Jae-young Kim <[EMAIL PROTECTED]> wrote:

>       I'm going to install NIS+ on my AFS client machine running Solaris
>2.5. I'm curious if there's any problem with AFS and NIS+. I think I've
>seen that kind of problem somewhere. Right now, we have both AFS users
>and yp-based non-AFS users. Can it be a problem to install NIS+ with the
>security level 2 under this environment?

The problem I have seen with NIS (but I don't know if it affects NIS+)
is that any user can "ypcat passwd" and be presented with a copy of the
NIS master passwd file containing encrypted NIS passwords.

Why is this a problem? It is fairly trivial to use the publicly available
"crack" program to guess passwords.

NB: AFS passwords from your kaserver(s) are never presented by "ypcat".

IMHO, for your users with $HOMEs in /afs, you should replace their encrypted
password with an "X" and have "AFS aware" login. Also, the only users
you allow to login to your AFS dbservers running kaserver are SysAdmins.

Hope this helps...
-- 
paul                             http://acm.org/~mpb
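A defender-side check for the exposure described above, added here as an example and not part of the original message: it parses passwd-format lines of the kind `ypcat passwd` returns and lists accounts whose password field still publishes a crypt hash rather than a placeholder such as the suggested "X". The sample map, the `exposed_accounts` helper and the set of placeholder values are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit a NIS passwd map for published password hashes (hypothetical
helper; the sample map is constructed, not real data)."""
import sys

# Password-field values that carry no crackable hash (assumed set;
# "*LK*" and "NP" are Solaris locked / no-password markers).
PLACEHOLDERS = {"", "x", "X", "*", "!", "!!", "NP", "*LK*"}

def has_crackable_hash(field):
    """True if the passwd field looks like a real crypt(3) hash."""
    f = field.strip()
    if f in PLACEHOLDERS or f.startswith(("!", "*")):
        return False
    # Classic DES crypt is 13 chars; modular formats begin with '$'.
    return len(f) == 13 or f.startswith("$")

def exposed_accounts(passwd_text):
    """Return (user, home) for entries that still publish a hash."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess
        name, pw, home = fields[0], fields[1], fields[5]
        if has_crackable_hash(pw):
            exposed.append((name, home))
    return exposed

# Constructed sample of what `ypcat passwd` might return.
SAMPLE_MAP = """\
root:*:0:1:Super-User:/:/sbin/sh
alice:X:1001:10:Alice (AFS):/afs/example.org/user/alice:/bin/csh
bob:ab7Vx1QwErTyU:1002:10:Bob:/afs/example.org/user/bob:/bin/csh
carol:$1$saltsalt$hashhashhashhashhashhas:1003:20:Carol:/home/carol:/bin/sh
dave:x:1004:20:Dave:/home/dave:/bin/sh
"""

def main():
    # Read a real map from stdin (e.g. `ypcat passwd | ...`), else use sample.
    text = SAMPLE_MAP if sys.stdin.isatty() else sys.stdin.read()
    for name, home in exposed_accounts(text):
        where = "AFS home" if home.startswith("/afs/") else "local home"
        print(f"{name}: hash published in NIS map ({where})")

if __name__ == "__main__":
    main()
```

Accounts with an AFS home that still show a hash are the ones the reply suggests switching to "X" with an AFS-aware login.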
