Hitchhiker's Guide to Openbsd
obsd-faq49
10.19 - Directory services
OpenBSD can be used both as a server and as a client for databases containing user credentials, group information and other network-related data.

10.19.1 - Which directory services are available?

Various directory services can be used on OpenBSD, but YP is the only one that can be accessed directly through standard C library functions such as getpwent(3), getgrent(3) and gethostbyname(3). Thus, if you keep your data in a YP database, you do not need to copy it into local configuration files such as master.passwd(5) before you can use it, for example to authenticate system users.

YP is a directory service compatible with Sun Microsystems' NIS (Network Information System). See yp(8) for an overview of the available manual pages. Be careful: some operating systems ship directory services with similar names that are nevertheless incompatible, for example NIS+.

To use a directory service other than YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, the sysutils/login_ldap port can be used for the former approach, while the ypldap(8) daemon provides the latter.

For some applications, simply synchronizing a small number of configuration files among a group of machines with tools like cron(8), scp(1) or rsync (available from ports) is an easy and robust alternative to a full-blown directory service.

10.19.2 - YP security considerations

For compatibility reasons, all security features built into the OpenBSD implementation of YP are switched off by default. Even with all of them switched on, the NIS protocol remains inherently insecure for two reasons: all data, including sensitive data such as password hashes, is transmitted unencrypted across the network, and neither the client nor the server can reliably verify the other's identity. Before setting up any YP server, you should therefore consider whether these inherent flaws are acceptable in your context.

In particular, YP is inadequate if potential attackers have physical access to your network. Anybody who gains root access to any computer connected to a network segment carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPsec tunnels might be an option, or you might consider combining YP with kerberos(8) authentication.
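The practical consequence of the two flaws above is that whatever a YP server hands out in its passwd map is readable by every host on the segment. The following shell function is an added example, not part of the OpenBSD FAQ or of the YP code base: it audits passwd(5)-format map lines for entries whose password field holds a real hash (or is empty) rather than a placeholder. On a live system you would feed it the output of `ypcat passwd` run from an unprivileged account; here it runs on constructed sample lines so it works offline. The sample user names and the hash string are made up.

```shell
#!/bin/sh
# Added example, not from the OpenBSD FAQ: audit a YP passwd map for
# password hashes visible to whoever dumps it.  On a live system feed it
# `ypcat passwd` (nickname for passwd.byname) run as an ordinary user;
# here it runs on constructed sample lines so it works offline.
#
# Exit status: 0 when every password field is a placeholder ("*..." or "x"),
# 1 when at least one entry carries a hash or an empty password.
# Flagged user names are printed one per line.
yp_hashes_exposed() {
    awk -F: '
        NF < 7 { next }                        # not a passwd(5) line, ignore
        $2 == "x" || $2 ~ /^\*/ { next }       # placeholder: hash kept elsewhere
        $2 == "" { print $1 " (empty password)"; n++; next }
        { print $1; n++ }                      # anything else is a real hash
        END { if (n > 0) exit 1; exit 0 }
    '
}

# Constructed sample maps (not real accounts); the hash value is invented.
SAMPLE_CLEAN='root:*:0:0:Charlie Root:/root:/bin/ksh
alice:*:1000:1000:Alice:/home/alice:/bin/ksh'

SAMPLE_LEAKY='root:*:0:0:Charlie Root:/root:/bin/ksh
bob:$2b$10$madeUpSaltAndHashValueForIllustrationOnly000000000000:1001:1001:Bob:/home/bob:/bin/ksh
guest::1002:1002:Guest:/home/guest:/bin/ksh'

# Stand-alone run: the leaky map reports bob (hash) and guest (empty password).
if printf '%s\n' "$SAMPLE_LEAKY" | yp_hashes_exposed; then
    echo "no hashes exposed"
else
    echo "hashes exposed by the entries listed above"
fi
```

If `ypcat passwd | yp_hashes_exposed` lists any names when run from an unprivileged account, the server is publishing hashes to the whole segment and that should be fixed before any tunnelling or Kerberos work is considered; the ypserv(8) manual page documents the server-side options that control what is served and to whom.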