[CentOS] NIS or not?

Wed Jan 29 10:08:46 UTC 2014
Jeffrey Hass <xaccusa at gmail.com>

Hey Sorin,

I'm getting ready to catch a plane to Dubai but wanted to answer you 
real quick and short:
SSL for smaller networks in terms of authentication is fine and secure - 
as long as your infrastructure is secure.

I'm glad to hear you're using VMs more and more. It gives you a lot more 
control to manipulate, change and
recover from 'all kinds of errors' - tweaking .conf files, someone 
having 'root' or 'admin' on you
as you have to trust someone/sometime...

.. anyway, um, I'm hoping you consider the SSL implementation if you 
have to do something 'quick..'
if not, Kerberos will certainly help you from getting 'fired ..' it 
won't be the reason you do anyway..

About the previous post about IPA - you're hitting LDAP anyway (that is 
AD) and probably a few more out there
if you're somewhat of 'shop' with stuff everywhere......

IPA was hacked by a user group (exploit) in Seattle - and you get what 
'you don't pay for' sometimes.

Having said this, all these tools at the end of the day generally get 
the job done, the truth is 'what are you protecting..'
and from 'what..' usually determines the component and/or tool you'd 
want to entertain.

Once you have it in-house // and your name is on it.. // and it's in 
Production, really HARD to back out, in some
cases impossible.. Case in point:  TARGET was hacked by a 17-year-old 
punk with no date on a Friday night...
... and, well, they went from an 'openSource (which I FIRMLY believe 
in)' to a mix-bag implementation to include
Oracle and IBM SSO/IdM implementation .. They removed Kerberos out of 
the equation - mixed SSL with a non-REAL x.500
compliant LDAP, we can say it has the letters DA in it but you can 
'reverse' that and come up with a name...
....and then, so it goes, BAM! someone's inside.. You see, the problem 
here is many will jump in and recommend
a solution because 'they worked with it... and in most cases, IT IS all 
they know...'  You drive this car, you love it
more than all other cars but have yet to drive the other cars and see 
for yourself... Point is, mileage may vary and WILL
and I will say this in my last post here on this thread, I've been in 
court as a witness during DoD audits
and it was always, 'we went with a solution' that was proven and tried.. 
and recommended...
TRIED by who? Recommended by who?? Best practices?? Just a collective 
agreement by a bunch of
dweebs that say, yeah, that sounds right.

Message is:  For what you need Kerberos would work and should work. 
Enough documentation out there...
and such to help you... Also, YouTube, believe it or not has a lot of 
posts (many by myself but in my alter ego name, which are many)
even this name is not real, but as I was saying - a ton of info.

It's funny what qualifies as a guru as at one time there was no Google 
to get an answer and rattle a 'solution'
All my recommendations are actual dogfood I have eaten and I don't want to see 
the same thing
happen to others as this Security business is getting out of hand with 
all 'these experts' that truly
don't have the heart to do what you're doing and get it done right and 
to care enough to do that.

SSL is implemented on every WebApplication Server, product that is 
Internet based except UDP - good luck
with that... but having said that, you can surely -- do this with SSL 
and/or Kerberos.. Anything else, you're
going to pay for it.

Here's a snip and it comes down to your infrastructure, what you do for 
a business, who your audience is/what they do
once they do have access.. who wants your information, risk assessment 
is big here... and then there you go.

If you really wanted security.. you'd put another wrapper around this 
using an SSO tool, Access Manager -- and combine the Kerberos ticket
into the packet once the SSL header is created with the credentials and 
CERT it down the wire.
NO ONE IS GETTING IN, especially that 17-year-old with a runny nose that 
mom is paying for his college is trying
to do... Crazy world... Too bad we can meet these guys in person.. It 
would be a whole different world.

Sorry so long.. I post a few times a year to help those that are really 
burning the oil at night.

GOOD LUCK.

1. Kerberos SSL/TLS
2. LDAP has industrial strength protection built in if you hash the 
passwords/encrypt
3. Stay away from ANYTHING MICROSOFT security - Enter: Oxy-moronic
4. An openSource SSO tool built on JBoss or Tomcat

This is the real world right now..

And if anyone challenges, like the song says, it surely means they don't 
know: Carry on.......


Wizard of Hass


--

Real men write their own device drivers ~  A. Tuckett


On 1/29/2014 1:49 AM, Sorin Srbu wrote:
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of Jeffrey Hass
>> Sent: den 29 januari 2014 09:49
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Good call - not sure how far your coding goes and with what/how
>> languages and scripts...
>> Make sure to have as much as possible on VM's related to your security
>> 'servers' -- so that you also get a virtual built in Disaster recovery as
>> well.
> My Google Fu is usually okay. ;-)
>
> We've started offing physical servers in favour of virtual ones. So far mostly
> Windows servers, but I've started testing e.g.  Owncloud on a virtualized
> CentOS guest.  More Linux-machines are likely to be virtualized in due time.
> We (well, I actually...) decided on standardizing on Hyper-V as there was a
> really good P2V-tool available for migrating Windows servers. We had lots of
> them...
>
>
>> Note: I didn't catch it are you using the Microsoft's implementation of
>> Kerberos?
> We do have a Windows AD in place, it's the main IT here, but it's soon to be
> migrated to the central university IT-dept. One less thing to worry about...
> *nix was originally only a group-business at the dept., but over the years the
> Linux-ratio has upped considerably, what with backup-servers etc. running on
> Linux as well as us affording more machines for the original CADD-group.
>
>
>> There's a reason I ask, you said you need to do something,, sounds like
>> fairly quick, probably a good thing,
>> if nothing else get centralization = control! - more so -- than before ~
>> and so it goes, you will have encapsulated
>> tickets on steroids, to be sure.. but if you're the only person.. is
>> your shop that big that SSL wouldn't do the trick?
> SSL? How do you mean? Can you elaborate a bit?
>
> --
> //Sorin
>
>