On Fri, 3 Sep 1999, kiko wrote:
> On Fri, 27 Aug 1999, Hugo wrote:
>
> > Anyone able to help me with the problem outlined below? Maybe point me
> > to a HOW-TO on the web somewhere or some other information pages (man
> > pages for shadow passwords are not much good I am afraid).
>
> YP passwords are NEVER shadowed. Blame Sun for that, or try something
> else, but don't complain that you get the full password when doing a
> ypcat: you'll never see an x there.
Yep, this is a misfeature of NIS (the name YP must not be used, as
several companies, esp. those dealing with telephones, have a trademark on
YP). It would have been better if this information were available to
root processes only, and best of all if encrypted passwords never left the
server, but at the time NIS was designed the only known alternative
probably was to transfer clear text passwords, which is even worse.
Anyway, the old NIS is still a de facto standard. If you have to live with
it for compatibility with other systems, you must:
a) Consider any account on your machine a risk. A person breaking into a
   user account, regardless of how unimportant it is, gets hold of all
   encrypted passwords. Ensure there are NO weak passwords on such a
   machine.
   People you cannot trust must either not get a shell at all or a
   restricted shell, maybe in a setrootfs'ed environment (which is
   difficult to configure).
b) Consider your NIS domain name as a password. ANYONE in possession of
   that domain name is able to masquerade as one of your clients
   and query the full database of encrypted passwords from your NIS
   server. There are some NIS ports (and I assume the Linux version
   falls among these) which allow restricting the range of IP addresses
   of clients an NIS server will respond to, for this very same reason.
   It is a very, very bad (but common) idea to use your DNS domain name
   or a part thereof as your NIS domain. Unfortunately it is usually
   possible to derive the NIS domain name from the names of some files on
   the machines. However, if someone is in there, he can get the passwords
   anyway (ypcat, see above).
If you are not forced to use NIS as the common denominator of a bunch
of different architectures, you might consider other such systems.
I've no experience there myself, and I don't know if there is a port for
Linux, but usually Kerberos is mentioned under such circumstances.
Michael.
--
Michael Weller: [EMAIL PROTECTED], [EMAIL PROTECTED],
or even [EMAIL PROTECTED] If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
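A defensive check for point b) of the message above, added here as an example and not the poster's code. It assumes the /var/yp/securenets format used by Linux ypserv (one "netmask network" rule per line, "host <addr>" for a single host, '#' comments, a client is answered if any rule covers it); the sample file is constructed.

```python
"""Audit a ypserv-style securenets file: work out which NIS clients the
server would answer, and flag rules that hand the password map to far more
than one site (so the domain name is the only thing protecting ypcat)."""
import ipaddress
from typing import List

# Constructed sample file (not from the thread): a loopback rule, one site
# subnet, one single host, and a catch-all line left over from testing.
SAMPLE_SECURENETS = """\
# loopback
255.0.0.0       127.0.0.0
# workstation LAN
255.255.255.0   192.168.10.0
host            192.168.20.5
# left over from testing: answers anyone who knows the domain name
0.0.0.0         0.0.0.0
"""


def parse_securenets(text: str) -> List[ipaddress.IPv4Network]:
    """Turn securenets lines into IPv4Network rules, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        mask, net = line.split()
        if mask == "host":                      # "host a.b.c.d" == /32
            mask = "255.255.255.255"
        # strict=False tolerates host bits set in the network field
        rules.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return rules


def client_allowed(rules: List[ipaddress.IPv4Network], client: str) -> bool:
    """Would ypserv answer this client address under the given rules?"""
    addr = ipaddress.IPv4Address(client)
    return any(addr in rule for rule in rules)


def overly_broad_rules(rules: List[ipaddress.IPv4Network],
                       max_prefix: int = 8) -> List[str]:
    """Rules shorter than /max_prefix expose the maps beyond one site."""
    return [str(r) for r in rules if r.prefixlen < max_prefix]


if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    print("allows 203.0.113.7:", client_allowed(rules, "203.0.113.7"))
    print("overly broad rules:", overly_broad_rules(rules))
```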