Summary: NIS (in)security

From: Alan Miller (alan@bintec.de)
Date: Mon Oct 02 2000 - 08:59:18 CDT


> After finally getting around to changing my NIS setup to keep passwds
> in the passwd.adjunct file I've discovered that it's still possible
> for NIS clients to retrieve my encrypted passwords.

Thank you all for the quick and concise responses.
  Casper Dik <Casper.Dik@holland.sun.com>
  Stephen Johnston <sjohnsto@eso.org>
  Chris Tilbury <Chris.Tilbury@warwick.ac.uk>
  Jim Matthews <j.w.matthews@home.com>
  Gabriel Rosenkoetter <gr@cs.swarthmore.edu>
  Mark Hargrave <hargrme@wisdom.maf.nasa.gov>
  Mike Salehi <mike.salehi@kodak.com>
 
The answer is quite straightforward as everybody has pointed out.

 With the passwd.adjunct file in place the ypserver ONLY responds
 to client requests originating from a priveledged ports (0-1023).

 This just blocks users processes from getting the encrypted passwords.
 
 The NIS server must provide the passwords to a root process
 otherwise there would be no way for the client to verify the
 cleartext taken in by login process.
 
 This is why:
   [ROOT@client] ypmatch -k USER passwd.adjunct.byname
 gets me USER's encrypted password from the passwd table, and
   [USER@nis-client] ypmatch -k USER passwd.adjunct.byname
 fails with a "Reason: No such map in server's" error.

Alan
+--------------------------------------------------------------------+
| Alan Miller BinTec Commmunications AG |
| System/Network Administrator Südwestpark 94 |
| Voice: +49 911 96 73 14 55 D-90449, Nürnberg |
| Fax: +49 911 96 73 14 99 Germany |
| mailto:alan@bintec.de http://www.BinTec.de |
+--------------------------------------------------------------------+



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:18 CDT