From owner-freebsd-isp  Tue Nov 19 23:23:21 1996
Return-Path: owner-isp
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id XAA10418
          for isp-outgoing; Tue, 19 Nov 1996 23:23:21 -0800 (PST)
Received: from mail.webspan.net (mail.webspan.net [206.154.70.7])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA10408
          for <freebsd-isp@freebsd.org>; Tue, 19 Nov 1996 23:23:19 -0800 (PST)
Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) 
          by mail.webspan.net (8.7.5/8.7.3) with ESMTP id CAA04858;
          Wed, 20 Nov 1996 02:22:17 -0500 (EST)
Received: from orion.webspan.net (localhost [127.0.0.1]) 
          by orion.webspan.net (8.7.5/8.7.3) with ESMTP id CAA07067;
          Wed, 20 Nov 1996 02:22:12 -0500 (EST)
To: Justin Harvey <jbh@netpci.com>
cc: Michael Dillon <michael@memra.com>, freebsd-isp@freebsd.org
From: "Gary Palmer" <gpalmer@freebsd.org>
Subject: Re: Stupid question no 10101 
In-reply-to: Your message of "Fri, 15 Nov 1996 14:56:18 -1000."
             <Pine.BSF.3.91.961115145434.23937D-100000@delenn.netpci.com> 
Date: Wed, 20 Nov 1996 02:22:12 -0500
Message-ID: <7065.848474532@orion.webspan.net>
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Justin Harvey wrote in message ID
<Pine.BSF.3.91.961115145434.23937D-100000@delenn.netpci.com>:
> Or, yet another alternative is to use NIS, I know you said it was 
> insecure but you need to define 'insecue'.  I bet it would be more secure 
> than whatever kind of password exchanging mechanism you're thining of 
> programming.

> NIS isn't exactly 'insecure', IMO I think it's had a bad rap due to 
> people misconfiguring it.  You can also configure NIS to share files that 
> are not defaulted with the package.

Try sharing your password file with NIS. Basically, if you use plain
old NIS, it publishes your password file (or at least the passwords of
your users) to anyone who cares to look (I've been told that there is
some program called `ypghost' which lets people do this). I, for one,
don't want my users passwords disseminated to anyone who wants an easy
back-door into our system.

(and, yes, I have thought of using an access list (aka packet filter)
 on our Cisco gateway, but access lists can be bypassed, and it still
 leaves it open to all our shell users).

Makes it kinda stupid to use NIS in a shadowed password environment ...

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info