Hello all,
        
        I've seen that some of you noticed a lot of features about
programs that downgrade the encryption method of the passwords from
MD5 to DES and that should be a shame to distribution packagers.
        The dish of the day is the Yellow Pages/NIS (NYS?) suite
shipped with the pristine RedHat 6.1. After a standard blank installation
the rpc.yppasswd (when used via yppasswd by domain lusers from all over the
place) shamelessly uses the old (deprecated?) 8-character-limited DES
password encryption, butt-slapping the idea of site security and
raising from their graves old pwcracks and John the Rippers that
could easily bruteforce into your password files. Thus your new shiny md5
crypted shadow is gone, and the 8-chars passwords are back.
        I've tested this only with RedHat 6.1 but some of you may have
the opportunity to test it with other new Linux distributions and
if it works please announce.
        To Aleph1: do not ask for a patch as in previous bounced messages,
I do not intend to take part or get involved in the YP development team,
nor in the ssh team. As a full end-user I do not care about them.
        To everyone: protect your NIS ports as required in the
ypserv config files.
        To NYS team: please provide patches for this, I love NIS, and
do not make SuSE a RedHat clone (as it is), they both suck.
        To kiddies: just press delete and move along next post, you are
too dumb to run a password cracker.

still unemployed,
--

Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------

HELP!!!! I'm being held prisoner in /usr/games/lib!
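
An added example, not part of the original post: a small audit that reads passwd(5)-format lines (for instance the output of `ypcat passwd`) and lists the accounts whose password field is a 13-character traditional DES crypt hash rather than a `$1$` MD5-crypt hash. The sample map, the user names and the hash strings are constructed placeholders, and the function names are this example's own.

```python
import re
import sys

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
# MD5-crypt: "$1$", a salt of up to 8 chars, "$", then 22 hash chars.
MD5_RE = re.compile(r"\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}")

# Constructed sample in passwd(5) format; the hashes are placeholders, not real.
SAMPLE_MAP = """\
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:500:500:Alice:/home/alice:/bin/bash
bob:abCDEFGHIJKLM:501:501:Bob:/home/bob:/bin/bash
carol:!abCDEFGHIJKLM:502:502:Carol:/home/carol:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/false
nobody:x:99:99::/:/bin/false
broken-line
"""

def classify_hash(field):
    """Return the crypt(3) scheme of one password field."""
    body = field.lstrip("!")          # a leading '!' marks a locked account
    if body in ("", "*", "x"):
        return "no-hash"              # empty, disabled or shadowed entry
    if MD5_RE.fullmatch(body):
        return "md5"
    if DES_RE.fullmatch(body):
        return "des"
    return "other"

def audit_map(text):
    """Map each user in passwd(5)-format text to its hash scheme."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue                  # skip blank or malformed lines
        result[fields[0]] = classify_hash(fields[1])
    return result

def des_accounts(text):
    """Sorted user names whose stored hash is traditional DES crypt."""
    return sorted(u for u, s in audit_map(text).items() if s == "des")

if __name__ == "__main__":
    # Audit piped input if there is any, otherwise the constructed sample.
    data = SAMPLE_MAP if sys.stdin.isatty() else sys.stdin.read()
    for user in des_accounts(data):
        print(f"{user}: DES crypt hash (8-character password limit)")
```

Accounts that still show up as `des` after a password change through NIS are the ones affected by the downgrade described above.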
