Transcript Document

Security of NIS (YP)
Gary Lam
[email protected]
1
Security of N I S
NIS Overview
NIS benefits and Goals
Possible attacks
Possible solutions
Conclusion
2
NIS overview
What is NIS ?
A software package originated from SUN
It operates in a distributed environment
It has its own domain(s)
It has master servers and client hosts
It has unique maps as its database files
Assume the connected systems are trusted
3
A typical scenario
User logs in to a machine(Client) on the
network
Client A
Client B
Client C
Server
Username:bob
Password:
Network providing NIS services
4
NIS Domain(s)
Machines share the same NIS maps are
logically grouped together
Each domain needs a master server
Can have slave servers that act as
backup
Client hosts must be in the domain to
use NIS services
5
NIS main components
Mater server, slave servers
ypserv, rpc.passwdd, ypbind
Client hosts
ypbind
NIS maps
NIS database is comprised of a group of
files known as maps
6
NIS maps
Maps are in the dbm format(database management)
Maps are composed of keys and values
Key: a field in the map client must specify whenever it
queries the map
Values: attributes of the key returned from the query
For example: /etc/hosts
Key
Value
moose
123.123.123.100
Generates the “hosts.byname” & “hosts.byaddr” map
KEY
name
KEY
address
Hosts
map
7
NIS netgroup
Netgroups are used to name sets of
users and machines for easy reference
Format of a netgroup entry is:
Groupname list-of-members
Bobcat
(hostname, username, domainname)
For example:
/etc/netgroup file contains:
Bobcats (gopher,,)
8
How does it work?
A client – Server model
A NIS client requires “ypbind” to request data from
an NIS server database.
ypbind remembers which server and its port for binding
A NIS server “ypserv” provides data from the NIS
database to the requesting client.
9
The big picture
ypbind
ypbind
ypserv
c
s
ypbind
ypserv
rpc.passwdd
Slave Server
M
c
c
Master Server
ypbind
ypbind
10
NIS Operation
Application
portmap
ypserv
ypbind
C Library
C Library
NIS Maps
11
NIS benefits & Goals
Users
One password goes any where!!
Use the global UID and GID
System administrators
Ease of network administration
Never bother with individual file on
machines
Save time !!!
12
Why is NIS not secure?
Its connection is wide open
No protection between the client/server connection
Mounting an attack is easy
The domain concept is flawed
Could mount a dictionary attack
It is based on trust in a distributed environment
Allow intrusion unintentionally
None or insufficient authentication
Leads to Spoofing the server
13
Trusting relationship…?
Part 1: Trusted Hosts
Host level equivalence
/etc/hosts.equiv file
Contains a list of hostnames
Can log in to any hosts in the domain
without password
Gopher
Gopher
No password checking
Falcon
Badger
Raven
14
Trusting Relationship…?
Part 2: Trusted account
Account level equivalence
$HOME/.rhosts file
File contains a list of hostname and usernames
Format: hostname [username, username,..]
.rhosts file
Gopher
No password checking
Gopher
Tom
Badger
Drew
Raven
Brad
Falcon
15
Implication of trust
Trust relationships are transitive
If B trusts A and C trusts B then A trusts C
If A is compromised, then B and C is also
compromised!
A
B
C
A
B
16
Using the Domain
Hosts are authenticated by the Domain
Attack can be done by guessing the NIS
domain name
Scenario: An user can obtain the password map
file.
e.g. use the “ypcat” command
17
Dictionary Attack
Given a thousand people each to choose
their own password, the odds are excellent
that at least one person will choose a
password in the attacker’s dictionary.
Attacker can crack your password offline.
Password of six characters or less could be
cracked in 2 days or less
18
Spoofing attack
3 little steps!!
Scenario: Moose(server), gopher(hosts), and
Hacky(intruder).
Gopher
Hacky
Moose
1.
2.
3.
Take Moose out of the network
Guess gopher’s IP sequence number
Pretend to be Moose
19
Spoofing (cont.)
Take moose out
Attacker(hacky) can forge a series of
connection requests to moose using an
improper protocol
A connection request packet with nonexistent return address
Server is busy handling those bogus
connection requests from hacky
Server’s queue filled up and no longer can
handle requests from other hosts
20
Spoofing (cont.)
Guess gopher’s IP sequence number
Attacker can then guess IP sequence number
Sounds difficult in reality but it is NOT
Because many implementations use a well
defined algorithm to generate initial
sequence number
Can make an educated guess!!
21
Spoofing (cont.)
Hacky
Moose
Gopher
Respond
Attack packet
Fake packet
Internal network
22
Denial of Service Attack
Bring down the NIS network service
Use the finger service
e.g. finger [email protected]
client send its NIS request to find “bob”
Over load NIS server with NIS requests
The NIS server searches the map to find bob.
NIS “finger” traffic eventually congests the network
Other NIS services are disrupted.(e.g. password lookup)
23
Possible Solutions
Against login equivalence
Do not use the login equivalence
If you have to use it, then:
Use full qualified host name(no “moose”)
Use: moose.cs.umn.edu
Ask for password no matter who is requesting the
connection
Limited to specific , trusted hosts
Never be granted to hosts outside of Sys.Admin control
Restrict equivalence to host-based which can be
placed directly under the administrator’s control
24
Possible Solution (cont.)
Against Dictionary attack
Do not choose password from a dictionary!
Disable or block ypcat command
Have good password selection strategies
Perform password checking
Proactive checker
Reactive checker
25
Possible Solution (cont.)
Against spoofing
Use encrypted IP Sequence number
Packet filtering firewall that checks “from”
field
Session encryption
26
Possible Solution (cont.)
Against Denial-of-Service attack
Disable finger service on any NIS based system
Restrict service to the minimum number of hosts
or to host that do not participate in NIS.
27
Conclusion
NIS is great but at the cost of security
Try a different approach for distributing
files
Do not use it if possible!!
28
Thank you!
29
yppasswd data structure
Struct yppasswd{
Char* oldpass; /* unencrypted passwd */
struct passwd newpasswd;
};
30
NIS vs. NIS+
NIS
NIS+
Machine name and user’s
name can be the same
Machine name and user’s
name must be unique
Domains are flat—no
hierarchy
Domains are hierarchical
Names and commands are
case sensitive
Names and commands are
not case sensitive
Data is stored in 2-columns
maps
Data is stored in multicolumns tables
Uses no authentication
Uses DES authentication
Updates of maps are
delayed for batch
propagation
Updates are propagated
immediately
31