48.2.3.2. Use a Password-like NIS Domain Name and Hostname
Any machine within an NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.
For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the
/etc/passwd
map:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd
If this attacker is a root user, they can obtain the
/etc/shadow
file by typing the following command:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow
Note
If Kerberos is used, the
/etc/shadow
file is not stored within an NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as
o7hfawtgmhwg.domain.com
. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.