From owner-doc-jp@jp.freebsd.org  Sun Feb 13 04:08:30 2000
Message-Id: <200002121908.EAA06505@mail.geocities.co.jp>
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 13 Feb 2000 03:34:32 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 142
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 7028
Subject: [doc-jp 7028] books/handbook/advanced-networking/chapter.sgml #5
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 $B:G8e$G$9!#J,NLB?$a$G$9$,!"(B
 <programlisting> $B$J$I!"Nc<(ItJ,$NK]Lu$OI,MW$"$j$^$;$s!#(B

(books/handbook/advanced-networking/chapter.sgml 1.17 -> 1.18 #5)

+
+    <sect2>
+      <title>NIS Security</title>
+
+      <para>In general, any remote user can issue an RPC to ypserv and
+	retrieve the contents of your NIS maps, provided the remote user
+	knows your domainname.  To prevent such unauthorized transactions,
+	ypserv supports a feature called securenets which can be used to
+	restrict access to a given set of hosts.  At startup, ypserv will
+	attempt to load the securenets information from a file called
+	<filename>/var/yp/securenets</filename>.</para>
+	
+      <note>
+	<para>This path varies depending on the path specified with the
+	  <option>-p</option> option.  This file contains entries that
+	  consist of a network specification and a network mask separated
+	  by white space.  Lines starting with &ldquo;#&rdquo; are
+	  considered to be comments.  A sample securenets file might look
+	  like this:</para>
+      </note>
+
+      <programlisting>
+# allow connections from local host -- mandatory
+127.0.0.1     255.255.255.255
+# allow connections from any host
+# on the 192.168.128.0 network
+192.168.128.0 255.255.255.0
+# allow connections from any host
+# between 10.0.0.0 to 10.0.15.255
+10.0.0.0      255.255.240.0</programlisting>
+
+      <para>If ypserv receives a request from an address that matches one
+	of these rules, it will process the request normally.  If the
+	address fails to match a rule, the request will be ignored and a
+	warning message will be logged.  If the
+	<filename>/var/yp/securenets</filename> file does not exist,
+	ypserv will allow connections from any host.</para>
+
+      <para>The ypserv program also has support for Wietse Venema's
+	<application>tcpwrapper</application> package.  This allows the
+	administrator to use the tcpwrapper configuration files for access
+	control instead of <filename>/var/yp/securenets</filename>.</para>
+
+      <note>
+	<para>While both of these access control mechanisms provide some
+	  security, they, like the privileged port test, are both
+	  vulnerable to &ldquo;IP spoofing&rdquo; attacks.</para>
+      </note>
+    </sect2>
+
+    <sect2>
+      <title>NIS v1 compatibility</title>
+
+      <para> FreeBSD's <application>ypserv</application> has some support
+	for serving NIS v1 clients.  FreeBSD's NIS implementation only
+	uses the NIS v2 protocol, however other implementations include
+	support for the v1 protocol for backwards compatibility with older
+	systems.  The <application>ypbind</application> daemons supplied
+	with these systems will try to establish a binding to an NIS v1
+	server even though they may never actually need it (and they may
+	persist in broadcasting in search of one even after they receive a
+	response from a v2 server).  Note that while support for normal
+	client calls is provided, this version of ypserv does not handle
+	v1 map transfer requests; consequently, it can not be used as a
+	master or slave in conjunction with older NIS servers that only
+	support the v1 protocol.  Fortunately, there probably are not any
+	such servers still in use today.</para>
+    </sect2>
+
+    <sect2>
+      <title>NIS servers that are also NIS clients</title>
+
+      <para> Care must be taken when running ypserv in a multi-server
+	domain where the server machines are also NIS clients.  It is
+	generally a good idea to force the servers to bind to themselves
+	rather than allowing them to broadcast bind requests and possibly
+	become bound to each other.  Strange failure modes can result if
+	one server goes down and others are dependent upon on it.
+	Eventually all the clients will time out and attempt to bind to
+	other servers, but the delay involved can be considerable and the
+	failure mode is still present since the servers might bind to each
+	other all over again.</para>
+
+      <para>You can force a host to bind to a particular server by running
+	<command>ypbind</command> with the <option>-S</option>
+	flag.</para>
+    </sect2>
+
+    <sect2>
+      <title>libscrypt vs. libdescrypt</title>
+
+      <para>One of the most common issues that people run into when trying
+	to implement NIS is crypt library compatibility.  If your NIS
+	server is using the DES crypt libraries, it will only support
+	clients that are using DES as well. To check which one your server
+	and clients are using look at the symlinks in
+	<filename>/usr/lib</filename>.  If the machine is configured to
+	use the DES libraries, it will look something like this:</para>
+
+      <screen>
+&prompt.user; <userinput>ls -l /usr/lib/*crypt*</userinput>
+lrwxrwxrwx  1 root  wheel     13 Jul 15 08:55 /usr/lib/libcrypt.a@ -> libdescrypt.a
+lrwxrwxrwx  1 root  wheel     14 Jul 15 08:55 /usr/lib/libcrypt.so@ -> libdescrypt.so
+lrwxrwxrwx  1 root  wheel     16 Jul 15 08:55 /usr/lib/libcrypt.so.2@ -> libdescrypt.so.2
+lrwxrwxrwx  1 root  wheel     15 Jul 15 08:55 /usr/lib/libcrypt_p.a@ -> libdescrypt_p.a
+-r--r--r--  1 root  wheel  13018 Nov  8 14:27 /usr/lib/libdescrypt.a
+lrwxr-xr-x  1 root  wheel     16 Nov  8 14:27 /usr/lib/libdescrypt.so@ -> libdescrypt.so.2
+-r--r--r--  1 root  wheel  12965 Nov  8 14:27 /usr/lib/libdescrypt.so.2
+-r--r--r--  1 root  wheel  14750 Nov  8 14:27 /usr/lib/libdescrypt_p.a</screen>
+
+      <para>If the machine is configured to use the standard FreeBSD MD5
+	crypt libraries they will look somethine like this:</para>
+
+      <screen>
+&prompt.user; <userinput>ls -l /usr/lib/*crypt*</userinput>
+lrwxrwxrwx  1 root  wheel     13 Jul 15 08:55 /usr/lib/libcrypt.a@ -> libscrypt.a
+lrwxrwxrwx  1 root  wheel     14 Jul 15 08:55 /usr/lib/libcrypt.so@ -> libscrypt.so
+lrwxrwxrwx  1 root  wheel     16 Jul 15 08:55 /usr/lib/libcrypt.so.2@ -> libscrypt.so.2
+lrwxrwxrwx  1 root  wheel     15 Jul 15 08:55 /usr/lib/libcrypt_p.a@ -> libscrypt_p.a
+-r--r--r--  1 root  wheel   6194 Nov  8 14:27 /usr/lib/libscrypt.a
+lrwxr-xr-x  1 root  wheel     14 Nov  8 14:27 /usr/lib/libscrypt.so@ -> libscrypt.so.2
+-r--r--r--  1 root  wheel   7579 Nov  8 14:27 /usr/lib/libscrypt.so.2
+-r--r--r--  1 root  wheel   6684 Nov  8 14:27 /usr/lib/libscrypt_p.a</screen>
+	
+      <para>If you have trouble authenticating on an NIS client, this is a
+	pretty good place to start looking for possible problems.</para>
+    </sect2>
+  </sect1>
 </chapter>
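Review bot: The <note> opened at "This path varies depending on the path specified with the -p option" swallows text that is not a note: the sentences describing the file format ("This file contains entries that consist of a network specification and a network mask separated by white space." and the comment-line rule) and the lead-in "A sample securenets file might look like this:" belong in an ordinary <para> directly before the <programlisting>; as written, the sample file is introduced from inside a note that closes before the listing appears. Keep only the -p sentence in the <note>. Smaller points in the same hunk: "they will look somethine like this" should read "something"; "others are dependent upon on it" has a doubled preposition; "it can not be used as a master or slave" reads better as "cannot"; "<para> FreeBSD's ypserv" and "<para> Care must be taken" carry a stray space after the opening tag; and the last paragraph of "NIS servers that are also NIS clients" tells the reader to run ypbind with the -S flag without saying what argument the flag takes, so the advice to force a server to bind to itself cannot be applied from this text alone.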

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)
