Subject: Re: [Suns-at-Home] Housecleaning
To: None <netbsd-help@NetBSD.org>
From: Chuck Yerkes <chuck+nbsd@2003.snew.com>
List: netbsd-help
Date: 12/16/2003 18:42:29
Quoting Alan Horn (ahorn@deorth.org):
> I have used it in networks of several
> hundred hosts in the past with no problem.

Me too.  Don't you hate it when a box that WAS a slave and
has gone down comes back?  Months later?  Serving random
people who happen to have bad luck to bind to it?

Or the fact that about anyone can get your /etc/passwd info
with some decent luck.

The only thing that justifies using NIS is the threat of having
to use NIS+.  A stupendous piece of crap.  "Oops, all the NYC
machines decided to bind to hosts across the WAN so our WAN
usage has skyrocketed from 10% to about 90% while performance
has mostly just stopped."  And Sun had no workaround for this
"oh, is that bad?" behavior.


No, other choices were HESIOD for info, Kerberos for auth or,
post 1998, LDAP.  SASL authentication (or SSL/IPSec encrypted
paths - or even private networks for a cabinet of infrastructure)
and I can scale and offer what NIS offers, just better.

> Putting aside the security issues it's a fine solution for an internal
> network in a commercial environment. Security really _is_ a whole other
> discussion here. Suffice to say that you shouldn't use NIS in any
> situation where you care about protecting access to your hosts, at least
> not without thorough understanding and investigation (e.g. not in DMZ
> hosts or publicly facing, not on high security servers, etc...)

But not the soft chewy inside?  I hate chewy insides.  Had too many
incidents on LARGE LARGE (soft chewy) networks where someone got in
SOMEwhere and was, afterwards, pretty much unrestricted.  I recall
when I was told that someone came in through a modem that was left
on, on a machine that should never have HAD a modem.  I'll not forget
that feeling as I pondered where he (usually a HE) might have gone
and what we'd have to do to verify ALL of the data.  My infrastructure
machines were locked down, despite common practices in the company.
We'd set them up as an example of how the machines SHOULD be.

I don't lock the rooms within my house, but I do secure all the machines.

(and I can glance in all the rooms and have a pretty decent idea if
something is missing or changed.  That's just hard with 50 servers
with 5TB of data.)

> I have tended not to use NIS for hosts information now though, preferring
> to rely on DNS for that.
Yes.


> a solution using rdist is of course better, but sometimes requires more
> work than a novice or even an intermediate administrator would be capable
> of, and it certainly isn't working 'out of the box'

Except for the "change the password" problem that rdist never addressed.

I'm happy to rdist/cfengine lots of config files that turn on better
authentication mechs.
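As an added example (not from the original post, and not NetBSD or Sun code), here is a small audit for the "anyone can get your /etc/passwd info" problem raised above. Any host that can reach a NIS server can pull the passwd map, so the practical check is whether the map carries real crypt(3) hashes (or empty password fields) rather than shadow placeholders. The sample map, its usernames and the hash strings in it are constructed for the example; the script assumes the seven-field passwd format that `ypcat passwd` prints and can be fed that output on stdin.

```python
"""Audit a NIS passwd map dump for exposed password hashes.

Added example, not part of the original mailing-list post. Reads text in
the seven-field passwd(5) format (what `ypcat passwd` emits) and reports
accounts whose password field is a usable crypt(3) hash, or is empty,
instead of a shadow placeholder such as "x" or "*".
"""
import re
import sys

# Traditional DES crypt: exactly 13 characters from the [./0-9A-Za-z] alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format prefixes and the algorithm each denotes.
MODULAR_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# Values that mean "no usable hash here" (shadowed or locked account).
PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", "*LK*"}


def classify_hash(field):
    """Return the hash type exposed by a passwd password field, or None.

    "empty" means no password is required at all, which is worse than a
    leaked hash; "unknown" is anything non-placeholder we cannot identify.
    """
    if field in PLACEHOLDERS:
        return None
    if field == "":
        return "empty"
    for prefix, name in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"


def find_exposed_hashes(map_text):
    """Return [(user, uid, hash_type)] for every entry that exposes a hash.

    Malformed lines (not seven colon-separated fields) are skipped; a
    non-numeric uid is reported as -1 rather than aborting the audit.
    """
    exposed = []
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_hash(pw)
        if kind is None:
            continue
        exposed.append((user, int(uid) if uid.isdigit() else -1, kind))
    return exposed


# Constructed sample map; hash strings are stand-ins in the right format.
SAMPLE_MAP = """\
root:x:0:0:root:/root:/bin/sh
alice:$6$saltsalt$hashhashhashhashhashhash:1001:1001:Alice:/home/alice:/bin/ksh
bob:AbCdEfGhIjKlM:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
dave::1004:1004:Dave:/home/dave:/bin/sh
eve:$1$abcdefgh$12345678901234567890:1005:1005:Eve:/home/eve:/bin/sh
"""


def report(map_text):
    """Render the findings as one line per exposed account."""
    lines = []
    for user, uid, kind in find_exposed_hashes(map_text):
        lines.append("%s (uid %d): %s" % (user, uid, kind))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ypcat passwd | python3 nis_passwd_audit.py
    # With no piped input, audit the constructed sample map instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAP
    print(report(text) or "no exposed hashes")
```

Every account this prints is one whose hash any NIS client on the network can fetch and crack offline; an "empty" finding means no password at all. It is only a map-content check, so it says nothing about the stale-slave problem described earlier in the thread.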