Hubbry Logo
Network Information ServiceNetwork Information ServiceMain
Open search
Network Information Service
Community hub
Network Information Service
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Network Information Service
Network Information Service
Network Information Service
View on Wikipedia
from Wikipedia

The Network Information Service, or NIS (originally called Yellow Pages or YP), is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.

Because British Telecom PLC owned the name "Yellow Pages" as a registered trademark in the United Kingdom for its paper-based, commercial telephone directory, Sun changed the name of its system to NIS, though all the commands and functions still start with "yp".[1]

A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. For example, in a common UNIX environment, the list of users for identification is placed in /etc/passwd and secret authentication hashes in /etc/shadow. NIS adds another "global" user list which is used for identifying users on any client of the NIS domain.

Administrators have the ability to configure NIS to serve password data to outside processes to authenticate users using various versions of the Unix crypt(3) hash algorithms. However, in such cases, any NIS(0307) client can retrieve the entire password database for offline inspection.

Successor technologies

[edit]

The original NIS design was seen to have inherent limitations, especially in the areas of scalability and security, so other technologies have come to replace it.

Sun introduced NIS+ as part of Solaris 2 in 1992, with the intention for it to eventually supersede NIS. NIS+ features much stronger security and authentication features, as well as a hierarchical design intended to provide greater scalability and flexibility. However, it was also more cumbersome to set up and administer, and was more difficult to integrate into an existing NIS environment than many existing users wished. NIS+ was removed from Solaris 11.[2]

As a result, many users choose to remain with NIS, and over time other modern and secure distributed directory systems, most notably Lightweight Directory Access Protocol (LDAP), came to replace it. For example, slapd (the standalone LDAP daemon) generally runs as a non-root user, and SASL-based encryption of LDAP traffic is natively supported.

On large LANs, DNS servers may provide better nameserver functionality than NIS or LDAP can provide, leaving just site-wide identification information for NIS master and slave systems to serve. However, some functions‍—‌such as the distribution of netmask information to clients, as well as the maintenance of e-mail aliases‍—‌may still be performed by NIS or LDAP. NIS maintains an NFS database information file as well as so called maps.

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Network Information Service

View on Grokipedia
from Grokipedia
The Network Information Service (NIS), formerly known as the (YP), is a distributed naming service that centralizes the management and distribution of administrative data, such as user accounts, passwords, hostnames, IP addresses, and groups, across networks of systems. Developed by in the 1980s and integrated into systems like Solaris and various distributions, NIS replaces localized files (such as those in /etc) with a uniform set of databases called maps, enabling consistent access to shared information without manual synchronization on each machine. NIS functions through a client-server architecture, where master servers maintain authoritative copies of maps—two-column tables in ndbm format storing key-value pairs (e.g., passwd.byname for username-to-password mappings)—and propagate updates to slave servers for redundancy and load balancing. Clients bind to available servers using the ypbind daemon, either via broadcast discovery or a predefined server list, and query the RPC-based ypserv daemon on servers to retrieve data, often in conjunction with portmap for service location. Key maps include standard ones like hosts.byaddr for IP-to-hostname resolution and bootparams for diskless client booting, supporting a flat namespace without hierarchical structure, though it can integrate with DNS for broader Internet connectivity. While effective for small to medium-sized networks, NIS has notable limitations, particularly in security: it transmits data, including password hashes, unencrypted over the network and lacks host authentication, making it vulnerable to and spoofing attacks. Mitigation options include restricting access via the /var/yp/securenets file to trusted IP addresses and using firewalls, but modern deployments often favor more secure alternatives like LDAP (per RFC 2307) or SSSD for identity management. Despite its legacy status, NIS remains in use for compatibility in certain Unix environments, with tools like ypset for manual server selection (though discouraged due to risks) and rpc.yppasswdd for remote password updates.

Overview

Definition

The Network Information Service (NIS) is a client-server protocol designed for distributing system configuration data, such as user accounts, group memberships, hostnames, and email aliases, across networks of operating systems. Originally known as Yellow Pages (YP), it was renamed NIS in the early following a dispute with British Telecom, which held rights to the "Yellow Pages" name in the . Developed by in the 1980s, NIS was licensed to virtually all major Unix vendors, establishing it as a for centralized administration in networked Unix environments during that era and into the . At its core, NIS operates through a centralized server that maintains databases of shared information, which clients query remotely to retrieve data traditionally stored in local files, such as /etc/ for user accounts or /etc/hosts for hostnames, thereby enabling consistent configuration across multiple systems without manual synchronization.

Purpose and Use Cases

The Network Information Service (NIS) primarily enables centralized management of user authentication, hostname resolution, and other configuration data across multi-machine environments, thereby avoiding duplication and inconsistency in administrative files. By distributing known as maps from a master server to slave servers, NIS ensures that updates to information such as user credentials and host addresses are propagated uniformly throughout the network. This centralized approach simplifies administration in homogeneous Unix networks, where maintaining synchronized local files like /etc/passwd and /etc/hosts on each machine would otherwise be labor-intensive. In practice, NIS facilitates seamless user login across networked systems by sharing user accounts, making it particularly useful in environments like university computer labs or enterprise Unix clusters. For instance, in a lab setup with multiple client machines, administrators can add or modify user accounts on a single master server, with changes automatically distributed to all clients for consistent authentication. Similarly, NIS distributes host and network information to support services such as (NFS) mounting, allowing clients to resolve hostnames and IP addresses from a shared database without local modifications. NIS integrates with Unix authentication mechanisms by augmenting local files, enabling standard library calls like getpwent() to retrieve remote from NIS maps such as passwd.byname. In the pre-LDAP era, this provided significant benefits for Unix networks by reducing the need for manual and enabling scalable administration of growing clusters, though it has since been largely supplanted by more secure alternatives.

History

Development by Sun Microsystems

The Network Information Service (NIS), originally known as Yellow Pages (YP), was developed by in the mid-1980s as a key component of their Unix-based workstation ecosystem to enable networked computing environments. This development occurred amid the rapid expansion of local area networks in academic and research settings, where Sun's workstations were increasingly deployed. The service was introduced in 2.0, released in May 1985, marking a foundational advancement in distributed system management. The primary motivation for creating NIS stemmed from the need to address administrative challenges in sharing configuration data—such as user accounts, hostnames, and network services—across expanding SunOS-based networks. Prior to NIS, maintaining consistent system information required manual synchronization on each machine, which became inefficient as network sizes grew beyond a handful of nodes. Building on Sun's earlier innovations like (RPC) technology, introduced in , NIS leveraged a client-server model to centralize and , promoting in heterogeneous Unix environments. The initial implementation was led by Sun's engineering team, who designed NIS to integrate seamlessly with the emerging client-server paradigms that defined Sun's computing vision. Upon , NIS commands retained the "yp" prefix to honor its origins, reflecting the analogy to a centralized directory for quick lookups. This naming persisted even after a later due to issues, underscoring the service's roots in Sun's networked .

Name Change and Adoption

In the late 1980s, renamed its (YP) directory service to Network Information Service (NIS) following a legal dispute over the "" held by British Telecom in the . Despite the rebranding, the underlying functionality remained unchanged, and legacy elements such as command-line binaries and manual pages retained the "yp" prefix to maintain compatibility. This name change was necessary to avoid infringement, as "" was a registered for British Telecom's services, prompting Sun to adopt a neutral, descriptive term for global distribution. Sun Microsystems further promoted NIS adoption by open-sourcing the software and licensing it freely to other vendors, which facilitated its integration into various systems starting in the late 1980s. A key enabler was the publication of the Protocol Specification in 1986, which detailed the YP/NIS protocol built on Sun's (RPC) framework and allowed porting to non-Sun platforms. This specification enabled implementations in (BSD) variants, early distributions, and commercial Unix systems, standardizing centralized management of user accounts, hostnames, and other configuration data across heterogeneous networks. By the 1990s, NIS had achieved peak adoption as the primary in enterprise and academic environments, becoming a standard feature in major Unix operating systems including Sun's Solaris, IBM's AIX, Hewlett-Packard's , and BSD derivatives like . Its widespread inclusion—supported in virtually all distributions and Unix variants of the era—streamlined administration in large-scale networks, though it was eventually supplemented by more secure alternatives.

Architecture

Client-Server Model

The Network Information Service (NIS) employs a client-server to distribute administrative across a network, where servers maintain centralized databases and clients query them for information such as user accounts and host configurations. In this model, servers act as authoritative sources, while clients rely on binding mechanisms to access the dynamically. The design emphasizes simplicity and reliability for local area networks, using (RPC) for communication, though the protocol details are handled transparently. NIS servers run the ypserv daemon, which manages and serves the databases known as maps to client requests. Each NIS domain designates one master server responsible for updating and propagating the maps, ensuring consistency across the network. To enhance , slave servers replicate the full set of maps from the master via automated push mechanisms, allowing them to handle client queries independently and distribute load during high demand. Both master and slave servers also function as clients to bind to themselves for internal queries. On the client side, the ypbind daemon establishes and maintains a binding to an available NIS server within the client's domain, enabling seamless . Clients use utility commands such as ypcat for retrieving entire maps or ypmatch for querying specific keys, which interact with ypbind to forward requests to the bound server. If the bound server becomes unresponsive, ypbind rebinds by broadcasting RPC requests or consulting a server list, ensuring continuous availability. The communication flow begins with a client initiating a request through ypbind, which identifies a server and routes the query specifying the domain and desired or key. The ypserv process on the server processes the request by accessing the corresponding and returns the relevant data—such as key-value pairs—directly to the client via RPC. This stateless interaction supports efficient, on-demand access without persistent connections. NIS's client-server model is optimized for small to medium-sized networks, typically supporting up to a few hundred hosts through master-slave replication for . Beyond basic replication, it lacks built-in hierarchical structures or advanced load balancing, limiting in larger environments where a single point of failure at the master could propagate delays.

Domains and Maps

In the Network Information Service (NIS), domains serve as logical groupings of machines to scope and isolate name service information across administrative boundaries. An NIS domain consists of a collection of systems that share a common set of maps, identified by a unique such as "acme-art" or "test-domain," which is unrelated to DNS domains. This structure enables centralized management of configuration data while preventing overlap between different groups of hosts. Clients bind to a single domain at boot time, with the domain name specified in the /etc/defaultdomain file to determine the scope of queries. NIS maps form the fundamental data structures, functioning as two-column key-value databases that store system configuration information in a distributed manner. These maps are compiled on the server from flat ASCII source files, such as /etc/ for user accounts or /etc/hosts for host addresses, replacing direct reliance on local /etc files for networked environments. The resulting databases are stored in ndbm (New DBM) format as .dbm files within the /var/yp/ directory on both master and slave servers, optimizing for fast lookups in a client-server model. Common map types include "byname" variants, which allow lookups by human-readable names (e.g., maps usernames to password entries), and "byaddr" variants for reverse lookups by numeric identifiers (e.g., hosts.byaddr maps IP addresses to hostnames). Special maps address niche data, such as ethers.byaddr, which derives from /etc/ethers to map Ethernet (MAC) addresses to machine names, supporting network hardware identification. Other examples encompass bootparams.byname for boot file paths and ypservers for listing domain servers. The master-slave architecture ensures map consistency and availability, with the master server maintaining authoritative copies updated directly from the ASCII source files. After modifications to sources, the master rebuilds s using the makedbm utility, a process automated by a Makefile in /var/yp that handles compilation for the entire domain. Updated maps are then pushed to slave servers via the yppush command, while slaves can also pull changes periodically using ypxfr to maintain synchronization. This replication mechanism supports redundancy and load distribution without requiring clients to rebind during updates.

Protocols and Implementation

RPC Integration

The Network Information Service (NIS), originally known as Yellow Pages (YP), relies on Sun's Open Network Computing (ONC) Remote Procedure Call (RPC) protocol for client-server communication, enabling distributed queries across networked systems. NIS procedures are defined under RPC program number 100004, supporting versions 1 (YPVERS_ORIG) and 2 (YPVERS), which allow compatibility between different implementations while maintaining core functionality for map lookups and domain management. This integration leverages ONC RPC's external data representation (XDR) for encoding requests and responses, ensuring portability across heterogeneous Unix-like environments. Service discovery in NIS begins with the portmapper daemon, which operates on TCP and UDP port 111 to map RPC program numbers to dynamic or fixed server ports, a mechanism fundamental to ONC RPC operations. The ypserv daemon, responsible for handling NIS queries, typically binds to dynamic ports but is often configured to a fixed port such as UDP/TCP 834 to facilitate firewall rules and consistent access. These ports enable clients to locate and invoke NIS services after initial portmapper consultation, supporting both broadcast and directed RPC calls. Core NIS procedures over RPC include YPPROC_DOMAIN (procedure 1), which checks if a server handles a specific domain and returns a boolean indicating non-membership if unsupported; YPPROC_MATCH (procedure 3), used for retrieving a value associated with a given key in a map; YPPROC_FIRST (procedure 4), which initiates iteration by returning the first key-value pair in a map; and YPPROC_NEXT (procedure 5), which retrieves subsequent pairs during traversal. These procedures facilitate stateless request-response interactions, primarily over UDP for efficiency, with fallback to TCP for larger transfers or reliability needs, as per ONC RPC specifications. The protocol details for YP version 1 are outlined in Sun Microsystems' YP Protocol Specification, with RPC foundations in the ONC RPC version 2 document.

Configuration and Tools

Configuring an NIS server on Unix-like systems typically begins with installing the necessary packages, such as ypserv, which provides the core daemon for serving NIS maps. Administrators then define the NIS domain by setting the NISDOMAIN variable in /etc/sysconfig/network (e.g., NISDOMAIN=mynisdom) and configure access controls in files like /etc/ypserv.conf for allowed hosts and /var/yp/securenets for network permissions (e.g., 255.255.255.0 192.168.1.0 to permit a subnet). To specify the maps to build, such as passwd, group, and hosts, edit /var/yp/Makefile under the all: target (e.g., all: passwd group hosts auto.master), optionally setting flags like MERGE_PASSWD=false for custom integrations. The ypinit utility is then executed as the master server with /usr/lib64/yp/ypinit -m, prompting for slave server hostnames to initialize the domain subdirectory in /var/yp, build the maps, and configure replication; for slave servers, use ypinit -s to pull initial maps. Finally, start the services with commands like service ypserv start, service ypxfrd start (for map transfers to slaves), and service yppasswdd start, enabling them via chkconfig for boot persistence, while adjusting firewall rules to allow RPC ports such as 111, 834, and 835. On the client side, installation involves packages like ypbind, which handles binding to an NIS server. Set the using domainname or by editing /etc/defaultdomain, then configure binding in /etc/yp.conf with entries like domain mynisdom server nismaster to specify the server explicitly, avoiding broadcast discovery for reliability. To enable NIS lookups, modify /etc/nsswitch.conf to include nis after files for relevant databases, such as passwd: files nis or group: files nis, which can be achieved by copying a template like cp /etc/nsswitch.nis /etc/nsswitch.conf or using tools like authconfig --enablenis. Start the ypbind daemon with ypbind -broadcast for automatic server discovery or via service ypbind start, verifying binding with ypwhich to confirm the active server. Several command-line tools facilitate NIS management and querying. The ypcat command dumps the contents of an entire , such as ypcat passwd to display all user entries, useful for verification. ypmatch queries specific keys within a , for example ypmatch username passwd to retrieve details for a user, supporting for targeted lookups. yppush propagates map updates from the master to slaves after changes, invoked automatically by make in /var/yp but runnable manually as yppush passwd to push the passwd . The rpc.yppasswdd daemon runs on the master server to handle remote password changes via yppasswd, updating the passwd and pushing revisions while enforcing policies like minimum length. NIS integrates with the Name Service Switch (NSS) framework in through the libnss_nis module, which implements the nis backend for ordered database lookups as defined in /etc/nsswitch.conf. This module, formerly embedded in glibc and now standalone for and TI-RPC support, allows applications to query local files first (e.g., /etc/) before falling back to NIS maps, ensuring compatibility without replacing system files. For instance, configuring passwd: compat files nis enables shadow password support alongside NIS, with libnss_nis handling the RPC calls to the bound server.

Security

Vulnerabilities

The suffers from several fundamental security flaws stemming from its design, which prioritizes convenience over protection in distributed Unix environments. These vulnerabilities expose sensitive data and enable unauthorized access, making NIS unsuitable for untrusted networks. A primary weakness is the exposure of password information, as NIS clients can retrieve the entire map, including encrypted passwords hashed with weak algorithms like DES via the function. For instance, commands such as ypcat passwd.byname allow any authorized client to dump the full list of usernames and hashed passwords to a file, facilitating offline cracking attacks using tools like Crack, especially since NIS often merges /etc/ and /etc/shadow without robust shadow support across platforms. This unencrypted transmission of hashes over the network further amplifies the risk, as intercepted data can be subjected to or brute-force attacks. NIS relies on (RPC) protocols that lack built-in authentication mechanisms, permitting unauthenticated queries and responses. Clients verify servers only by , without cryptographic validation, allowing attackers on the network to spoof NIS servers and impersonate legitimate ones via man-in-the-middle (MITM) attacks. This enables the injection of falsified maps, such as altered passwd entries granting unauthorized privileges, and exposes the system to denial-of-service (DoS) disruptions by overwhelming RPC ports. Early NIS implementations used network broadcasts for server discovery, inadvertently revealing domain names and server details to passive listeners using sniffers like or snoop. Even in unicast configurations, the plaintext RPC traffic remains interceptable in shared or untrusted segments, compounding risks in environments without segment isolation. Historical exploits have demonstrated these flaws in practice, including tools like ypx for remotely extracting and cracking password maps, and custom programs such as ypfake to spoof UDP-based NIS responses and insert malicious user entries before legitimate replies arrive. Buffer overflows in related RPC services have also been targeted, though vendor patches addressed some instances; overall, these issues have rendered NIS insecure for internet-facing deployments, with successors like NIS+ introducing to mitigate core problems.

Mitigation Strategies

To mitigate security risks in Network Information Service (NIS) deployments, network isolation is essential, confining NIS traffic to trusted local area networks (LANs) through firewall configurations that block external access to critical ports. Specifically, firewalls should restrict UDP/TCP ports 111 (portmapper), 834 (ypserv), and 835 (rpc.ypxfrd), ensuring that NIS queries and responses remain within segmented, secure internal networks to prevent interception or unauthorized access over public or untrusted connections. This approach aligns with vendor recommendations to avoid exposing NIS services to the internet, as emphasized in documentation from the early 2000s onward. Utilizing shadow passwords provides another key defense by separating sensitive password hashes from the publicly accessible /etc/passwd file. Administrators can configure systems to store passwords locally in /etc/shadow while serving only non-password-related maps (such as group or hosts) over NIS, thereby avoiding the transmission of hashed credentials across the network. For environments requiring synchronization, alternative distribution methods like or rdist can be employed for shadow files instead of NIS, further reducing exposure. If secure RPC is available and configured, it can enhance for password updates via yppasswdd, though this is limited to compatible implementations. To limit exposure without fully disabling NIS, administrators should serve only essential maps and restrict access granularly. For instance, exclude sensitive maps like passwd.byname or passwd.byuid from distribution, focusing instead on non-critical data such as netgroups or aliases, and use tools like ypwhich to verify the NIS server's identity and prevent man-in-the-middle risks during client binding. The /var/yp/securenets file (or /etc/ypserv.conf) enables network-level restrictions by specifying allowed IP ranges or netmasks, such as permitting only local subnets (e.g., 255.255.255.0 192.168.1.0) while denying broader access. Clients should be configured to query specific servers explicitly via /etc/yp.conf, avoiding insecure broadcast modes that could reveal server details to unauthorized hosts. Ongoing monitoring and auditing are crucial for maintaining NIS . Tools like rpcinfo can be used to inspect active RPC services, including ypserv and portmapper, ensuring only necessary daemons are running and ports are correctly bound. Regular checks via jobs, such as ypxfr for map synchronization on slave servers (scheduled 1-2 times daily), help detect inconsistencies or unauthorized changes. Vendor guidelines strongly advise disabling NIS entirely on hosts connected to the or untrusted networks, prioritizing its use only in air-gapped or fully controlled environments.

Successors

NIS+

NIS+ was developed by and introduced in 1992 as part of Solaris 2.0, serving as a non-backward-compatible to the original NIS to address its limitations in and . Unlike NIS, which relied on flat files and simple broadcasting, NIS+ introduced a hierarchical structured like a , allowing for organized domains and subdomains that could be administered independently. It also incorporated fine-grained access controls, enabling administrators to define read, modify, create, and delete permissions for objects based on principals, groups, and levels. Key enhancements in NIS+ focused on improving security and manageability for enterprise environments. It integrated RPCSEC_GSS for robust authentication and optional encryption, supporting mechanisms like Kerberos to protect data in transit and verify principal identities beyond the basic AUTH_DES used in earlier versions. Data organization shifted from NIS's flat maps to structured directory tables, which stored such as user credentials, host details, and services in relational-like entries within NIS+ directories, facilitating queries and updates across a distributed . For scalability in large enterprises, NIS+ supported federation through its hierarchical structure, where multiple domains could be linked, allowing replication across servers and load balancing for networks with thousands of clients. Implementation of NIS+ involved specific daemons and administrative tools tailored for its client-server . The primary daemon, rpc.nisd, handled service requests, namespace , and compatibility modes for legacy NIS clients, running on master and servers to maintain consistency. Administrative tasks utilized commands like nisauthconf for managing credentials and , alongside nlsadmin for server configuration and nisadd for adding directories and tables. Storage backends included the original DBM format for smaller setups and the more efficient NDBM for production environments, which supported concurrent access and logging for better performance in replicated scenarios. Despite these advancements, NIS+ saw limited adoption due to its complex administration, which required specialized knowledge for setting up hierarchies, credentials, and replication—often overwhelming for teams accustomed to simpler NIS operations. This complexity, combined with the rise of open standards, contributed to its decline; deprecated NIS+ in Solaris 10 and fully removed it from Solaris 11 in 2011, recommending migration to LDAP for directory services.

LDAP and Other Alternatives

The (LDAP) emerged as a key successor to NIS, providing a standardized protocol for accessing and managing distributed directory information services. Defined as an IETF proposed standard in RFC 4510 (2006), LDAP enables hierarchical, searchable directories that support operations like adding, deleting, and modifying entries in a tree-structured . It incorporates robust mechanisms, including (SASL) for flexible credential handling and (TLS) via StartTLS for encrypted communications, addressing NIS's lack of built-in security. LDAP has achieved widespread adoption, powering systems such as Microsoft's , which uses LDAP versions 2 and 3 for directory queries and updates, and open-source implementations like , an extensible server suite for LDAPv3 compliance. Beyond LDAP, other protocols have partially supplanted NIS functionalities in modern networks. The (DNS), outlined in RFC 1035 (1987), handles hostname resolution and more efficiently than NIS's flat maps, supporting hierarchical delegation and caching for global scalability. For authentication, Kerberos (RFC 4120, 2005) provides ticket-based , emphasizing mutual authentication and session keys to mitigate replay attacks, often integrated with LDAP directories. In Linux environments, the (SSSD) facilitates integration by combining multiple backends—such as LDAP, Kerberos, and local files—into a unified , enabling caching, offline access, and for enterprise authentication. Migration from NIS to LDAP typically involves exporting NIS data into LDAP-compatible formats and reconfiguring clients. Tools like the open-source MigrationTools suite generate LDIF (LDAP Data Interchange Format) files from NIS maps for users, groups, and hosts, allowing import into LDAP servers via scripts such as migrate_all_offline.sh. Oracle Solaris provides the NIS-to-LDAP transition service (N2L), which automates schema mapping and client reconfiguration using idmapd for identity mapping. For compatibility, the nss_ldap module extends the Name Service Switch (NSS) to query LDAP directories as a drop-in replacement for NIS, supporting maps like passwd and hosts without altering applications. Red Hat's migration scripts in /usr/share/openldap/migration/ further assist by converting authentication data into LDAP entries. LDAP offers significant advantages over NIS, including encrypted channels via TLS to protect against eavesdropping and man-in-the-middle attacks, unlike NIS's plaintext RPC transmissions. Its scalable, replicated architecture supports multimaster updates and multi-protocol access (e.g., via HTTP or gateways), enabling consolidation of diverse data sources in large enterprises. By the early 2000s, LDAP had become the for directory services, with widespread deployment in Unix/ and Windows ecosystems due to its compatibility and extensibility through schema extensions.

Legacy and Current Status

Deprecation in Modern Systems

The deprecation of Network Information Service (NIS) in major operating system distributions reflects a shift away from its outdated architecture toward more secure and scalable directory services. In 11, released in 2011, NIS server software is not installed by default and must be explicitly enabled, with official emphasizing the need to disable it on systems not acting as NIS servers to minimize risks. Similarly, in Red Hat Enterprise Linux 7 (2014) and subsequent versions, the ypbind package required for NIS client functionality is not installed by default, requiring manual installation and configuration. This trend continued with NIS components marked as deprecated in Red Hat Enterprise Linux 8.3 (2021) and fully removed in Red Hat Enterprise Linux 9 (2022). Ubuntu 18.04 LTS (2018) follows suit through benchmarks that mandate removal of the NIS package to reduce the risk of inadvertent activation of NIS services. In BSD variants like , NIS remains supported but is increasingly phased out in , with LDAP recommended as the preferred alternative for centralized and naming services. The primary reasons for this deprecation stem from NIS's inherent security limitations, which cannot be adequately addressed without a fundamental redesign. NIS lacks host mechanisms and transmits all data, including sensitive , over in unencrypted form, making it vulnerable to and unauthorized access by modern standards. Additionally, more robust alternatives such as LDAP provide enhanced features like , access controls, and scalability, rendering NIS obsolete for contemporary networked environments. , the original developer, announced the end-of-life for NIS around 2004, urging migration to LDAP, while its successor NIS+ faced similar deprecation prior to Solaris 9 in 2002. distributions accelerated this process, with removing NIS user-space utilities in Fedora 38 (2023) and openSUSE discussing full retirement due to the protocol's age and flaws as of 2022. Documentation in modern systems has evolved to reflect NIS's obsolescence, with manual pages and configuration guides issuing warnings against its use except in controlled legacy scenarios. For instance, the ypbind in Linux distributions notes its reliance on outdated RPC mechanisms and advises caution due to security implications. To maintain compatibility with existing NIS deployments, systems employ Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) configurations, such as the "nis" profile in tools like authselect, which allow limited integration without full NIS activation. This approach ensures backward compatibility while discouraging new implementations.

Remaining Use Cases

Despite widespread , the Network Information Service (NIS) continues to see limited use in legacy Unix environments as of 2025, particularly where modernization efforts have not yet been completed. Systems such as AIX and older Solaris installations, which remain operational in certain enterprise and industrial settings, often retain NIS for basic user and host information sharing due to its simplicity in non-internet-connected setups. Similarly, some () clusters and isolated networks rely on NIS for centralized configuration where external directory services are impractical. New deployments of NIS are minimal, with major distributions like (RHEL) having removed core packages such as ypserv, ypbind, and yp-tools starting in RHEL 9, following deprecation in RHEL 8.3. However, optional support persists in distributions like (where the nis package is available in Ubuntu 24.04 LTS and later) and Leap 15.6 (2024), though not installed by default and discouraged for new uses. Maintenance occurs through optional third-party or community repositories, including the ypserv project on , which provides an actively ported version supporting and TI-RPC for compatible legacy setups, though not integrated into standard EPEL repositories for recent releases, and continues to receive updates as of 2025. In academic and hobbyist contexts, NIS is occasionally employed in virtualized environments, such as VMware-hosted Solaris instances, to demonstrate traditional Unix networking concepts without requiring modern protocols. Key challenges for these remaining implementations include infrequent security patching, as upstream support has waned. Integration with containerized or Kubernetes-based systems is strongly discouraged due to compatibility issues and heightened risks in dynamic environments, often requiring discouraged patterns that complicate . Looking ahead, NIS is projected to approach full obsolescence by 2030, driven by ongoing migrations to more secure alternatives; tools like offer NIS compatibility modes, enabling gateways for gradual transitions in legacy setups by exporting user, group, and automount data via LDAP while supporting NIS clients during the shift.

References

  1. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/nis
  2. https://docs.oracle.com/cd/E19683-01/817-4843/6mkbebda4/index.html
  3. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/security_guide/s1-server-nis
  4. https://www.computer-dictionary-online.org/definitions-n/network-information-service
  5. https://docs-archive.freebsd.org/doc/7.4-RELEASE/usr/share/doc/handbook/network-nis.html
  6. https://tldp.org/LDP/nag/node137.html
  7. https://www.linuxjournal.com/article/2624
  8. https://docs.oracle.com/cd/E19253-01/816-4556/anis1-25461/index.html
  9. https://www.oreilly.com/library/view/ldap-system-administration/1565924916/ch06.html
  10. https://docs-archive.freebsd.org/doc/9.3-RELEASE/usr/share/doc/freebsd/pl/books/handbook/network-nis.html
  11. https://www.infoworld.com/article/2275713/why-sun-s-nis-will-never-die.html
  12. https://www.linux.com/news/introduction-nis-network-information-service/
  13. https://betawiki.net/wiki/SunOS_2.0
  14. https://www.oreilly.com/library/view/red-hat-r-linux-r/0672319853/0672319853_ch15.html
  15. https://docs.oracle.com/cd/E26502_01/html/E29031/ypserv-1m.html
  16. https://www.linuxfocus.org/English/July2001/article148.shtml
  17. https://tldp.org/HOWTO/NIS-HOWTO/
  18. https://bitsavers.trailing-edge.com/pdf/sun/sunos/3.0/800-1324-03B_Networking_on_the_Sun_Workstation_198602.pdf
  19. https://www.ibm.com/docs/ssw_aix_72/networkinformation/nis_intro.html
  20. https://docs-archive.freebsd.org/doc/10.3-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/network-nis.html
  21. https://www.ibm.com/docs/ssw_aix_72/networkinformation/nis_maps.html
  22. https://docs.oracle.com/cd/E19253-01/816-4556/anis1-24268/index.html
  23. https://datatracker.ietf.org/doc/html/rfc1057
  24. https://sites.uclouvain.be/SystInfo/usr/include/rpcsvc/yp_prot.h.html
  25. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/security_guide/s2-server-nis-ports
  26. https://docs.oracle.com/cd/E36784_01/html/E36871/ypserv-1m.html
  27. https://docs.oracle.com/en/operating-systems/oracle-linux/6/admin/configure-nis-server.html
  28. https://docs.oracle.com/cd/E19455-01/806-1386/6jam5ahml/index.html
  29. https://help.ubuntu.com/community/SettingUpNISHowTo
  30. https://docs.oracle.com/cd/E19455-01/806-1387/6jam692cl/index.html
  31. https://nixdoc.net/man-pages/HP-UX/man1m/ypserv.1m.html
  32. https://linux.die.net/man/8/rpc.yppasswdd
  33. https://github.com/thkukuk/libnss_nis
  34. https://packages.debian.org/sid/libnss-nis
  35. https://www.giac.org/paper/gsec/180/security-issues-nis/100657
  36. https://www.eng.auburn.edu/users/doug/nis.html
  37. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/security_guide/sec-securing_services
  38. https://www.researchgate.net/publication/2605756_A_Unix_Network_Protocol_Security_Study_Network_Information_Service
  39. https://www.linux.com/news/best-practices-nis-use/
  40. https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-nis.html
  41. https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch02_02.htm
  42. https://docs.oracle.com/cd/E19455-01/806-1387/6jam69277/index.html
  43. https://docs.oracle.com/cd/E19253-01/816-4558/nisplusadmin-1/index.html
  44. https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joane/index.html
  45. https://docs.oracle.com/cd/E18752_01/html/816-4558/adtable-1.html
  46. https://www.ibm.com/docs/en/aix/7.1?topic=services-nis-nis-differences
  47. https://docs.oracle.com/cd/E18752_01/html/816-4558/a10dirs-22329.html
  48. https://man.freebsd.org/cgi/man.cgi?query=nis&sektion=1&manpath=SunOS%2B5.9
  49. https://docs.oracle.com/cd/E19253-01/816-4556/aagloss-87604/index.html
  50. http://sunsite.uakom.sk/sunworldonline/swol-10-1996/swol-10-security.html
  51. https://www.oracle.com/solaris/technologies/end-of-feature-notices-solaris11.html
  52. https://datatracker.ietf.org/doc/html/rfc4510
  53. https://datatracker.ietf.org/doc/html/rfc4513
  54. https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/lightweight-directory-access-protocol-ldap-api
  55. https://www.openldap.org/
  56. https://datatracker.ietf.org/doc/html/rfc1035
  57. https://datatracker.ietf.org/doc/html/rfc4120
  58. https://sssd.io/
  59. http://www.padl.com/OSS/MigrationTools.html
  60. https://docs.oracle.com/cd/E20295_01/html/821-1217/migrate.html
  61. https://linux.die.net/man/5/nss_ldap
  62. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s2-ldap-migrate
  63. https://docs.oracle.com/cd/E19261-01/820-2760/partadv/index.html
  64. https://www.tenable.com/audits/items/CIS_Oracle_Solaris_11.4_L1_v1.0.0.audit:eb4aca7779ac63112f5ee577df945d85
  65. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring-nis-auth
  66. https://access.redhat.com/solutions/5991271
  67. https://www.tenable.com/audits/items/DISA_STIG_Ubuntu_18.04_LTS_v2r8.audit:c1339a81cbec1f9bd8c17f25c1903f7f
  68. https://docs.freebsd.org/en/books/handbook/network-servers/
  69. https://www.linux.com/news/sysadmin-sysadmin-nis-end-life-and-ldap-0/
  70. https://fedoraproject.org/wiki/Changes/retire_NIS_user_space_utils
  71. https://lists.opensuse.org/archives/list/[email protected]/thread/R2BTCB7MUC7CHG2NJVIRHP674UFM7RHB/
  72. https://linux.die.net/man/8/ypbind
  73. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel
  74. https://www.ibm.com/docs/en/aix/7.2?topic=nn-network-information-service-nis
  75. https://support.oracle.com/knowledge/Sun%20Microsystems/1007316_1.html
  76. https://forums.rockylinux.org/t/nis-on-rocky-rhel-9/11227
  77. https://launchpad.net/ubuntu/+source/nis
  78. https://doc.opensuse.org/documentation/leap/security/html/book-security/
  79. https://github.com/thkukuk/ypserv
  80. https://community.unix.com/t/nis-on-vmware-workstation/272250
  81. https://www.thkukuk.de/nis/nis/ypserv/
  82. https://forums.rockylinux.org/t/nis-to-ldap-migration/19169
  83. https://www.freeipa.org/page/Howto/Migration
Add your contribution
Related Hubs
User Avatar
No comments yet.