within the Brewery, their
network manager would add the following line to
hosts.allow:

ypserv: 172.16.2.

This would let all hosts from IP network 172.16.2.0 access the NIS
server. The trailing dot matters: it makes the pattern an address
prefix, so it matches 172.16.2.x but not, say, 172.16.20.x. To
shut out all other hosts, a corresponding entry in
hosts.deny would have to read:
ypserv: ALL

IP numbers are not the only way you can specify hosts or networks in
hosts.allow and hosts.deny. Please
refer to the hosts_access(5) manual page on your system
for details. However, be warned that you cannot use host
or domain names for the ypserv entry.
If you specify a hostname, the server tries to resolve it; if host
lookups on the server go through NIS, the resolver in turn queries
ypserv, and you fall into an endless loop.
To configure securenets security
using the /etc/ypserv.securenets method, you need
to create its configuration file, /etc/ypserv.securenets.
This configuration file is simple
in structure. Each line describes a host or network of hosts that will be
allowed access to the server. Any address not described by an entry in this
file will be refused access. A line beginning with a # is
treated as a comment. Example 13-1 shows what a simple /etc/ypserv.securenets
would look like:

Example 13-1. Sample ypserv.securenets File

# allow connections from local host -- necessary
host 127.0.0.1
# same as 255.255.255.255 127.0.0.1
#
# allow connections from any host on the Virtual Brewery network
255.255.255.0 172.16.1.0
#

The first entry on each line is the netmask to use for the entry, with
host being treated as a special
keyword meaning “netmask 255.255.255.255.” The second entry
on each line is the IP address to which to apply the netmask. A client
is admitted when its address, masked with the netmask, equals the
entry's address masked the same way. Because the file lists only
permitted addresses, there is no counterpart to hosts.deny: anything
that matches no line is refused.

A third option is to use the secure portmapper instead of the
securenets option in
ypserv. The secure portmapper
(portmap-5.0) uses the hosts.allow scheme as well, but
offers this for all RPC servers, not just ypserv.[2]
Bear in mind that the portmapper only mediates the port lookup; a
client that already knows the port ypserv is listening on can contact
it directly, so this check is no substitute for packet filtering.
However, you should not use both the securenets option and the secure
portmapper at the same time, because of the overhead this
authorization incurs.

Notes

[1] To enable use of the /etc/hosts.allow method, you may
have to recompile the server. Please read the instructions in the
README included in the distribution.

[2] The secure portmapper is available via anonymous FTP from
ftp.win.tue.nl below the
/pub/security/ directory.
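As an added example (not code from the Network Administrators Guide or from ypserv itself), the following Python script models the two access decisions described in this section: the hosts_access(5) lookup behind the hosts.allow/hosts.deny method, and the netmask test applied to each line of /etc/ypserv.securenets. The sample file contents are constructed inline from the entries shown above; the function names hosts_access_allows and securenets_allows are invented for the example, and only the client patterns that make sense for an IP address (ALL, a trailing-dot address prefix, and net/mask) are handled, so a hostname pattern never matches.

```python
import ipaddress

# Constructed sample configuration files, mirroring the entries in the text.
HOSTS_ALLOW = "ypserv: 172.16.2.\n"
HOSTS_DENY = "ypserv: ALL\n"
SECURENETS = """\
# allow connections from local host -- necessary
host 127.0.0.1
#
# allow connections from any host on the Virtual Brewery network
255.255.255.0 172.16.1.0
"""


def _parse_hosts_access(text):
    """Yield (daemons, clients) lists from hosts.allow / hosts.deny text.

    Only the plain 'daemon_list : client_list' form is handled; the EXCEPT
    operator and shell commands from hosts_access(5) are left out.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield (daemons.replace(",", " ").split(),
               clients.replace(",", " ").split())


def _client_matches(pattern, client_ip):
    """hosts_access(5) client patterns usable with an IP address.

    'ALL' matches everything; a pattern ending in '.' is a textual address
    prefix, so '172.16.2.' matches 172.16.2.x but not 172.16.20.x; 'net/mask'
    is an explicit network.  Hostnames and domain suffixes never match here,
    since the text explains they must not be used for ypserv.
    """
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
        return ipaddress.IPv4Address(client_ip) in network
    return False


def hosts_access_allows(daemon, client_ip, allow_text, deny_text):
    """hosts_access(5) decision order: a match in the allow file grants,
    otherwise a match in the deny file refuses, otherwise access is granted."""
    def matches(text):
        return any(
            (daemon in daemons or "ALL" in daemons)
            and any(_client_matches(p, client_ip) for p in clients)
            for daemons, clients in _parse_hosts_access(text)
        )
    if matches(allow_text):
        return True
    if matches(deny_text):
        return False
    return True


def securenets_allows(client_ip, securenets_text):
    """A client passes /etc/ypserv.securenets when some line satisfies
    (client & netmask) == (address & netmask); 'host' means 255.255.255.255.
    Lines starting with '#' are comments; nothing matching means refusal."""
    client = int(ipaddress.IPv4Address(client_ip))
    for raw in securenets_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            continue  # malformed line: ignore it rather than grant access
        mask_field, addr_field = fields
        mask = (0xFFFFFFFF if mask_field == "host"
                else int(ipaddress.IPv4Address(mask_field)))
        addr = int(ipaddress.IPv4Address(addr_field))
        if (client & mask) == (addr & mask):
            return True
    return False


if __name__ == "__main__":
    for ip in ("172.16.2.7", "172.16.20.7", "10.0.0.1"):
        print(ip, "hosts_access:",
              hosts_access_allows("ypserv", ip, HOSTS_ALLOW, HOSTS_DENY))
    for ip in ("127.0.0.1", "172.16.1.200", "172.16.2.5"):
        print(ip, "securenets:", securenets_allows(ip, SECURENETS))
```

Two details worth noticing when running it: hosts_access compares the address as text, which is why the trailing dot in 172.16.2. keeps 172.16.20.7 out, and the hosts.deny entry only names ypserv, so other daemons are unaffected by it. Also, the two examples in the text use different networks (172.16.2. in hosts.allow, 172.16.1.0 in ypserv.securenets), so a 172.16.2.x client admitted by the first file is refused by the second.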