Some of us are working on securing Apple's (Formerly NeXT's) netinfo to use certificate based authentication, and a permission scheme which prioritizes machine's access to different parts of the data dictionary. The new netinfo stuff from Apple will supposedly be ldap based anyway, so we are examining it to see what the upcoming security model is to see if we need not bother, but either way, we will have secure NetInfo and plan on porting it to OpenBSD. OpenBSD is certainly the platform from which we intend to administer the network, as it is the hardest to crack. One suggestion might be to do just that, administer the NIS domain from OpenBSD, and provide NO access to the NIS info other than read access from any non OpenBSD server. This should mean that breaking the Solaris box shouldn't allow you to break any other box. If you are not exposing services or exporting filesystems with unreasonable levels of trust, you should be okay. Beware .rhosts and hosts.equiv files/data dictionaries. cg -----Original Message----- From: firstname.lastname@example.org [mailto:email@example.com]On Behalf Of alex Sent: Thursday, September 16, 1999 7:32 AM To: firstname.lastname@example.org Subject: secure NIS and NFS like services (was Re: networking) > If there is someting you don't trust, see if you can place it on a box > not so vital to your business. Obvisouly that would be the best solution but it's not always possible. The point of the question was whether or not its possible to get NIS and NFS like services without opening yourself up to that much risk. Let's say we have a single solaris box running everything on our system. It has to be a solaris box for some reason -- one of the services we have to provide will only run on solaris. Some of the services expose us to risk -- shell service, for example, is dangerous. Other services aren't so risky. So we decide that it would be nice if we chould separate off the risky services from the not so risky services on different machines, and tie them together with NIS and NFS. If the box with the risky services on it falls, the not so risky services box would still be safe, hopefully. And remember, one of our risky services has to run on solaris (just to make the problem more interesting). The problem with that is that if someone gets root on one box, NFS exposes us to a "domino effect" -- it puts the other boxes at risk. So we're not getting that much of a win from splitting things off. Are there ways to get NFS and NIS like services that don't expose you to this domino effect? There are solutions out there, but nothing seems to be general. Sun has NIS+, but that doesn't do me any good if I want to run OpenBSD and Solaris together. The Coda file system seems to be a lot safer than NFS, but that isn't supported everywhere either. Even IPsec, which protects the link, but doesn't address problems in underlying protocols, doesn't seem to run on solaris. So what I'd like to know is how experienced openbsd security gurus solve these problems, if they solve them at all. Is it possible to secure NFS, at least on the openbsd side? Do they use AFS? Is AFS an expensive solution? And what, if anything, exists for the NIS side of the problem?