* [OT] LDAP vs NIS+ security
@ 2001-09-10 2:07 Trever L. Adams
2001-09-10 3:40 ` Michael H. Warfield
0 siblings, 1 reply; 3+ messages in thread
From: Trever L. Adams @ 2001-09-10 2:07 UTC (permalink / raw)
To: Linux Kernel
I am sorry to write this off topic message. I should probably go look
in google for the answer... however -
Someone in arguing about implimenting directory services into the kernel
said that NIS+ will always be more secure than LDAP over SSL... why is this?
Trever Adams
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OT] LDAP vs NIS+ security
2001-09-10 2:07 [OT] LDAP vs NIS+ security Trever L. Adams
@ 2001-09-10 3:40 ` Michael H. Warfield
2001-09-10 4:54 ` Michael H. Warfield
0 siblings, 1 reply; 3+ messages in thread
From: Michael H. Warfield @ 2001-09-10 3:40 UTC (permalink / raw)
To: Trever L. Adams; +Cc: Linux Kernel
On Sun, Sep 09, 2001 at 10:07:06PM -0400, Trever L. Adams wrote:
> I am sorry to write this off topic message. I should probably go look
> in google for the answer... however -
> Someone in arguing about implimenting directory services into the kernel
> said that NIS+ will always be more secure than LDAP over SSL... why is this?
FIIK... /;-(
NIS (FKA Sun Yellow Pages) was so insecure it became know as
the "Network Intruder Service". NIS+ was suppose to address most of
the NIS security issues and it did to a large extent, but created
more than a few problems along the way (having had to managed a mixed
Sun OS 4.x and Solaris 2.x environment, I have more than my share of
horror stories).
AFAIK, there is no NIS+ server on Linux. The home page for the
NIS+ utils states it quite plain that there is no Linux server and there
appears to be no prospect of there EVER being and NIS+ server on Linux
(reasons are unstated there, but I have heard comments about closed
protocols and proprietary information and refusals to release critical
information).
Also, AFAIK, while NIS could support nice things like MD5 password
hashes, NIS+ can not. Now, I haven't verified this personally, but that
would seem to be a highly UNACCEPTABLE step backwards if NIS+ can not
support higher grade password hashes and long pass phrases!
Sooo... Why in bloody hell would we want to lock ourselves into
a proprietary system which would force use to depend on servers based on
other systems and force us to use decidedly inferior authentication
standards? That certainly doesn't sound "more secure" to me.
Then too, what grade cryptography is NIS+ using? I know it
uses Public Key crypto in setting server credentials, but I don't know
if it uses DES or 3-DES in the secure RPC channels. At one time it was
DES. If it's still single DES, that sucks and is decidedly insecure.
SSL gives use 128K symetrical encryption. That should be a minimum.
If they claim that NIS+ will always be more secure than LDAP
over SSL (and I really DON'T know either way) then have them specify
the exact justifications for that claim. Also have them justify
why we should accept a closed standard which we can not participate
in as a server. Also have them justify why we should place ourselves
in a subordinant position, dependent on a closed source server for
our authentication services. Also have them justify, why we should
accept degraded security in the authentication systems by being forced
to accept the old style DES hashes and 8 character limits on passwords.
I just don't see where NIS+ can be justified as even being
qualified for the discussion.
But then again... Maybe times have changed and all these concerns
are just out of date. If so, then were is my Linux based NIS+ server?
I would like to have a copy of that. Then to, maybe the horse will learn
to sing (r.e. ancient Chinese fairy tale).
> Trever Adams
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OT] LDAP vs NIS+ security
2001-09-10 3:40 ` Michael H. Warfield
@ 2001-09-10 4:54 ` Michael H. Warfield
0 siblings, 0 replies; 3+ messages in thread
From: Michael H. Warfield @ 2001-09-10 4:54 UTC (permalink / raw)
To: Trever L. Adams, Linux Kernel
On Sun, Sep 09, 2001 at 11:40:39PM -0400, Michael H. Warfield wrote:
> On Sun, Sep 09, 2001 at 10:07:06PM -0400, Trever L. Adams wrote:
> > I am sorry to write this off topic message. I should probably go look
> > in google for the answer... however -
> > Someone in arguing about implimenting directory services into the kernel
> > said that NIS+ will always be more secure than LDAP over SSL... why is this?
> FIIK... /;-(
> NIS (FKA Sun Yellow Pages) was so insecure it became know as
> the "Network Intruder Service". NIS+ was suppose to address most of
> the NIS security issues and it did to a large extent, but created
> more than a few problems along the way (having had to managed a mixed
> Sun OS 4.x and Solaris 2.x environment, I have more than my share of
> horror stories).
Oh! Almost forgot the best one of all (and more related to
the directory service issue than problems with the password map).
If you combine YP/NIS/NIS+ with something like the finger
service and you have a large enough user identification base, you
create this niffty DoS attack that I called "nisnuke" at the time
I published the security advisory years ago.
Basically, if you have a sufficiently large user database and
I can get to enough finger servers, I can time finger requests into an
NIS* network in a way that crushes the INTERNAL bandwidth destructively.
With an experimental setup of only 10 finger servers and 1,000 users
in the NIS maps I was able to uses a 30 second blast from perl script to
cripple the test network for over 30 minutes. While most Linux systems
recovered quickly, Solaris boxes took minutes to recover (most Solaris
boxes had the screen savers freeze during the resulting NIS "storm") and
some AIX boxes had to be power cycled. Most boxes would not even toggle
the "caps lock" light on the keyboard during the meltdown period.
Note that the storm of NIS traffic cripples the internal bandwidth
between the finger servers and the NIS[+] servers. This takes out everyone
on that network, not just the NIS and finger servers. The conditions
create a situation where RPC retries and failures (due to collisions)
actually exceed the input to the cable you are generating from the
finger traffic. It's a queueing theory meltdown where the input to
the queue is higher than it's capacity.
Sun worked for months trying to solve the problem and the best they
could come up with was to either "disable finger" or "install and open
source version of the finger service which did not do wild card expansion
on the databases".
This was all documented in an Internet Security Systems Advisory
which I authored several years ago. AFAIK, if you put an NIS or NIS+
network together with a large enough user base and a few finger servers,
I can cripple it with NIS traffic and tear it to it's knees and keep
it there. And all finger is doing is "directory lookups" on users. :-/
See BugTraq or ISS Alert archives for more information.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2001-09-10 4:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2001-09-10 2:07 [OT] LDAP vs NIS+ security Trever L. Adams
2001-09-10 3:40 ` Michael H. Warfield
2001-09-10 4:54 ` Michael H. Warfield
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).