COMMAND

    ypserv(8)

SYSTEMS AFFECTED

    SunOS 3.x, SunOS 4.x, and many other NIS implementations.

PROBLEM

    ypserv  will  gladly  handout  passwd  files  (and  any other map)
    to anyone how can guess your domainname. Sun BugID 1036869.

SOLUTION

    1) Make your YP domainname long and unrelated to your hosts  name.
    Maximum allowed lenght is 64 bytes. This is truly security  though
    obscurity...  2)  If  you  access  the  wider  Internet  though  a
    flexible router (Cisco or similar) switch off access to port  111,
    tcp and  udp. This  significantly increses  the programming effort
    needed  to  exploit  the  problem.  Unfortunately,  ypserv  is not
    allways at  the same  port on  all machines,  so it's difficult to
    switch  off  access  to  ypserv  reliably.  This  will prevent all
    normal  Sun  RPC  calls  going  though  the  bridge.  This may not
    be  what  you  want.  3)  The  official  word from Sun in responce
    to  the  bug  report:  "For  now  we  recommend  taking two steps:
    1)  do  not  run  your  YPServ  on  your  Internet  gateway and 2)
    do  not  do  IP  routing  from  your  Internet gateway to the rest
    of  your  machines.  This  is  the  solution  employed at Sun." Of
    these  workarounds,  3)  is  the  only  completely  reliable  one,
    assuming  the  attack  comes  from  outside,  but  may  not   meet
    most  people's  idea  of  user-frendliness.  2)  and  3)  will not
    protect  you  from  someone  who  was  broken  in  on  a   machine
    'inside'  the  barrier  but  not  in  your  domain, and decides to
    collect  passwd  files  while  there.  1)  combined with 2) and 3)
    may be better.