On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote: > On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth at 5-cent.us wrote: > > > > Not one you want to hear: ditch NIS. It's known to have a *lot* of > > security holes. At the very least, NIS+. Better would be either RH > > Out of curiousity, can you point me to writeups of known working > exploits against current yp-family versions on CentOS? > > NIS+ is not, the last time I checked, available for Linux; if > my understanding is in error I would very much welcome > correction. I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well. The authors noted the irony in NIS outliving that which was meant to replace it. :) Main weakness of NIS is that it's pretty easy to just sniff out potentially valuable information over the wire. But if you're on a secure / internal network and have legacy clients to support often times the reality is you'll need to use NIS. At work, we still rely on NIS, but hope to integrate with AD at some point -- however, we'll undoubtedly need some sort of NIS shim that can talk to the LDAP backend to provide functionality to older, legacy Unix clients... Ray