From: Tillman Hodgson
To: freebsd-security@freebsd.org
Date: Thu, 25 Sep 2003 13:03:56 -0600
Subject: Re: unified authentication
Message-ID: <20030925130356.S18252@seekingfire.com>
In-Reply-To: <20030925124655.C31322@localhost>
References: <20030925124655.C31322@localhost>

On Thu, Sep 25, 2003 at 12:58:25PM -0400, Matthew George wrote:
> On Thu, 25 Sep 2003, Robert Watson wrote:
>
> > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> > access) between a set of trusted hosts, with no modifications to the
> > privileged port set, should be fairly safe against unprivileged users
> > logged into the machines. The same goes for NFS. If you break any of
> > these assumptions, then the security properties go out the window.
>
> It should probably also be noted that when using NIS in a multi-platform
> environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
> FreeBSD machines only, the passwd maps are generated without password
> fields, the master.passwd maps are generated with them, and only requests
> from privileged ports (superuser requests) will be given the master.passwd
> maps (hence the comment above about modifying the privileged port set).
> Other operating systems' NIS implementations require the password fields
> to be in the passwd maps, which are available to unprivileged users.

Or one could put something like "*" or "krb5" in the password field and
use Kerberos with NIS to obtain extra security in a cross-platform
environment.

-T

--
In the beginner's mind there are many possibilities. In the expert's mind
there are few.
        - Suzuki-roshi
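A small audit helper for the point discussed in this thread (an added example, not code from the list posters or from FreeBSD): it reads a NIS passwd map in the form `ypcat passwd` returns and reports any entry whose password field still carries a hash rather than a placeholder such as "*" or "krb5". The sample map below is constructed for the demonstration; the "x" placeholder accepted alongside "*" and "krb5" is an assumption of this script.

```shell
#!/bin/sh
# Audit a NIS passwd map (text as printed by `ypcat passwd`, read from stdin).
# Exit 0 when every entry has a placeholder password field ("*", "*LOCKED*",
# "x" or "krb5"); otherwise print the exposed accounts and exit 1.
audit_passwd_map() {
    awk -F: '
        NF < 7 { next }                              # skip malformed lines
        $2 == "" { bad[n++] = $1 ": empty password field"; next }
        $2 ~ /^\*/ || $2 == "x" || $2 == "krb5" { next }   # placeholders
        { bad[n++] = $1 ": hash present" }           # a real hash leaked to the map
        END {
            for (i = 0; i < n; i++) print bad[i]
            if (n > 0) exit 1
            exit 0
        }'
}

# Constructed sample map: two safe entries, one leaked hash, one empty field.
SAMPLE_MAP='alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:krb5:1002:1002:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$ijklmnopqrstuvwxyz012345:1003:1003:Carol:/home/carol:/bin/sh
dave::1004:1004:Dave:/home/dave:/bin/sh'

# Constructed map in which every password field is a placeholder.
SAFE_MAP='alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:krb5:1002:1002:Bob:/home/bob:/bin/sh'

# Demonstration run; on a live NIS client you would pipe `ypcat passwd` instead.
printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map || echo "exposed entries found"
```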