Date:      Tue, 12 Sep 2000 07:53:02 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Peter Avalos <pavalos@theshell.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ypserv giving out encrypted passwords 
Message-ID:  <200009121453.e8CErva69663@cwsys.cwsent.com>
In-Reply-To: Your message of "Tue, 12 Sep 2000 07:28:36 PDT." <Pine.LNX.4.21.0009120724330.23278-100000@arsenic.theshell.com> 

In message <Pine.LNX.4.21.0009120724330.23278-100000@arsenic.theshell.com>, Peter Avalos writes:
> 
> 
> On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
> 
> > In message <AAEMIFFLKPKLAOJHJANHOEKECEAA.pavalos@theshell.com>, "Peter Avalos" writes:
> > > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> > > 
> > > Snip from ypserv(8) manpage:
> > > 
> > >      To make up for this, the FreeBSD version of ypserv handles the
> > >      master.passwd.byname and master.passwd.byuid maps in a special way.
> > >      When the server receives a request to access either of these two maps,
> > >      it will check the TCP port from which the request originated and return
> > >      an error if the port number is greater than 1023.  Since only the
> > >      superuser is allowed to bind to TCP ports with values less than 1024,
> > >      the server can use this test to determine whether or not the access
> > >      request came from a privileged user.  Any requests made by
> > >      non-privileged users are therefore rejected.
> > > 
> > > This sounds like a wonderful thing, but why only tcp? I don't want people to
> > > ypcat master.passwd and get all the encrypted passwords on my system. I
> > > verified that a ypmatch uses udp on a port >1023 with tcpdump:
> > > 
> > > ypmatch pavalos master.passwd
> > > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> > > 
> > > stun-port       1994/udp   #cisco serial tunnel port
> > > 
> > > So my question is: Is this a configuration error, or a 'feature' (bug)?
> > 
> > I was unable to recreate your problem here at home (the only place I do 
> > use YP).  Tcpdump showed that appropriate ports were used when root or 
> > non-root issued the request.  Are you sure you weren't root or 
> > that ypmatch wasn't setuid root on the client system?
> > 
> > 
> 
> The correct ports are being used. My issue is that a request from a
> non-root user (port >1023) gives out the encrypted password. According to
> the manpage, any request from tcp port >1023 will be denied for
> master.passwd.* maps. This seems like its logic is half-correct. My
> question is why is it only tcp since these yp requests are over udp?

cwtest$ ypmatch foobar master.passwd.byname
ypmatch: can't match key foobar in map master.passwd.byname. reason: YP server error
cwtest$ 

07:42:36.590581 cwtest.1308 > cwsys.1021:  udp 92
07:42:36.615668 cwsys.1021 > cwtest.1308:  udp 32

cwtest# ypmatch foobar master.passwd.byname
foobar:$1$foobar's_password:62361:62361::0:0:Foobar User,,,:/home/foobar:/bin/bash
cwtest# 

07:43:06.646153 cwtest.657 > cwsys.1021:  udp 92
07:43:06.647523 cwsys.1021 > cwtest.657:  udp 128

Foobar was substituted for the real username to protect the innocent in 
my example above, e.g. this is real output except for my editing out 
the real username.

From what I can tell, it works as documented on a 4.1 system.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
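An added example, not from this thread or from FreeBSD's ypserv: a small Python audit that emulates the reserved-port decision the man page describes and runs it over tcpdump lines in the format posted above, so a capture can be checked for which master.passwd.* requests the server would have answered. The map names, the 1023 cutoff and the sample trace lines come from the thread; the service-name table, the server-port parameter and the function names are my own assumptions.

```python
import re

# The two maps that ypserv(8) says are restricted to reserved source ports.
PROTECTED_MAPS = {"master.passwd.byname", "master.passwd.byuid"}
MAX_RESERVED_PORT = 1023  # only the superuser can bind ports 0-1023

# tcpdump prints well-known ports by name; a tiny hypothetical lookup table
# (assumption) so the "stun-port" line from the thread also parses.
SERVICE_PORTS = {"stun-port": 1994}

# Trace lines taken from the thread (server cwsys listens on UDP 1021).
SAMPLE_TRACE = """\
07:42:36.590581 cwtest.1308 > cwsys.1021:  udp 92
07:42:36.615668 cwsys.1021 > cwtest.1308:  udp 32
07:43:06.646153 cwtest.657 > cwsys.1021:  udp 92
07:43:06.647523 cwsys.1021 > cwtest.657:  udp 128
""".splitlines()

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+udp\s+(?P<len>\d+)$"
)


def _port(endpoint):
    """Split 'host.port' at the last dot; port may be numeric or a service name."""
    host, _, port = endpoint.rpartition(".")
    if not host:
        raise ValueError("no port in endpoint %r" % endpoint)
    return int(port) if port.isdigit() else SERVICE_PORTS[port]


def request_allowed(map_name, src_port):
    """ypserv's rule: protected maps are served only to reserved source ports.
    Note this only proves the requester could bind a low port on *its* host
    (root there); it says nothing about which host asked."""
    if map_name not in PROTECTED_MAPS:
        return True
    return 0 <= src_port <= MAX_RESERVED_PORT


def audit_trace(lines, map_name, server_port):
    """Return (timestamp, client_port, allowed) for each client->server datagram.
    Replies and traffic not aimed at server_port are skipped."""
    results = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m or _port(m["dst"]) != server_port:
            continue
        sport = _port(m["src"])
        results.append((m["ts"], sport, request_allowed(map_name, sport)))
    return results
```

Running `audit_trace(SAMPLE_TRACE, "master.passwd.byname", 1021)` flags the port-1308 request as rejected and the port-657 one as served, matching the two ypmatch runs above.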
