On Tue, Oct 12, 1999 at 11:50:56AM +0300, [EMAIL PROTECTED] wrote:
> Well, may ypcat truely reviels the shadow password list (and you can read
> it with a sniffer), but what about authentification?
> Maybe while authenticating users, only the master server compares the user
> password with the password list on its local machine and just returns a
> yes/no reply? (Sort of an opposite challenge/respone mechanism)
NIS works by "emulating" /etc/passwd and other files and plugging into
the standard getpw* libc calls. So you don't have to recompile an app
for it to use NIS. Thus it has to download the password hash from the
server so that getpw* can return it to the program. And sending the
hash over the network to the server for comparison won't help a lot
because you can still sniff hashes from successful logins.
> Anyway, shadow passwords are supposed to be tough to crack, aren't they?
Not in the standard DES format. Dictionary attacks are often very
effective. Red Hat 6 introduced MD5 shadow passwords (that have been
there all along in OpenBSD, and I think in FreeBSD too), but that has
nothing to do with NIS. (I wonder what happens if such a Red Hat box
is used as a NIS server for other stations? Will it work properly?)
--
Alex Shnitman | http://www.debian.org
[EMAIL PROTECTED], [EMAIL PROTECTED] +-----------------------
http://alexsh.hectic.net UIN 188956 PGP key on web page
E1 F2 7B 6C A0 31 80 28 63 B8 02 BA 65 C7 8B BA
The best way to accelerate a Windows NT server is at 9.8 m/s^2.
-- Shaul Rosenzweig
PGP signature
