We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
Any advice?
-Jason
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
Any advice?
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security.
mark
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?
NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction.
John
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?
NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction.
I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well. The authors noted the irony in NIS outliving that which was meant to replace it. :)
Main weakness of NIS is that it's pretty easy to just sniff out potentially valuable information over the wire. But if you're on a secure / internal network and have legacy clients to support often times the reality is you'll need to use NIS.
At work, we still rely on NIS, but hope to integrate with AD at some point -- however, we'll undoubtedly need some sort of NIS shim that can talk to the LDAP backend to provide functionality to older, legacy Unix clients...
Ray
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?
The problem isn't an exploit of the specific tools; the whole mechanism is insecure, unless you use secureRPC everywhere.
For example, there's no verification that the server you are bound to is, indeed, a valid server for the network and not a rogue sending out bad data. (Opens you to many MITM attacks).
Exposure of passwords? Well, the crypt string, anyway. If you're not using md5 password encryption everywhere then you've opened yourself to simple brute-force attacks on your network.
No validation that client machines are authorized to see the data (I plug a machine into your network and can grab all the data from NIS, to hack against in my own time... and forget about the pseudo 'shadow' map in that case!)
And so on.
After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit.
Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems.
Peter
On Thu, Dec 17, 2009 at 11:50 AM, John R. Dennison jrd@gerdesas.com wrote:
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS? NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction. John-- We cannot do everything at once, but we can do something at once.
-- Calvin Coolidge (1872-1933), 30th president of the United States
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Fri, 18 Dec 2009, Peter Serwe wrote:
After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit.
Agreed.
Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems.
Astonishing.
-s
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the Solaris training courses barely mentioned NIS and had 2 or 3 chapters on NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+ at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+.
directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security.
The problem with LDAP is that it's a lot slower than NIS, and nscd is essential in order to get even minimally adequate performance. Unfortunately. I say "unfortunately" because in many respects LDAP is superior to NIS (especially with respect to security). Just not needing crypt strings is a big win. I use it at work, but very carefully :-)
NIS is insecure, but it has a massive advantage of being fast and (normally) "just works". Evaluate the security in your environment and determine if the risk is acceptable.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jason Pyeron Sent: Thursday, December 17, 2009 14:37 To: 'CentOS mailing list' Subject: [CentOS] NIS failover
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508
4845 using
ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
Any advice?
So, avoiding the security flamewars...
It seems that it behaves slightly different than I indicated before.
Snippet of the strace for # ypcat passwd ... mprotect(0x2a9566a000, 4096, PROT_READ) = 0 arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0 munmap(0x2a9556c000, 33321) = 0 brk(0) = 0x503000 brk(0x524000) = 0x524000 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0 mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000 close(3) = 0 uname({sys="Linux", node="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ...}) = 0 open("/var/yp/nicknames", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000 read(3, "passwd\t\tpasswd.byname\ngroup\t\tgro"..., 4096) = 185 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2a98807000, 4096) = 0 open("/var/yp/binding/XXXXXXXXXXXXXXXXXXX.2", O_RDONLY) = 3 pread(3, "\1\0\0\0\300\250\1"\2\315\0\0", 12, 2) = 12 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4 getpid() = 13062 bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 ioctl(4, FIONBIO, [1]) = 0 setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 close(3) = 0 close(4) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out) close(3) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>
Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
Jason Pyeron wrote:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jason Pyeron Sent: Thursday, December 17, 2009 14:37 To: 'CentOS mailing list' Subject: [CentOS] NIS failover
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508
4845 using
ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
Any advice?
So, avoiding the security flamewars...
It seems that it behaves slightly different than I indicated before.
Snippet of the strace for # ypcat passwd ... mprotect(0x2a9566a000, 4096, PROT_READ) = 0 arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0 munmap(0x2a9556c000, 33321) = 0 brk(0) = 0x503000 brk(0x524000) = 0x524000 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0 mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000 close(3) = 0 uname({sys="Linux", node="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ...}) = 0 open("/var/yp/nicknames", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000 read(3, "passwd\t\tpasswd.byname\ngroup\t\tgro"..., 4096) = 185 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2a98807000, 4096) = 0 open("/var/yp/binding/XXXXXXXXXXXXXXXXXXX.2", O_RDONLY) = 3 pread(3, "\1\0\0\0\300\250\1"\2\315\0\0", 12, 2) = 12 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4 getpid() = 13062 bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 ioctl(4, FIONBIO, [1]) = 0 setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 close(3) = 0 close(4) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out) close(3) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>
Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds.
--
-- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
How is your /etc/yp.conf defined. NIS failover works flawlessly here if we have /etc/yp.conf like ypserver nis2 ypserver nis
But have had problems if we use broadcast. :)
On Fri, Dec 18, 2009 at 09:51:24AM +1300, Clint Dilks wrote:
How is your /etc/yp.conf defined. NIS failover works flawlessly here if we have /etc/yp.conf like ypserver nis2 ypserver nis
You also need to ensure you can resolve "nis" and "nis2" without using NIS, so you may also need to them into /etc/hosts and ensure nsswitch.conf hosts entry begins with "files".
Jason Pyeron wrote:
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
We've been using NIS like this for years - failover works just fine. In fact that is one of things I like about NIS, failover is built in and works with virtually no extra set up ...
What do you have in your /etc/yp.conf ?
James Pearson
On Thu, Dec 17, 2009 at 11:37 AM, Jason Pyeron jpyeron@pdinc.us wrote:
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed.
It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.
It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
Any advice?
Are you broadcasting for the a NIS sever?
Probably should post your /etc/yp.conf file.
-
Agile Aspect -
Clint Dilks -
Drew -
James Pearson -
Jason Pyeron -
John R. Dennison -
m.roth@5-cent.us -
Peter Serwe -
Ray Van Dolson -
Stephen Harris -
Steve Thompson