A.15 Chapter 14: Network-Based Authentication Systems

  • Don't use your Internet domain name as your NIS domain.

  • Use NIS+ instead of NIS, if possible. Don't run NIS+ in compatibility mode.

  • Use netgroups to restrict access to services, including login.

  • Make sure that your version of ypbind listens only on privileged ports.

  • Make sure that there is an asterisk (*) in the password field of any line beginning with a plus sign (+) in both the passwd and group files of any NIS client.

  • Make sure that there is no line beginning with a plus sign (+) in the passwd or group files on any NIS server.

  • If you are using Kerberos, understand its limitations. Protect the Kerberos controller at all costs.

  • If you are using LDAP for authentication, secure connections with TLS/SSL.

    Part VI: Appendixes