On Tue Sep 14 1999 at 17:38, kiko wrote:
> On Sun, 12 Sep 1999, Tony Nugent wrote:
>
> > What's the *point* of using shadow passwords with YP? There's no way
> > it can work without transporting this information over the network.
> > YP is inherently insecure for this reason anyway, and shouldn't be
> > used over untrusted network links.
>
> One thing is sniffing packets off the network; the other is listing the
> encrypted text to a 'ypcat passwd' user command - and, if you consider
> the security implications of remote map transfers, it's a considerable
> liability - people not even on the local network (and thus not able to
> pick off broadcasts) can pull the maps and crack the passwords.
>
> I hope my point is better stated.

Think about the semantics of doing NIS without passing this
information over the network - no way out of it.

NIS/NIS+ is inherently insecure. That's its failing, and why I say to
use it only in trusted networked environments.

Also, it's always possible to chmod 700 /usr/bin/ypcat on the clients,
but anyone who knows what they are doing can rebuild their own copy or
put together something like a perl hack to do the same thing.

What it does need (and what almost ALL network services need) is an
encryption layer that works similarly to ssh. But because of the stupid
USA laws that regard exportation of encryption code in electronic
format a crime akin to arms exportation, this won't happen.

Politicians are idiots, manipulated by the crazy paranoids at the
cia/fbi. But this is now getting off the topic and I don't want to go
too far down this road...

Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Computer Systems Officer Faculty of Science
University of Southern Queensland, Toowoomba Queensland Australia
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
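
The exposure discussed in this thread (password hashes readable by any user through `ypcat passwd`) can be audited from a client. The script below is an added example, not part of the original message: it classifies the password field of each passwd-format entry. The function names, the sample entries and the placeholder conventions it treats as "masked" (`x`, values starting with `*` or `!`, and `##name`) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format map output for password hashes that
# any user could read. On a NIS client the input would come from:
#     ypcat passwd | audit_passwd_map

audit_passwd_map() {
    awk -F: '
        NF < 7    { malformed++; next }            # not a 7-field passwd entry
        $2 == ""  { empty++; print "EMPTY   " $1; next }   # no password set
        # Assumed placeholder conventions: shadowed (x), locked (* or !),
        # or moved to an adjunct map (##name).
        $2 == "x" || $2 ~ /^[*!]/ || $2 ~ /^##/ { masked++; next }
                  { exposed++; print "EXPOSED " $1 }       # hash is in the map
        END {
            printf "exposed=%d empty=%d masked=%d malformed=%d\n",
                   exposed, empty, masked, malformed
        }'
}

# Constructed sample entries (the hash string is made up, not a real hash).
sample_map() {
    cat <<'EOF'
alice:ab1cDEFghIJkl:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:##carol:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave:/home/dave:/bin/sh
eve:*LK*:1005:100:Eve:/home/eve:/bin/sh
EOF
}

sample_map | audit_passwd_map
```

Any `EXPOSED` line means that account's hash is served to every client that can query the map, which is the liability described in the quoted reply.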