Nicolas Kovacs
2018-Mar-26 08:07 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
Hi,

In the past I've set up simple centralized authentication with NIS and NFS, without bothering about possible security implications.

Over the next month I have to set up a new network in a local school, and I wonder if I should use NIS/NFS. I still have my own documentation, it's simple and somewhat bone-headed to set up, and it just works.

RHEL/CentOS 7 still provide NIS, and I vaguely wonder how exactly it is insecure. So I thought I'd simply ask on this list.

I know there's FreeIPA available. I gave it a spin some time ago on a local machine, but I think it's a bit overkill.

Anyone here who uses central authentication (CentOS server + CentOS clients)? Any suggestions?

Cheers,

Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
> Over the next month I have to set up a new network in a local school, and
> I wonder if I should use NIS/NFS. I still have my own documentation,
> it's simple and somewhat bone-headed to set up, and it just works.

In my opinion, there is a serious gap in this area. It's either NIS, simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management server at a complexity at least one order of magnitude beyond NIS.

There's also the option of using AD if such infrastructure exists. RH ID management has been completely dismissed by colleagues who know both it and AD, and favour the latter.
On Mon, Mar 26, 2018 at 9:07 PM, Nicolas Kovacs <info at microlinux.fr> wrote:
> Hi,
>
> In the past I've set up simple centralized authentication with NIS and
> NFS, without bothering about possible security implications.
>
> Over the next month I have to set up a new network in a local school, and
> I wonder if I should use NIS/NFS. I still have my own documentation,
> it's simple and somewhat bone-headed to set up, and it just works.
>
> RHEL/CentOS 7 still provide NIS, and I vaguely wonder how exactly it is
> insecure. So I thought I'd simply ask on this list.
>
> I know there's FreeIPA available. I gave it a spin some time ago on a
> local machine, but I think it's a bit overkill.
>

Hi, as to why it is insecure, the biggest reason is that it is trivial for a user to get sensitive information about other users, particularly things like password hashes, and with the compute power available today cracking a hash is not impractical. It also discourages some of the more standard practices today like user private groups.

It would still take a fair amount of work, but if you want something a little less than FreeIPA or integrating with AD, look into http://directory.fedoraproject.org/

> Anyone here who uses central authentication (CentOS server + CentOS
> clients)? Any suggestions?
>
> Cheers,
>
> Niki
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
rainer at ultra-secure.de
2018-Mar-26 08:57 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 2018-03-26 10:28, isdtor wrote:
>> Over the next month I have to set up a new network in a local school,
>> and
>> I wonder if I should use NIS/NFS. I still have my own documentation,
>> it's simple and somewhat bone-headed to set up, and it just works.
>
> In my opinion, there is a serious gap in this area. It's either NIS,
> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management
> server at a complexity at least one order of magnitude beyond NIS.
>
> There's also the option of using AD if such infrastructure exists. RH
> ID management has been completely dismissed by colleagues who know
> both it and AD, and favour the latter.

The issue is that the problem itself isn't simple to begin with. And so, the solutions have become quite complicated.

Windows makes it all work quite nicely, apparently - but it works best with Windows.

I recently came across this article: https://fy.blackhats.net.au/blog/html/2017/05/23/kerberos_why_the_world_moved_on.html

In W10/Server 2016, MSFT has added even more security to Kerberos to address the issues glanced at in the above article. Don't have a link for those, it was an article on paper. Not sure if RedHat is ever going to implement those.

I've got the same problem. We should unify authentication to our servers. The problem is that we, being an MSP, operate what I call a very "balkanized" environment. For security concerns, it was traditionally frowned upon to have a single authentication service. So each customer is on its own network and users are local.

I'm still looking into RedHat IPA - specifically for its ssh-key management and sudoers-file management capabilities - but I'm also considering running an internal CA and using certificates to authenticate (I'll have to read up on this). This is AFAIK the way people like Facebook or Netflix run their shops. Usually, if you're not Google, Amazon, Facebook or Netflix, it's also not a good idea to try to copy their "patterns" - but this might be an exception.
rainer at ultra-secure.de
2018-Mar-26 09:07 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 2018-03-26 10:46, Clint Dilks wrote:
> Hi, as to why it is insecure, the biggest reason is that it is trivial
> for
> a user to get sensitive information about other users. Particularly
> things
> like password hashes, and with the compute power available today
> cracking a
> hash is not impractical.

You don't even need to crack them yourself. If you have the hashes, you can just use rainbow tables available online, sometimes for a small fee.

Still relying on NIS is barely different from not having a password at all and just using a login. In both cases, you have to trust your users - it's no different.
Nicolas Kovacs
2018-Mar-26 09:43 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 26/03/2018 at 10:28, isdtor wrote:
> There's also the option of using AD if such infrastructure exists.

There are no Windows clients in the network, only CentOS 7.

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Nicolas Kovacs
2018-Mar-26 09:59 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 26/03/2018 at 10:28, isdtor wrote:
> In my opinion, there is a serious gap in this area. It's either NIS,
> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management
> server at a complexity at least one order of magnitude beyond NIS.

I gave FreeIPA a spin a while back. I installed it on a sandbox server, and from what I recall, it pulled in a tsunami of dependencies, and the first thing it wanted was to replace my Dnsmasq with BIND... so I didn't look much further.

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32