1 Security of NIS (YP) Gary Lam

2 Security of N I S NIS Overview NIS benefits and Goals Possible attacks Possible solutions Conclusion

3 NIS overview What is NIS ? A software package originated from SUN It operates in a distributed environment It has its own domain(s) It has master servers and client hosts It has unique maps as its database files Assume the connected systems are trusted

4 A typical scenario User logs in to a machine(Client) on the network Username: Password: bob ServerClient CClient BClient A Network providing NIS services

5 NIS Domain(s) Machines share the same NIS maps are logically grouped together Each domain needs a master server Can have slave servers that act as backup Client hosts must be in the domain to use NIS services

6 NIS main components Mater server, slave servers ypserv, rpc.passwdd, ypbind Client hosts ypbind NIS maps NIS database is comprised of a group of files known as maps

7 NIS maps Maps are in the dbm format( database management ) Maps are composed of keys and values Key: a field in the map client must specify whenever it queries the map Values: attributes of the key returned from the query For example: /etc/hosts Key Value moose Generates the “hosts.byname” & “hosts.byaddr” map Hosts map KEY name address

8 NIS netgroup Netgroups are used to name sets of users and machines for easy reference Format of a netgroup entry is: Groupname list-of-members Bobcat (hostname, username, domainname) For example: /etc/netgroup file contains: Bobcats (gopher,,)

9 How does it work? A client – Server model A NIS client requires “ypbind” to request data from an NIS server database. ypbind remembers which server and its port for binding A NIS server “ypserv” provides data from the NIS database to the requesting client.

10 The big picture M s ypbind ypserv rpc.passwdd ypbind c c c ypserv Master Server Slave Server ypbind

11 NIS Operation Application C Library ypserv ypbind portmap NIS Maps

12 NIS benefits & Goals Users One password goes any where!! Use the global UID and GID System administrators Ease of network administration Never bother with individual file on machines Save time !!!

13 Why is NIS not secure? Its connection is wide open No protection between the client/server connection Mounting an attack is easy The domain concept is flawed Could mount a dictionary attack It is based on trust in a distributed environment Allow intrusion unintentionally None or insufficient authentication Leads to Spoofing the server

14 Trusting relationship…? Host level equivalence /etc/hosts.equiv file Contains a list of hostnames Can log in to any hosts in the domain without password Part 1: Trusted Hosts Gopher Badger Raven Falcon Gopher No password checking

15 Account level equivalence $HOME/.rhosts file File contains a list of hostname and usernames Format: hostname [username, username,..] Part 2: Trusted account Trusting Relationship…?.rhosts file Gopher Tom Badger Drew Raven Brad Falcon Gopher No password checking

16 Implication of trust Trust relationships are transitive If B trusts A and C trusts B then A trusts C If A is compromised, then B and C is also compromised! ABC A B

17 Using the Domain Hosts are authenticated by the Domain Attack can be done by guessing the NIS domain name Scenario: An user can obtain the password map file. e.g. use the “ypcat” command

18 Dictionary Attack Given a thousand people each to choose their own password, the odds are excellent that at least one person will choose a password in the attacker’s dictionary. Attacker can crack your password offline. Password of six characters or less could be cracked in 2 days or less

19 Spoofing attack 3 little steps !! Scenario: Moose(server), gopher(hosts), and Hacky(intruder). 1. Take Moose out of the network 2. Guess gopher’s IP sequence number 3. Pretend to be Moose HackyMoose Gopher

20 Spoofing (cont.) Attacker(hacky) can forge a series of connection requests to moose using an improper protocol A connection request packet with non- existent return address Server is busy handling those bogus connection requests from hacky Server’s queue filled up and no longer can handle requests from other hosts Take moose out

21 Spoofing (cont.) Attacker can then guess IP sequence number Sounds difficult in reality but it is NOT Because many implementations use a well defined algorithm to generate initial sequence number Can make an educated guess!! Guess gopher’s IP sequence number

22 Spoofing (cont.) Hacky Moose Gopher Attack packet Fake packet Internal network Respond

23 Denial of Service Attack Bring down the NIS network service Use the finger service e.g. finger client send its NIS request to find “bob” Over load NIS server with NIS requests The NIS server searches the map to find bob. NIS “finger” traffic eventually congests the network Other NIS services are disrupted.(e.g. password lookup)

24 Possible Solutions Against login equivalence Do not use the login equivalence If you have to use it, then: Use full qualified host name(no “moose”) Use: moose.cs.umn.edu Ask for password no matter who is requesting the connection Limited to specific, trusted hosts Never be granted to hosts outside of Sys.Admin control Restrict equivalence to host-based which can be placed directly under the administrator’s control

25 Possible Solution (cont.) Against Dictionary attack Do not choose password from a dictionary! Disable or block ypcat command Have good password selection strategies Perform password checking Proactive checker Reactive checker

26 Possible Solution (cont.) Against spoofing Use encrypted IP Sequence number Packet filtering firewall that checks “from” field Session encryption

27 Possible Solution (cont.) Against Denial-of-Service attack Disable finger service on any NIS based system Restrict service to the minimum number of hosts or to host that do not participate in NIS.

28 Conclusion NIS is great but at the cost of security Try a different approach for distributing files Do not use it if possible!!

29 Thank you!

30 yppasswd data structure Struct yppasswd{ Char* oldpass; /* unencrypted passwd */ struct passwd newpasswd; };

31 NIS vs. NIS+ NISNIS+ Machine name and user’s name can be the same Machine name and user’s name must be unique Domains are flat—no hierarchy Domains are hierarchical Names and commands are case sensitive Names and commands are not case sensitive Data is stored in 2-columns maps Data is stored in multi- columns tables Uses no authenticationUses DES authentication Updates of maps are delayed for batch propagation Updates are propagated immediately