[CentOS] NIS failover

Ray Van Dolson rayvd at bludgeon.org
Thu Dec 17 19:54:07 UTC 2009


On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth at 5-cent.us wrote:
> > 
> > Not one you want to hear: ditch NIS. It's known to have a *lot* of
> > security holes. At the very least, NIS+. Better would be either RH
> 
> 	Out of curiousity, can you point me to writeups of known working
> 	exploits against current yp-family versions on CentOS?
> 
> 	NIS+ is not, the last time I checked, available for Linux; if
> 	my understanding is in error I would very much welcome
> 	correction.

I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well.
The authors noted the irony in NIS outliving that which was meant to
replace it. :)

Main weakness of NIS is that it's pretty easy to just sniff out
potentially valuable information over the wire.  But if you're on a
secure / internal network and have legacy clients to support often
times the reality is you'll need to use NIS.

At work, we still rely on NIS, but hope to integrate with AD at some
point -- however, we'll undoubtedly need some sort of NIS shim that can
talk to the LDAP backend to provide functionality to older, legacy Unix
clients... 

Ray


More information about the CentOS mailing list