Securing NIS (formerly YP)

_Image_ _Image_

The following is a brief compendium of what we at Auburn Univeristy College of Engineering use to secure our NIS networks. We had a mix of about 65% NIS, 35% NIS+ network before dropping NIS+ due to reliability problems and setting all machines to use NIS. The following is our implementation of securing NIS using various vendor patches and free utilities from around the world.

NIS has a reputation of being extremely insecure. If you implement these steps it will lose most if not all of the reasons for this, and you will retain all the administrative advantages of NIS without the security risks. We use NIS on SunOS4 and on Solaris 2.X machines and are a predominantly Sun shop. All other machines may have slightly different results and implementations. Hopefully others will find this useful, though. Here's a list of reasons why you should follow these steps.

  1. People can grab your password map (ypx) from any machine in the world and crack on it remotely using tools such as crack .
  2. It disables several of the holes found by Satan and others.
  3. Local people can use ypcat to grab all the encrypted passwords and crack on them.
  4. Remote people can grab any map in your NIS domain. Some of these may have confidential information. (ypx)



Related Documents