[CentOS] How insecure is NIS ? Possible alternatives ?
rainer at ultra-secure.de
rainer at ultra-secure.de
Mon Mar 26 08:57:58 UTC 2018
Am 2018-03-26 10:28, schrieb isdtor:
>> Over the next month I have to setup a new network in a local school,
>> and
>> I wonder if I should use NIS/NFS. I still have my own documentation,
>> it's simple and somewhat bone-headed to setup, and it just works.
>
> In my opionion, there is a serious gap in this area. It's either NIS,
> simple, easy to setup yet insecure, or LDAP/FreeIPA/RH Id management
> server at a complexity at least one order of magnitude beyond NIS.
>
> There's also the option of using AD if such infrastructure exists. RH
> ID management has been completely dismissed by colleagues who know
> both it and AD, and favour the latter.
The issue is that the problem itself isn't simple to begin with.
And so, the solutions have become quite complicated. Windows makes it
all work quite nicely, apparently - but it works best with Windows.
I recently came across this article:
https://fy.blackhats.net.au/blog/html/2017/05/23/kerberos_why_the_world_moved_on.html
In W10/Server 2016, MSFT has added even more security to Kerberos to
address the issues glanced at the above article.
Don't have a link for those, it was an article on paper.
Not sure if RedHat is ever going to implement those.
I've got the same problem. We should unify authentication to our
servers. The problem is that we, being an MSP, operate what I call a
very "balkanized" environment.
For security-concerns, it was traditionally frowned upon to have a
single authentication service. So each customer is on its own network
and users are local.
I'm still looking into RedHat IPA - specifically for its ssh-key
management and sudoers-file management capabilities - but I'm also
considering running an internal CA and using certificates to
authenticate (I'll have to read-up on this). This is AFAIK the way
people like Facebook or Netflix run their shops.
Usually, if you're not Google, Amazon, Facebook or Netflix, it's also
not a good idea to try to copy their "patterns" - but this might be an
exception.
More information about the CentOS
mailing list