comp.unix.aix Frequently Asked Questions (Part 3 of 5)
Section - 1.614: NIS security



Top Document: comp.unix.aix Frequently Asked Questions (Part 3 of 5)
Previous Document: 1.613: Disabling software flow control; using RTS/CTS.
Next Document: 1.615: Why can't non-anonymous users login using WU-FTP?

SUMMARY: AIX 3.2.4 and above includes support for a more secure setup
of the ypserv NIS daemon.  You can prevent any random host on the
entire Internet from reading your NIS maps, as is possible with the
default AIX setup.
 
The details:
------------
After starting the ypserv daemon, I noticed in the syslog the following line:
Jan 17 12:01:18 zeise syslog: /usr/etc/ypserv: no /var/yp/securenets file 
This indicates that ypserv is looking for the mentioned configuration
file, but did not find it, and hence will deliver the NIS maps to
anyone on the net who can guess the NIS domainname.  I installed the
/var/yp/securenets file and restarted ypserv, and it works!  Any
illegal attempt to read NIS maps will result in the following getting
logged to syslog (example):
Jan 18 13:37:27 zeise syslog: ypserv: access denied for 129.142.6.79 

How to enable this NIS security option:  
Install the /var/yp/securenets file, for example:

# /var/yp/securenets file
#
# The format of this file is one or more lines of
# netmask netaddr
# Both netmask and netaddr must be dotted quads.
#
# Note that for a machine with two Ethernet interfaces (i.e. a gateway
# machine), the IP addresses of both have to be in /var/yp/securenets.
#
# for example:
#255.255.255.0 128.185.124.00
# Loopback interface
255.255.255.255 127.0.0.1

Uncommenting the example line (255.255.255.0 128.185.124.00) would limit
access to hosts on the 128.185.124.* net only.  The loopback interface
must be included, as shown above.

To log violations, have a /etc/syslog.conf file containing the proper
events.  We use this line:

*.err;kern.debug;auth.notice;user.none          /var/adm/messages
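The following Python script is an added illustration, not part of the FAQ or of AIX: it reproduces the securenets access decision described above (mask the client address with each netmask and compare with netaddr) so you can check which clients a given /var/yp/securenets file admits, and it scans the kind of syslog lines shown earlier for "access denied" events and the "no /var/yp/securenets file" warning. The securenets text and the syslog lines are constructed samples built from the examples on this page (with the 128.185.124.00 line uncommented); masking netaddr with netmask before comparison is this script's own normalization, since the FAQ does not say how ypserv treats host bits set in netaddr.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the FAQ's example file with the subnet line uncommented.
SECURENETS_TEXT = """\
# /var/yp/securenets file
# netmask netaddr
255.255.255.0 128.185.124.00
# Loopback interface
255.255.255.255 127.0.0.1
"""

# Constructed sample syslog lines modelled on the two shown in the FAQ.
SYSLOG_LINES = [
    "Jan 17 12:01:18 zeise syslog: /usr/etc/ypserv: no /var/yp/securenets file",
    "Jan 18 13:37:27 zeise syslog: ypserv: access denied for 129.142.6.79",
    "Jan 18 13:37:29 zeise syslog: ypserv: access denied for 129.142.6.79",
    "Jan 18 13:40:02 zeise syslog: ypserv: access denied for 192.0.2.10",
]

DENIED_RE = re.compile(r"ypserv: access denied for (\d{1,3}(?:\.\d{1,3}){3})")


def dotted_quad(text: str) -> int:
    """Convert a dotted quad to a 32-bit integer (tolerates '00' as in the FAQ)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 10)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def parse_securenets(text: str) -> List[Tuple[int, int]]:
    """Return (netmask, masked netaddr) pairs; '#' starts a comment, blanks ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask netaddr', got {raw!r}")
        mask = dotted_quad(fields[0])
        net = dotted_quad(fields[1]) & mask  # normalization chosen here, see lead-in
        rules.append((mask, net))
    return rules


def is_allowed(client: str, rules: List[Tuple[int, int]]) -> bool:
    """A client is served if it matches any rule; no rules means nobody is served."""
    addr = dotted_quad(client)
    return any((addr & mask) == net for mask, net in rules)


def denied_sources(lines: List[str]) -> Dict[str, int]:
    """Count 'access denied' events per source address in syslog lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        match = DENIED_RE.search(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts


def securenets_missing(lines: List[str]) -> bool:
    """True if ypserv has logged that it started without /var/yp/securenets."""
    return any("no /var/yp/securenets file" in line for line in lines)


if __name__ == "__main__":
    rules = parse_securenets(SECURENETS_TEXT)
    for client in ("127.0.0.1", "128.185.124.17", "128.185.125.1", "129.142.6.79"):
        print(f"{client:16} {'allowed' if is_allowed(client, rules) else 'denied'}")
    print("denied sources:", denied_sources(SYSLOG_LINES))
    print("securenets missing:", securenets_missing(SYSLOG_LINES))
```

Run it against your own /var/yp/securenets and a slice of /var/adm/messages to confirm that only the networks you intend are admitted and that the daemon is not running without the file; a non-empty `denied_sources` result is the signal the FAQ's syslog.conf line is meant to capture.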

Caveat emptor:  This works for us, and you will have to verify it at
your own installation.  Don't complain to us if you have troubles.  
I do not know what PTF level our AIX 3.2.4 is at.  Our ypserv daemon 
looks like this:

zeise> strings /usr/lib/netsvc/yp/ypserv | head -2
@(#)16
1.12  com/cmd/usr.etc/yp/ypserv.c, cmdnfs, nfs325, 9334325a 5/4/93 19:44:41

If your AIX doesn't have securenets support, ask your support centre
for the PTF which includes APAR IX32328.  That seems to have included
the securenets support.




Send corrections/additions to the FAQ Maintainer:
bofh@mail.teleweb.pt (Jose Pina Coelho)





Last Update March 27 2014 @ 02:11 PM