By default, VASYPD should respond to NIS bind requests only from the local host interface (127.0.0.1).
In some circumstances it is possible for a remote host to bind to the RPC service when using a broadcast request on the same network.
This is due to the behaviour of RPC and broadcast requests. VASYPD looks at the source IP of the request to determine if the bind is allowed. In the case of broadcast requests the source appears to be the local host, and thus the bind is accepted.
There is a setting available to only allow binds from interfaces that are set as "loopback".
To enable this setting, run the following command, which modifies the /etc/opt/quest/vas/vas.conf file for you:
/opt/quest/bin/vastool configure vas vasypd multihome-loopback-only true
From the vasypd man page:
<snip>
multihome-loopback-only = <boolean>
Default value: False
When vasypd gathers a list of local interfaces to allow, if this is changed to true it will only select interfaces set as loopback. This setting is supplied to stop the machine from responding to network NIS broadcast requests, as due to how RPC works the requests look like they originated from the public interface they came in on instead of an external machine, so they get past normal client-addr ignoring. But since it acknowledged the domain_ack request, the external machine could endlessly hang trying to use this machine as a NIS server. This should only be used when local ypbind talks to localhost.
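To confirm on a host that the setting described above is in effect, the following added example (not One Identity's code) reads vas.conf and reports the effective value. It assumes the file uses "[section]" headers with "key = value" lines, as the vastool command's section and key arguments suggest, and that the last occurrence of a key wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether vasypd is restricted to loopback interfaces.
# Assumption: vas.conf uses "[section]" headers and "key = value" lines.

VAS_CONF_DEFAULT=/etc/opt/quest/vas/vas.conf

# Print the effective value of multihome-loopback-only in [vasypd].
# Prints "false" when the key is absent, matching the documented default.
vasypd_loopback_only() {
    conf=${1:-$VAS_CONF_DEFAULT}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                        # section header
            sec = $0
            gsub(/^[ \t]*\[/, "", sec)       # strip leading "["
            gsub(/\].*$/, "", sec)           # strip "]" and anything after
            in_sec = (tolower(sec) == "vasypd")
            next
        }
        in_sec {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "multihome-loopback-only")
                found = tolower(val)         # assumed: last occurrence wins
        }
        END { print (found == "" ? "false" : found) }
    ' "$conf"
}

# Exit status 0 only when the loopback-only restriction is enabled.
vasypd_check() {
    [ "$(vasypd_loopback_only "$1")" = "true" ]
}
```

Calling vasypd_check with no argument inspects /etc/opt/quest/vas/vas.conf; a non-zero status means the host is still at the default and can acknowledge broadcast bind requests.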