Re: [CentOS] NIS failover
After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit. Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems. Peter On Thu, Dec 17, 2009 at 11:50 AM, John R. Dennison j...@gerdesas.com wrote: On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote: Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS? NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction. John -- We cannot do everything at once, but we can do something at once. -- Calvin Coolidge (1872-1933), 30th president of the United States ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Peter Serwe http://truthlightway.blogspot.com/ ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Fri, 18 Dec 2009, Peter Serwe wrote: After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit. Agreed. Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems. Astonishing. -s ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems. {{citation needed}} :-) -- Drew Nothing in life is to be feared. It is only to be understood. --Marie Curie ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] NIS failover
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192 Any advice? -Jason -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192 Any advice? Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote: Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS? NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction. John -- We cannot do everything at once, but we can do something at once. -- Calvin Coolidge (1872-1933), 30th president of the United States pgpoTba4YQaYF.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote: On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote: Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS? NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction. I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well. The authors noted the irony in NIS outliving that which was meant to replace it. :) Main weakness of NIS is that it's pretty easy to just sniff out potentially valuable information over the wire. But if you're on a secure / internal network and have legacy clients to support often times the reality is you'll need to use NIS. At work, we still rely on NIS, but hope to integrate with AD at some point -- however, we'll undoubtedly need some sort of NIS shim that can talk to the LDAP backend to provide functionality to older, legacy Unix clients... Ray ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote: Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the Solaris training courses barely mentioned NIS and had 2 or 3 chapters on NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+ at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+. directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security. The problem with LDAP is that it's a lot slower than NIS, and nscd is essential in order to get even minimally adequate performance. Unfortunately. I say unfortunately because in many respects LDAP is superior to NIS (especially with respect to security). Just not needing crypt strings is a big win. I use it at work, but very carefully :-) NIS is insecure, but it has a massive advantage of being fast and (normally) just works. Evaluate the security in your environment and determine if the risk is acceptable. -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote: Out of curiousity, can you point me to writeups of known working exploits against current yp-family versions on CentOS? The problem isn't an exploit of the specific tools; the whole mechanism is insecure, unless you use secureRPC everywhere. For example, there's no verification that the server you are bound to is, indeed, a valid server for the network and not a rogue sending out bad data. (Opens you to many MITM attacks). Exposure of passwords? Well, the crypt string, anyway. If you're not using md5 password encryption everywhere then you've opened yourself to simple brute-force attacks on your network. No validation that client machines are authorized to see the data (I plug a machine into your network and can grab all the data from NIS, to hack against in my own time... and forget about the pseudo 'shadow' map in that case!) And so on. -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
-Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jason Pyeron Sent: Thursday, December 17, 2009 14:37 To: 'CentOS mailing list' Subject: [CentOS] NIS failover We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508 4845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192 Any advice? So, avoiding the security flamewars... It seems that it behaves slightly different than I indicated before. Snippet of the strace for # ypcat passwd ... mprotect(0x2a9566a000, 4096, PROT_READ) = 0 arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0 munmap(0x2a9556c000, 33321) = 0 brk(0) = 0x503000 brk(0x524000) = 0x524000 open(/usr/lib/locale/locale-archive, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0 mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000 close(3)= 0 uname({sys=Linux, node=xxx, ...}) = 0 open(/var/yp/nicknames, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000 read(3, passwd\t\tpasswd.byname\ngroup\t\tgro..., 4096) = 185 read(3, , 4096) = 0 close(3)= 0 munmap(0x2a98807000, 4096) = 0 open(/var/yp/binding/XXX.2, O_RDONLY) = 3 pread(3, \1\0\0\0\300\250\1\\2\315\0\0, 12, 2) = 12 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4 getpid()= 13062 bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 ioctl(4, FIONBIO, [1]) = 0 setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 close(3)= 0 close(4)= 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr(192.168.1.34)}, 16) = -1 ETIMEDOUT (Connection timed out) close(3)= 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr(192.168.1.34)}, 16 unfinished ... Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
Jason Pyeron wrote: -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jason Pyeron Sent: Thursday, December 17, 2009 14:37 To: 'CentOS mailing list' Subject: [CentOS] NIS failover We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508 4845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192 Any advice? So, avoiding the security flamewars... It seems that it behaves slightly different than I indicated before. Snippet of the strace for # ypcat passwd ... mprotect(0x2a9566a000, 4096, PROT_READ) = 0 arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0 munmap(0x2a9556c000, 33321) = 0 brk(0) = 0x503000 brk(0x524000) = 0x524000 open(/usr/lib/locale/locale-archive, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0 mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000 close(3)= 0 uname({sys=Linux, node=xxx, ...}) = 0 open(/var/yp/nicknames, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000 read(3, passwd\t\tpasswd.byname\ngroup\t\tgro..., 4096) = 185 read(3, , 4096) = 0 close(3)= 0 munmap(0x2a98807000, 4096) = 0 open(/var/yp/binding/XXX.2, O_RDONLY) = 3 pread(3, \1\0\0\0\300\250\1\\2\315\0\0, 12, 2) = 12 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4 getpid()= 13062 bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 ioctl(4, FIONBIO, [1]) = 0 setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 close(3)= 0 close(4)= 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr(192.168.1.34)}, 16) = -1 ETIMEDOUT (Connection timed out) close(3)= 0 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr(0.0.0.0)}, 16) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr(192.168.1.34)}, 16 unfinished ... Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100- - +1 (443) 269-1555 x333Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos How is your /etc/yp.conf defined. NIS failover works flawlessly here if we have /etc/yp.conf like ypserver nis2 ypserver nis But have had problems if we use broadcast. :) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
Jason Pyeron wrote: We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. We've been using NIS like this for years - failover works just fine. In fact that is one of things I like about NIS, failover is built in and works with virtually no extra set up ... What do you have in your /etc/yp.conf ? James Pearson ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Fri, Dec 18, 2009 at 09:51:24AM +1300, Clint Dilks wrote: How is your /etc/yp.conf defined. NIS failover works flawlessly here if we have /etc/yp.conf like ypserver nis2 ypserver nis You also need to ensure you can resolve nis and nis2 without using NIS, so you may also need to them into /etc/hosts and ensure nsswitch.conf hosts entry begins with files. -- rgds Stephen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 11:37 AM, Jason Pyeron jpye...@pdinc.us wrote: We just updated our configuratiosn to have multiple NIS servers, when we initiated a test of client failover, we were disapointed. It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart. It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192 Any advice? Are you broadcasting for the a NIS sever? Probably should post your /etc/yp.conf file. -- Enjoy global warming while it lasts. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos