2.2 NIS

Network information service (NIS) is server-client based mechanism to unify the management of accounts of a group of networked computers. In a group (called a domain) of computers, one or more computers serve as servers, while the rest act as clients. Each server maintains a clone of the domain-wide database about usernames, UIDs, GIDs and other important information for authentication. A client runs a daemon to synchronize its /etc/passwd, /etc/shadow and /etc/group with that of a server.

While the original NIS is not secure, NIS+ addresses some of the security weaknesses. Nonetheless, some security concerns are deep rooted in the “synchronization” method:

• Transmission of passwords over the network. The entire password database is transmitted on a network. Although NIS+ supports encryption, the encryption method is relatively weak because it relies on a single constant encryption key.
• Storage of passwords on a standalone machine. While this feature permits a standalone machine function without network connectivity, it exposes a lot of sensitive information should a standalone machine be compromised.
• Difficult to firewall. NIS/NIS+ uses random higher port numbers in addition to port 111. This makes it difficult to configure a firewall to “lock in” NIS/NIS+ traffic.