The Unix Heritage Society mailing list
 help / color / mirror / Atom feed
From: "Mantas Mikulėnas" <grawity@gmail.com>
To: gtaylor@tnetconsulting.net
Cc: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
Date: Mon, 5 Nov 2018 09:24:24 +0200	[thread overview]
Message-ID: <CAPWNY8WqB0fO=a_sNq5NezO7xh3-c4iO3gyoFUZXk5e7=v179w@mail.gmail.com> (raw)
In-Reply-To: <c710dafc-9edc-cd29-3aeb-dc0fa6badeff@spamtrap.tnetconsulting.net>

On Mon, Nov 5, 2018 at 9:19 AM Grant Taylor via TUHS
<tuhs@minnie.tuhs.org> wrote:
>
> On 11/04/2018 08:16 PM, Robert Brockway wrote:
> > I used NIS a lot in the 90s and early 2000s.  I think it continues to be
> > underrated.  The main gripe people had was lack of security but if all
> > of the hosts were in the same security domain anyway it wouldn't matter.
>
> I'd like to hear more about the security issues.
>
> Did NIS(+) ever encrypt it's communications?  (I'm not counting things
> like IPsec transport.)
>
> I'm fairly certain that it was possible to enumerate the directory or
> otherwise scrape most (if not all) of it's contents.

There was `ypcat passwd`, wasn't there?

> > I did a lot of LDAP around 2007-2010.  I got quite good at writing
> > filters as we were using for a lot more than juse user auth.
>
> Ya.  The LDAP filters are why I tried to avoid just using LDAP against
> AD.  That and the fact that the Unix passwords were actually a separate
> field that could have different values from what the Windows systems used.

I would say that expecting to just pull password hashes from the
directory service – using it as nothing more than networked
/etc/shadow – is a bad approach to begin with. Let the client handle
authentication via Kerberos (or via whatever else is apropriate for
AD).

> > Most installations I'm seeing today auth to AD, which is of course now
> > supported.
>
> I'm curious what "supported" actually means.  I think there is
> preconfigured LDAP against AD templates, and things like Samba+Winbind.
> But all seem to be less native / seamless than NIS.


Could you elaborate on that?


> > In my experience LDAP is preferred in a pure *nix environment these
> > days. I've never played much with Kerberos.
>
> Does that mean that the authentication is also done across LDAP?  I hope
> that it's encrypted LDAP.


Standard TLS.

-- 
Mantas Mikulėnas

  reply	other threads:[~2018-11-05  8:50 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-04 20:51 Grant Taylor via TUHS
2018-11-04 21:46 ` Ben Greenfield via TUHS
2018-11-04 22:45 ` Arthur Krewat
2018-11-04 22:58 ` Mantas Mikulėnas
2018-11-04 23:49   ` Warner Losh
2018-11-05  3:16 ` Robert Brockway
2018-11-05  6:08   ` Grant Taylor via TUHS
2018-11-05  7:24     ` Mantas Mikulėnas [this message]
2018-11-05  7:33       ` Mantas Mikulėnas
2018-11-05 16:12       ` Arthur Krewat
2018-11-05 19:32         ` Grant Taylor via TUHS
2018-11-05 22:43           ` Arthur Krewat
2018-11-06  5:25             ` Grant Taylor via TUHS
2018-11-06 16:50               ` Arthur Krewat
2018-11-06 19:43                 ` Grant Taylor via TUHS
2018-11-05 19:27       ` Grant Taylor via TUHS
2018-11-05 19:36       ` Grant Taylor via TUHS
2018-11-05 21:36         ` Mantas Mikulėnas
2018-11-05 23:12           ` Grant Taylor via TUHS
2018-11-05 21:43         ` Ben Greenfield via TUHS
2018-11-06  4:58           ` Grant Taylor via TUHS
2018-11-06 12:59             ` Ben Greenfield via TUHS
2018-11-06  6:53           ` Mantas Mikulėnas
2018-11-06 13:21             ` Ben Greenfield via TUHS
2018-11-06 13:44               ` Mantas Mikulėnas
2018-11-06 14:00                 ` Ben Greenfield via TUHS
2018-11-06 13:46               ` Mantas Mikulėnas
2018-11-05 22:34         ` Dan Cross
2018-11-06  5:24           ` Grant Taylor via TUHS
2018-11-06  7:07             ` Mantas Mikulėnas
2018-11-06 17:30               ` Grant Taylor via TUHS
2018-11-06 19:58                 ` Mantas Mikulėnas
2018-11-06 22:24             ` Dan Cross
2018-11-07  0:35               ` Grant Taylor via TUHS
2018-11-07 11:37                 ` Pete Turnbull
2018-11-07 17:30                   ` Grant Taylor via TUHS
2018-11-07 22:01                     ` Dave Horsfall
2018-11-08  1:48                       ` Dave Horsfall
2018-11-07 23:00                     ` Pete Turnbull
2018-11-07  1:03             ` Pete Turnbull
2018-11-06 12:54           ` Ben Greenfield via TUHS
2018-11-05 20:10     ` Dave Horsfall
2018-11-05  3:49 ` Larry McVoy
2018-11-05  6:12   ` Grant Taylor via TUHS
2018-11-05 19:58     ` Dave Horsfall
2018-11-05 22:53       ` Grant Taylor via TUHS
2018-11-06  1:28         ` Dave Horsfall
2018-11-05 15:44   ` Larry McVoy
2018-11-05 18:38     ` arnold
2018-11-05 19:04       ` Larry McVoy
2018-11-05 21:21         ` Noel Hunt
2018-11-07  8:58         ` arnold
2018-11-07 14:05           ` arnold
2018-11-05 20:48 ` A. P. Garcia
2018-11-05 23:07   ` Grant Taylor via TUHS
2018-11-06  1:46     ` Dan Cross
2018-11-06  5:32       ` Grant Taylor via TUHS
2018-11-06 22:29         ` Dan Cross
2018-11-07  0:40           ` Grant Taylor via TUHS
2018-11-07  1:38           ` Arthur Krewat
2018-11-06  3:03     ` Robert Brockway
2018-11-06  5:03       ` David Arnold
2018-11-06  5:34       ` Grant Taylor via TUHS
2018-11-06 23:59 Norman Wilson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAPWNY8WqB0fO=a_sNq5NezO7xh3-c4iO3gyoFUZXk5e7=v179w@mail.gmail.com' \
    --to=grawity@gmail.com \
    --cc=gtaylor@tnetconsulting.net \
    --cc=tuhs@minnie.tuhs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).