From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: tuhs-bounces@minnie.tuhs.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id e336b9f9 for ; Mon, 5 Nov 2018 08:50:39 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 3EF5DA23FF; Mon, 5 Nov 2018 18:50:38 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 8F752A1FBC; Mon, 5 Nov 2018 18:50:08 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id E599AA21FD; Mon, 5 Nov 2018 17:24:41 +1000 (AEST) Received: from mail-ot1-f47.google.com (mail-ot1-f47.google.com [209.85.210.47]) by minnie.tuhs.org (Postfix) with ESMTPS id 8E664A1FBC for ; Mon, 5 Nov 2018 17:24:36 +1000 (AEST) Received: by mail-ot1-f47.google.com with SMTP id t5so3443648otk.1 for ; Sun, 04 Nov 2018 23:24:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=JOwRzKp7CcfplHq0DJnCV4U+qPJ4nnACbfLVMcq9hLk=; b=QH7/8BauqLkvqcKqH7rIHxXJdVu7kWSeJyTt0m63JKmMAJAvEvfba95OoZxkEO8Yja NUxdF5rdevFguGLvTkp3cxcrJizu+PbqJNJiWKJgP1T6Rsp7o0hdD74nSbFR5MkgUkYQ 9Kgi2TYcv7NukQH3EeS8x46Pht32p4+iD5yyoF6bA5Qg9BcKWkdk8DzpOiJzs7oWp5yE xj1OCRzXPFNlJNOOQnrfZEKE0lz4VuGZ/NuOLaq6f+02+FmY7OV0ObyArCn0g+a0MLNH aCUQQLxMcwklWLzejGT7niVLyMt+UjcoQMgprp5kEpslk6/k8jXClHFHbveMafPCUger I5IQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=JOwRzKp7CcfplHq0DJnCV4U+qPJ4nnACbfLVMcq9hLk=; b=eL5dAaRBNk83wDT7tXPIY9gIdCINzpTOpZ5vFRZlaemJjuVxgu+qMkrUE+Zu3EpJIS CaWPXBF4roNS4oCn0YW7opmu3aXMQrT9N3sQGIcv+7B2t44DJ9a4K58pwy/quVXFBTH8 XdzRslgTkVVfiby7nHi829LDVlWq9C+DBjMFIlu4k4Gvqq1huuz2NKjSkNNLEdKUWEvI zbtkRDIF+GE6PTOO9dNhW75VJIBO/Afsyx1Sw9kjibvykD2EFO8e7BV/IKcT2ssPfFfM vp6yAM9JJDtKveMuuCeuP1rD2azNqPS4+FiVKdYZS5rDjR0/PzeSbfuIWmFNl3B+OB1a mJ4w== X-Gm-Message-State: AGRZ1gIEtK8iANCq4JfVUNXQn4KDMAh0DJM5M38Vnh9cZgbGa/wdFcRz s7XLzmPr3ga+szofJAchs7wIx9iTFuUc3ll2K8gaeA== X-Google-Smtp-Source: AJdET5dUarlt5KaNpS4h2lfNSUElS4huG7kx88P+M2RtZ31iP1CKVXfgjPrXyP2sxd1AQhDWqrgDt5DqsGaSAF2trKU= X-Received: by 2002:a9d:6315:: with SMTP id q21mr13631884otk.174.1541402675702; Sun, 04 Nov 2018 23:24:35 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: =?UTF-8?Q?Mantas_Mikul=C4=97nas?= Date: Mon, 5 Nov 2018 09:24:24 +0200 Message-ID: To: gtaylor@tnetconsulting.net Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: tuhs@minnie.tuhs.org Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" On Mon, Nov 5, 2018 at 9:19 AM Grant Taylor via TUHS wrote: > > On 11/04/2018 08:16 PM, Robert Brockway wrote: > > I used NIS a lot in the 90s and early 2000s. I think it continues to b= e > > underrated. The main gripe people had was lack of security but if all > > of the hosts were in the same security domain anyway it wouldn't matter= . > > I'd like to hear more about the security issues. > > Did NIS(+) ever encrypt it's communications? (I'm not counting things > like IPsec transport.) > > I'm fairly certain that it was possible to enumerate the directory or > otherwise scrape most (if not all) of it's contents. There was `ypcat passwd`, wasn't there? > > I did a lot of LDAP around 2007-2010. I got quite good at writing > > filters as we were using for a lot more than juse user auth. > > Ya. The LDAP filters are why I tried to avoid just using LDAP against > AD. That and the fact that the Unix passwords were actually a separate > field that could have different values from what the Windows systems used= . I would say that expecting to just pull password hashes from the directory service =E2=80=93 using it as nothing more than networked /etc/shadow =E2=80=93 is a bad approach to begin with. Let the client handl= e authentication via Kerberos (or via whatever else is apropriate for AD). > > Most installations I'm seeing today auth to AD, which is of course now > > supported. > > I'm curious what "supported" actually means. I think there is > preconfigured LDAP against AD templates, and things like Samba+Winbind. > But all seem to be less native / seamless than NIS. Could you elaborate on that? > > In my experience LDAP is preferred in a pure *nix environment these > > days. I've never played much with Kerberos. > > Does that mean that the authentication is also done across LDAP? I hope > that it's encrypted LDAP. Standard TLS. --=20 Mantas Mikul=C4=97nas