[CentOS] Setting up NIS on Centos 8

Sun Dec 6 20:01:17 UTC 2020
Gordon Messmer <gordon.messmer at gmail.com>

On 12/6/20 8:17 AM, Nicolas Kovacs wrote:
> The main problem with NIS is that logins and passwords circulate in clear-text
> over the network.


That's not quite it.  Passwords aren't sent over the network at all when 
a service or system processes a password in a NIS environment.  Under 
NIS, member systems request password hashes (usually the "shadow" YP 
map) over a plain-text channel.  But that's probably lower risk than the 
fact that the NIS server will hand those hashes out to anyone who can 
physically (or virtually, often) connect a system of their own to the 
networks that the NIS server trusts.  The issue of plain-text 
transmission over the network is a security risk if the attacker 
controls the network and can examine network traffic.  But that's 
usually harder to achieve than simply connecting a system of your own 
and requesting the data.  So, the risk is simply that password hashes 
are published.

On the other hand, we should not that NIS can be used for user 
information in combination with a separate system for user 
authentication, such as Kerberos, and that configuration doesn't suffer 
most of the security risks of an all-NIS network.