Hi,

On Wed, Apr 20, 2022 at 10:57:58AM -0700, Steve Langasek wrote:

> So I'd like to take a step back and challenge an underlying assumption by
> asking: do any of our users actually *need* this functionality? The RPC
> functionality is only used for NIS and NIS+. NIS is historically quite
> insecure, and I'm not aware of any efforts to improve its security (AFAIK
> the linkage of the crypto libraries doesn't fix the fundamentally insecure
> interfaces of NIS). NIS+ is intended to be a more secure version of NIS,
> but to my knowledge there has never been a free implementation in the
> archive; this was a Sun-specific technology, which Sun deprecated two
> decades ago[1].
>
> If we dropped support for NIS and NIS+ in the next Debian release, would
> anybody miss it? Or has everyone moved on to LDAP / AD by now?

NIS still has uses in small, closed environments where setting up LDAP would be overkill, or if you have to interface with some ancient systems. NIS+ was a nice idea in its own time, and it allowed making NFS more secure before RPCSEC_GSS took over. However, the strength of the crypto used by NIS+ is probably not worth much today anymore, so I'd be surprised if anyone still used it on Linux.

Doing a quick check, PAM only seems to rely on the RPC libraries for changing NIS passwords. Personally, I think losing that would not be a big deal. While I can still see NIS being useful in some corners of the world, I cannot imagine such an environment wanting to enforce password expiration. And if you don't expire passwords, then you don't need PAM to be able to change passwords - running yppasswd should be fine for voluntary password changes.

Regards,
Gabor