How secure are NIS and NFS?
NFS and NIS have bad reputations for security. NFS earned its reputation because of its default RPC security flavor AUTH_SYS (see "RPC security" later in this chapter) is very weak. There are better security flavors available for NFS on Solaris and other systems. However, the better security flavors are not available for all, or even most NFS implementations, resulting in a practical dilemma for you. The stronger the NFS security you insist on, the more homogenous your computing environment will become. Assuming that secure file access across the network is a requirement, another option to consider is to not run NFS and switch to another file access system. Today there are but two practical choices:
- SMB (also known as CIFS)
- This limits your desktop environment to Windows. However, as discussed in "NFS versus SMB (CIFS)", if you want strong security, you'll have to have systems capable of it, which means running Windows clients and servers throughout.
- DCE/DFS
- At the time this tutorial was written, DCE/DFS was available as an add-on product developed by IBM's Pittsburgh Laboratory (also known as Transarc) unit for Solaris, IBM's AIX, and Windows. Other vendors offer DCE/DFS for their own operating systems (for example, HP offers DCE/DFS). So DCE/DFS offers the file access solution that is both heterogeneous and very secure.
NIS has earned its reputation because it has no authentication at all. The risk of this is that a successful attacker could provide a bogus NIS map to your users by having a host he controls masquerade as an NIS server. So the attacker could use a bogus host map to redirect the user to a host he controls (of course DNS has the same issue).[19] Even more insidious, the attacker could gain root access when logging into a system, simply by providing a bogus passwd map. Another risk is that the encrypted password field from the passwd map in NIS is available to everyone, thus permitting attackers to perform faster password guessing than if they manually tried passwords via login attempts.
[19]An enhancement to DNS, DNSSEC has been standardized but it is not widely deployed.
These issues are corrected by NIS+. If you are uncomfortable with NIS security then you ought to consider NIS+. In addition to Solaris, NIS+ is supported by AIX and HP/UX, and a client implementation is available for Linux. By default NIS+ uses the RPC/dh security discussed in "AUTH_DH: Diffie-Hellman authentication". As discussed in "How secure is RPC/DH?", RPC/dh security is not state of the art. Solaris offers an enhanced Diffie-Hellman security for NIS+, but so far, other systems have not added it to their NIS+ implementations. Ultimately, the future of directory services is LDAP, but at the time this tutorial was written, the common security story for LDAP on Solaris, AIX, HP/UX, and Linux was not as strong as that of NIS+. You can get very secure LDAP out of Windows, but then your clients and servers will be limited to running Windows.