FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 12-17-2009, 06:37 PM
"Jason Pyeron"
 
Default NIS failover

We just updated our configuratiosn to have multiple NIS servers, when we
initiated a test of client failover, we were disapointed.

It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.

It behaves as indicated in
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1 SMP
Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192


Any advice?

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 06:44 PM
 
Default NIS failover

> We just updated our configuratiosn to have multiple NIS servers, when we
> initiated a test of client failover, we were disapointed.
>
> It seemed that the only way to get a filaover was to /etc/init.d/ypbind
> restart.
>
> It behaves as indicated in
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
> ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx 2.6.9-55.0.12.ELsmp #1
> SMP
> Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
> Any advice?

Not one you want to hear: ditch NIS. It's known to have a *lot* of
security holes. At the very least, NIS+. Better would be either RH
directory server (which I've never worked with), or openLDAP (which is,
IMO, NOT ready for prime time, but is built for security.

mark

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 06:50 PM
"John R. Dennison"
 
Default NIS failover

On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
>
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

Out of curiousity, can you point me to writeups of known working
exploits against current yp-family versions on CentOS?

NIS+ is not, the last time I checked, available for Linux; if
my understanding is in error I would very much welcome
correction.




John

--
We cannot do everything at once, but we can do something at once.

-- Calvin Coolidge (1872-1933), 30th president of the United States
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 06:54 PM
Ray Van Dolson
 
Default NIS failover

On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
> >
> > Not one you want to hear: ditch NIS. It's known to have a *lot* of
> > security holes. At the very least, NIS+. Better would be either RH
>
> Out of curiousity, can you point me to writeups of known working
> exploits against current yp-family versions on CentOS?
>
> NIS+ is not, the last time I checked, available for Linux; if
> my understanding is in error I would very much welcome
> correction.

I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well.
The authors noted the irony in NIS outliving that which was meant to
replace it.

Main weakness of NIS is that it's pretty easy to just sniff out
potentially valuable information over the wire. But if you're on a
secure / internal network and have legacy clients to support often
times the reality is you'll need to use NIS.

At work, we still rely on NIS, but hope to integrate with AD at some
point -- however, we'll undoubtedly need some sort of NIS shim that can
talk to the LDAP backend to provide functionality to older, legacy Unix
clients...

Ray
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 06:58 PM
Stephen Harris
 
Default NIS failover

On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the
Solaris training courses barely mentioned NIS and had 2 or 3 chapters on
NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+
at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is,
> IMO, NOT ready for prime time, but is built for security.

The problem with LDAP is that it's a lot slower than NIS, and nscd
is essential in order to get even minimally adequate performance.
Unfortunately. I say "unfortunately" because in many respects LDAP is
superior to NIS (especially with respect to security). Just not needing
crypt strings is a big win. I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and
(normally) "just works". Evaluate the security in your environment and
determine if the risk is acceptable.

--

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 07:06 PM
Stephen Harris
 
Default NIS failover

On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> Out of curiousity, can you point me to writeups of known working
> exploits against current yp-family versions on CentOS?

The problem isn't an exploit of the specific tools; the whole mechanism
is insecure, unless you use secureRPC everywhere.

For example, there's no verification that the server you are bound to
is, indeed, a valid server for the network and not a rogue sending out
bad data. (Opens you to many MITM attacks).

Exposure of passwords? Well, the crypt string, anyway. If you're not
using md5 password encryption everywhere then you've opened yourself to
simple brute-force attacks on your network.

No validation that client machines are authorized to see the data (I
plug a machine into your network and can grab all the data from NIS,
to hack against in my own time... and forget about the pseudo 'shadow'
map in that case!)

And so on.

--

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 07:22 PM
"Jason Pyeron"
 
Default NIS failover

> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of Jason Pyeron
> Sent: Thursday, December 17, 2009 14:37
> To: 'CentOS mailing list'
> Subject: [CentOS] NIS failover
>
> We just updated our configuratiosn to have multiple NIS
> servers, when we initiated a test of client failover, we were
> disapointed.
>
> It seemed that the only way to get a filaover was to
> /etc/init.d/ypbind restart.
>
> It behaves as indicated in
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508
4845 using
> ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx
> 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64
> x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
>
> Any advice?

So, avoiding the security flamewars...

It seems that it behaves slightly different than I indicated before.

Snippet of the strace for # ypcat passwd
...
mprotect(0x2a9566a000, 4096, PROT_READ) = 0
arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0
munmap(0x2a9556c000, 33321) = 0
brk(0) = 0x503000
brk(0x524000) = 0x524000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0
mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000
close(3) = 0
uname({sys="Linux", node="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ...}) = 0
open("/var/yp/nicknames", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x2a98807000
read(3, "passwd passwd.byname
group gro"..., 4096) = 185
read(3, "", 4096) = 0
close(3) = 0
munmap(0x2a98807000, 4096) = 0
open("/var/yp/binding/XXXXXXXXXXXXXXXXXXX.2", O_RDONLY) = 3
pread(3, "13002501"2315", 12, 2) = 12
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
getpid() = 13062
bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")},
16) = 0
ioctl(4, FIONBIO, [1]) = 0
setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
close(3) = 0
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")},
16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")},
16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>

Then when I ^C it and run again it has failed over, but otherwise it hangs there
for more than 300 seconds.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 07:51 PM
Clint Dilks
 
Default NIS failover

Jason Pyeron wrote:
>
>
>
>> -----Original Message-----
>> From: centos-bounces@centos.org
>> [mailto:centos-bounces@centos.org] On Behalf Of Jason Pyeron
>> Sent: Thursday, December 17, 2009 14:37
>> To: 'CentOS mailing list'
>> Subject: [CentOS] NIS failover
>>
>> We just updated our configuratiosn to have multiple NIS
>> servers, when we initiated a test of client failover, we were
>> disapointed.
>>
>> It seemed that the only way to get a filaover was to
>> /etc/init.d/ypbind restart.
>>
>> It behaves as indicated in
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=508
>>
> 4845 using
>
>> ypbind-1.17.2-13 on Centos 4.5 / Linux xxxxxxxxxxxx
>> 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64
>> x86_64 x86_64 GNU/Linux
>>
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>>
>>
>> Any advice?
>>
>
> So, avoiding the security flamewars...
>
> It seems that it behaves slightly different than I indicated before.
>
> Snippet of the strace for # ypcat passwd
> ...
> mprotect(0x2a9566a000, 4096, PROT_READ) = 0
> arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0
> munmap(0x2a9556c000, 33321) = 0
> brk(0) = 0x503000
> brk(0x524000) = 0x524000
> open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0
> mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000
> close(3) = 0
> uname({sys="Linux", node="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", ...}) = 0
> open("/var/yp/nicknames", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> 0x2a98807000
> read(3, "passwd passwd.byname
group gro"..., 4096) = 185
> read(3, "", 4096) = 0
> close(3) = 0
> munmap(0x2a98807000, 4096) = 0
> open("/var/yp/binding/XXXXXXXXXXXXXXXXXXX.2", O_RDONLY) = 3
> pread(3, "13002501"2315", 12, 2) = 12
> socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
> getpid() = 13062
> bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")},
> 16) = 0
> ioctl(4, FIONBIO, [1]) = 0
> setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0
> fcntl(4, F_SETFD, FD_CLOEXEC) = 0
> close(3) = 0
> close(4) = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
> bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")},
> 16) = 0
> connect(3, {sa_family=AF_INET, sin_port=htons(111),
> sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out)
> close(3) = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
> bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")},
> 16) = 0
> connect(3, {sa_family=AF_INET, sin_port=htons(111),
> sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>
>
> Then when I ^C it and run again it has failed over, but otherwise it hangs there
> for more than 300 seconds.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> - -
> - Jason Pyeron PD Inc. http://www.pdinc.us -
> - Principal Consultant 10 West 24th Street #100 -
> - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
> - -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
How is your /etc/yp.conf defined. NIS failover works flawlessly here if
we have /etc/yp.conf like
ypserver nis2
ypserver nis

But have had problems if we use broadcast.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 07:53 PM
James Pearson
 
Default NIS failover

Jason Pyeron wrote:
> We just updated our configuratiosn to have multiple NIS servers, when we
> initiated a test of client failover, we were disapointed.
>
> It seemed that the only way to get a filaover was to /etc/init.d/ypbind restart.

We've been using NIS like this for years - failover works just fine. In
fact that is one of things I like about NIS, failover is built in and
works with virtually no extra set up ...

What do you have in your /etc/yp.conf ?

James Pearson
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 12-17-2009, 07:53 PM
Stephen Harris
 
Default NIS failover

On Fri, Dec 18, 2009 at 09:51:24AM +1300, Clint Dilks wrote:
> How is your /etc/yp.conf defined. NIS failover works flawlessly here if
> we have /etc/yp.conf like
> ypserver nis2
> ypserver nis

You also need to ensure you can resolve "nis" and "nis2" without using
NIS, so you may also need to them into /etc/hosts and ensure
nsswitch.conf hosts entry begins with "files".

--

rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 03:03 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org