Stefan van der Eijk wrote:
> 
> Pedro,
> 
> > Is there any idea/interest to include NIS+ stuff into mandrake?
> Well, when you read about NIS+ at
> http://www.securityportal.com/lasg/servers/authentication/index.html#NIS
> They're not very positive about the security of NIS+. It seems to be
Well that is not very correct. Even in the article, it is noted that
NIS+ tries to issue the problems related to NIS, by using secure RPC
calls.
NIS does not do this and passes a lot of stuff in unencrypted form. A
sniffer and run wild... NIS+ answers for this question. 

However, they are quite correct on what is related to this system level
of security. Encryption does not shine in NIS+. But it is better than
nothing. And besides, we cannot state that NIS+ is bad because it does
not answer for everything. Particularly, in our networks we use VLANs,
isolate ports and use several tools to avoid intrusions. Meanwhile 80%
of authentication goes through NIS+. There was never a break-in on our
NIS+ systems for nearly 5 years. Never. (well there was one, but because
several backup data was hand copied to a world readable directory...
Well it happens :E)

> quite weak. And NIS+ is difficult to setup. I myself have no experience
Correct. The server side seems a headache for good. However the client
side is quite easy to setup. First note that NIS+ already exists on
Mandrake :). glibc 2.1 does the main job ;). Second, nis_tools builds
in the most usual way (configure, make, make install), no need to roam
over configs or code (well 99% of the cases :), there was a bug in one
tool). Then you need to edit nsswitch.conf. Here some variants can
happen, but most cases are "template-friendly". Also there is some
need to correct pam configurations (redirect authentications) and add a
few modules to pam. 

All this can be done more or less automatically and be set in a rpm
package.

The only work-you-have-to-do is:
0: copy /var/nis/NIS_COLD_START from NIS+ server (what some sysadmins
forget to do... there are some "features" with nisinit)
1. Run a few commands to set up NIS+ connection (details on Kukuk's
site)
1a: Use keylogin -r <password> to start authentication (Kukuk seems to
forget this point) 
2. Keep time synchronized between clients/server (NIS+ authentication
highly depends on this)

Kukuk has a page for NIS+: http://www.suse.de/~kukuk/nisplus/index.html
And how to setup non-SUSE Linuxes:
http://www.suse.de/~kukuk/nisplus/other.html

The use of NIS+ tools may turn difficult, but they are mostly needed for
control/monitoring. For a regular user they are unnecessary.


> I'd also like to see kerberos in Mandrake. Redhat seems to have it
> (since 6.2?) and M$ seems to be doing "something" with it too ;-) (don't
THAT'S HIGHLY NEEDED... However nothing troubles you of catching RedHat
stuff and implant over Mandrake :)

> flame me on this). And I'd like to see encrypted network filesystem in
> mandrake, like CODA (if it's already in Mandrake then correct me if I'm
> wrong --> I didn't check).
CODA? Well the thing looks pretty but it eats some good resources of the
machine (memory, CPU, I mean). For a fileserver it is cool, but for a
hybrid server it may be too heavy to carry. In one comp CODA ate up
30Mb RAM and was frequently kicking CPU time for a 2500 Gb partition.

> 
> Just my $0.02.
(Tax deductions)+(Medical fund)+(Retirement fund)+(Insurance)=$0.0199
> 
> Stefan

Ektanoor
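
The client-side checklist in the message above (cold-start file, nsswitch.conf, time synchronisation), written as a preflight script. This is an added example, not part of the original message or of the NIS+ tools; the function names, the databases checked (passwd, group, hosts) and the caller-supplied skew limit are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the NIS+ client steps in the message.
# File paths are arguments so the checks can run against test copies.

# Step 0: the cold-start file copied from the server exists and is non-empty.
check_cold_start() {
    [ -s "${1:-/var/nis/NIS_COLD_START}" ]
}

# nsswitch.conf: print each listed database whose line lacks the
# "nisplus" source (comments are stripped before matching).
missing_nisplus() {
    conf=$1; shift
    for db in "$@"; do
        awk -v db="$db:" '
            { sub(/#.*/, "") }
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "nisplus") found = 1 }
            END { exit (found ? 0 : 1) }' "$conf" || printf '%s\n' "$db"
    done
}

# Step 2: client/server clock difference (epoch seconds) within a limit.
# The limit is site policy; no NIS+ default is assumed here.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -ge 0 ] || d=$(( 0 - d ))
    [ "$d" -le "$3" ]
}

# Constructed sample nsswitch.conf: "group" has nisplus only in a comment.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
passwd: files nisplus
group:  files   # nisplus
hosts:  files dns nisplus
EOF
}

# Run all three checks; return non-zero if any fails.
preflight() {  # args: cold_start nsswitch client_epoch server_epoch max_skew
    rc=0
    check_cold_start "$1" || { echo "missing cold start file: $1"; rc=1; }
    m=$(missing_nisplus "$2" passwd group hosts)
    [ -z "$m" ] || { echo "no nisplus source for:" $m; rc=1; }
    skew_ok "$3" "$4" "$5" || { echo "clock skew above ${5}s"; rc=1; }
    return "$rc"
}
```

The server's epoch time has to be obtained separately and passed in; the script only compares the two values.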
