Re: OT: Is it so easy to break into an NIS?

2003-03-20 Thread Haim Ashkenazi
Thanks for the input, everybody. I think that from now on I will at least
recommend to my clients that they use LDAP instead.

Bye
-- 
Haim


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Tarjei Huse


> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software).  Substituting
> LDAP-SSL for NIS is arguably a step forward, but then NFS remains a
> problem (No Friggin' Security).

Doesn't NFS v4 answer some of these problems? Does anyone know when
we'll see NFS v4 and what its security features are?

Regarding AFS/Kerberos, isn't openafs an OSS solution?

Tarjei

 





Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread seph
Rick Moen [EMAIL PROTECTED] writes:

> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software).

depends what you mean by free. Are you aware of openafs? http://www.openafs.org

seph





Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Rick Moen
Quoting seph ([EMAIL PROTECTED]):

> depends what you mean by free. Are you aware of openafs?
> http://www.openafs.org

That is of course derived from the IBM Transarc software.  Hmmm.  Some
while back, I'd been led to believe that only client-end software was
available in open source.  A quick perusal of that site plus some Google
hits suggests that such is not the case now, if it ever was.  Can
someone confirm from experience that AFS can be done with all open
source, both ends?  (Yes, I do consider IBM PL code to qualify.)

-- 
Cheers,
Rick Moen                     This space for rant.
[EMAIL PROTECTED]





Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Hanasaki JiJi
What is OpenAFS vs CODA?

[EMAIL PROTECTED] wrote:
> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>
>> Quoting seph ([EMAIL PROTECTED]):
>>
>>> depends what you mean by free. Are you aware of openafs?
>>> http://www.openafs.org
>>
>> That is of course derived from the IBM Transarc software.  Hmmm.  Some
>> while back, I'd been led to believe that only client-end software was
>> available in open source.  A quick perusal of that site plus some Google
>> hits suggests that such is not the case now, if it ever was.  Can
>> someone confirm from experience that AFS can be done with all open
>> source, both ends?  (Yes, I do consider IBM PL code to qualify.)
>
> Yes, both sides are fully opensource now.
>
> Tim

--
Management is doing things right; leadership is doing the
right things.  - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone


Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread David Ehle

As I understand it, OpenAFS is IBM software that was opensourced.  Coda
was a wholly opensource project to implement AFS.  Please feel free to
correct me if I'm wrong.

David.

On Wed, 19 Mar 2003, Hanasaki JiJi wrote:

> What is OpenAFS vs CODA?
>
> [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>
>>> Quoting seph ([EMAIL PROTECTED]):
>>>
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software.  Hmmm.  Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source.  A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was.  Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends?  (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim
 




Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Noah L. Meyerhans
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
> As I understand it, OpenAFS is IBM software that was opensourced.  Coda
> was a wholly opensource project to implement AFS.  Please feel free to
> correct me if I'm wrong.

No, CODA is not simply an AFS implementation.  It is based on AFS, but
it supports things like offline use that are not supported by AFS.

The complete feature list from http://www.coda.cs.cmu.edu/ is:
   1. disconnected operation for mobile computing
   2. is freely available under a liberal license
   3. high performance through client side persistent caching
   4. server replication
   5. security model for authentication, encryption and access control
   6. continued operation during partial network failures in server network
   7. network bandwidth adaptation
   8. good scalability
   9. well defined semantics of sharing, even in the presence of network
      failures

I tried setting it up a couple of years ago.  It was evil.  I gave up
and haven't looked at it since.  At that time, there were sid packages
in experimental.  I don't know if they've actually been uploaded to
unstable or not.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Dale Amon
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
 
> As I understand it, OpenAFS is IBM software that was opensourced.  Coda
> was a wholly opensource project to implement AFS.  Please feel free to
> correct me if I'm wrong.

Coda is another CMU SCS project (as was AFS, which
btw stands for Andrew Files System, eg Andrew Carnegie
and Andrew Mellon). It was commercialized in conjunction
with IBM (the Transarc guys were all CMU SCS).

AFAIK, Coda is a new system. However I've been away
from the department since '89 although I still stay
in touch with some of the SCS crowd.
 
-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--





Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread seph
Rick Moen [EMAIL PROTECTED] writes:

> Quoting seph ([EMAIL PROTECTED]):
>
>> depends what you mean by free. Are you aware of openafs?
>> http://www.openafs.org
>
> That is of course derived from the IBM Transarc software.  Hmmm.  Some
> while back, I'd been led to believe that only client-end software was
> available in open source.

you might be thinking of Arla, which is a completely independent
opensource afs client. http://www.stacken.kth.se/projekt/arla/

(okay, so they also have an experimental afs server, but it's not stable)

seph





Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Rick Moen
Quoting seph ([EMAIL PROTECTED]):

> you might be thinking of Arla, which is a completely independent
> opensource afs client. http://www.stacken.kth.se/projekt/arla/

Nope.

Last I heard, Arla was going nowhere, on account of lost mindshare when
IBM/Transarc put OpenAFS under the IBM PL.  Has that changed?

-- 
Cheers,  Not using Microsoft products is like being a non-smoker 
Rick Moen   40 or 50 years ago:  You can choose not to smoke, yourself,
[EMAIL PROTECTED]  but it's hard to avoid second-hand smoke.  -- M. Tiemann


Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Thiemo Nagel

Hanasaki JiJi wrote:

> What is OpenAFS vs CODA?


IIRC CODA has the limitation of needing 4% of volume size in RAM. And 
performance is very bad (IIRC like 150 kbytes/sec max on pentium 400). 
On a second thought: This was in a fully redundant setup - probably it 
has better performance in other setups.


regards,

Thiemo Nagel


> [EMAIL PROTECTED] wrote:
>
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>
>>> Quoting seph ([EMAIL PROTECTED]):
>>>
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software.  Hmmm.  Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source.  A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was.  Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends?  (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim









OT: Is it so easy to break into an NIS?

2003-03-18 Thread Haim Ashkenazi
Hi

A friend just asked me this question and I got curious. Say I'm equipped with a Linux
laptop and some knowledge: I can walk into a company that uses NIS, find out the
settings (NISDOMAIN, free IP address, etc.) and join their domain. Now I can log in
as root on my computer, su to any user and see/change/delete his files. Is it that
easy?

Of course, administrators should protect their mounts with netgroups permissions, and
users should protect their important files with encryption, but how many of these do
you see?

Any ideas? Suggestions?

Bye
-- 
Haim





Re: OT: Is it so easy to break into an NIS?

2003-03-18 Thread Keegan Quinn
On Tuesday 18 March 2003 04:13 pm, Haim Ashkenazi wrote:
> Hi
Hello,

> A friend just asked me this question and I got curious. say I'm equipped
> with a linux laptop and some knowledge, I can walk into a company that uses
> NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join
> their domain. now I can login as root on my computer, su to any user and
> see/change/delete his files. is it that easy?

Yes, quite.  NIS uses no authentication whatsoever.

> of-course, administrators should protect their mounts with netgroups
> permissions, and users should protect their important files with
> encryption, but how many of these you see?

Not many.  The problems you describe above are well-known.

> any ideas? suggestions?

Use LDAP and Kerberos instead of NIS.  They are equally or better supported
in every situation I know of.

- Keegan





Re: OT: Is it so easy to break into an NIS?

2003-03-18 Thread Rick Moen
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> A friend just asked me this question and I got curious. say I'm
> equipped with a linux laptop and some knowledge, I can walk into a
> company that uses NIS, find out the settings (NISDOMAIN, free ip
> address, etc...) and join their domain. now I can login as root on my
> computer, su to any user and see/change/delete his files. is it that
> easy?

On a typical NIS/NFS setup, it's pretty easy from a workstation to break
into other files on the NFS shares.  Breaking into the NIS/NFS master is
and should be extremely non-trivial.

NIS is typically used only inside organisations where random members of
the public aren't given free rein to plug in their laptops and snoop.
(Employees can try that, but have a lot to lose if caught at it.)

Networks needing a greater degree of privacy and authentication can try
AFS/Kerberos (entailing non-free server-end software).  Substituting 
LDAP-SSL for NIS is arguably a step forward, but then NFS remains a
problem (No Friggin' Security).

-- 
Cheers, The genius of you Americans is that you never make 
Rick Moen   clear-cut stupid moves, only complicated stupid moves 
[EMAIL PROTECTED] that make us wonder at the possibility that there may be 
something to them that we are missing. --Gamel Abdel Nasser
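
An added illustration of the netgroup and NFS trust points raised in this thread (not code from any poster): a Python audit of a Linux /etc/exports file, following exports(5) syntax, that reports clients trusted more broadly than a netgroup or single host and options under which the server accepts whatever uid the client sends. The sample file, host names and the @workstations netgroup are constructed.

```python
import re

# Constructed sample /etc/exports (hypothetical hosts and netgroup).
SAMPLE_EXPORTS = """\
# path        client(options) ...
/home         @workstations(rw,sync)
/srv/build    10.0.0.0/8(rw,no_root_squash) buildhost.example.com(ro)
/srv/scratch  *(rw,insecure)
/srv/proj     trusted.example.com (rw)
/srv/secure   @workstations(rw,sec=krb5p)
"""

ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, options); an empty client means every host."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or [""]
        for token in clients:
            match = ENTRY.fullmatch(token)
            if match is None:
                continue                        # malformed entry; ignored here
            opts = set(filter(None, (match.group(2) or "").split(",")))
            yield path, match.group(1), opts


def audit_exports(text):
    """Return (path, client, finding) for each over-broad trust decision."""
    findings = []
    for path, client, opts in parse_exports(text):
        shown = client or "<everyone>"
        if client in ("", "*"):
            findings.append((path, shown, "exported to every host"))
        elif not client.startswith("@") and re.search(r"[*?\[/]", client):
            findings.append((path, shown, "any host matching the pattern or subnet"))
        if "no_root_squash" in opts:
            findings.append((path, shown, "client root keeps uid 0 on the share"))
        if "insecure" in opts:
            findings.append((path, shown, "unprivileged source ports accepted"))
        # With no sec= option the default flavour is sys (AUTH_SYS).
        sec = [o[4:].split(":") for o in opts if o.startswith("sec=")]
        if not sec or "sys" in sec[0]:
            findings.append((path, shown, "sec=sys: client-supplied uid is trusted"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:13} {client:22} {finding}")
```

The /srv/proj line shows the classic stray space: trusted.example.com gets the default options while "(rw)" applies to every host. Only the Kerberos-protected /srv/secure export comes back with no findings.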

