From owner-freebsd-security Tue Sep 12 9:32:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (Postfix) with ESMTP id 6DFE337B422 for ; Tue, 12 Sep 2000 09:32:08 -0700 (PDT) Received: (from smap@localhost) by whistle.com (8.10.0/8.10.0) id e8CGW6M22179; Tue, 12 Sep 2000 09:32:06 -0700 (PDT) Received: from pau-amma.whistle.com( 207.76.205.64) by whistle.com via smap (V2.0) id xma022175; Tue, 12 Sep 2000 09:31:47 -0700 Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.3/8.9.3) id JAA32038; Tue, 12 Sep 2000 09:31:47 -0700 (PDT) (envelope-from dhw) Date: Tue, 12 Sep 2000 09:31:47 -0700 (PDT) From: David Wolfskill Message-Id: <200009121631.JAA32038@pau-amma.whistle.com> To: dhw@whistle.com, pavalos@theshell.com Subject: RE: ypserv giving out encrypted passwords Cc: freebsd-security@FreeBSD.ORG In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >From: "Peter Avalos" >Date: Tue, 12 Sep 2000 11:20:22 -0500 >|I suspect that the "encrypted password only in master.passwd.by*" only >|works if it's aFreeBSD box as master. (A master constructs the maps; a >|slave merely repeats what it's told.) [I should note that the above parenthetical remark is speculation on my part, to some extent, as I haven't reviewed the code in question. But since such things as gthe "UNSECURE = 'TRUE'" specification go in the /var/yp/Makefile on the *master*, it makes sense to me. dhw] >Why? That just doesn't make sense to me. The master has to give the whole >map to the slave, and the slave server should still be acting as a server. The slave is acting as a server: in response to a client query, it provides a copy or excerpt of the map it has. But it doesn't create the map from scratch; it gets the maps from its master. >It shouldn't be dealing out the encrypted passwords to non-privileged ports. NIS doesn't really deal (much) in terms of what the fields are intended to mean; it's basically as simple, moderately-distributed, name-value lookup service. For example, if I request a lookup of "dhw" in the "passwd.byname" map, what comes back is a "record". That the "record" is broken up into separate fields is an artifact of what the client chooses to do with the resulting information; NIS couldn't care less. (The split-out of the password stuff is handled by the Makefile, so the resulting maps get created with the proper contents, by the master server during the "make" process. That has next to nothing to do with the NIS client-server interaction.) >It looks like the manpage is wrong (it looks at tcp and udp), but it also >looks like there's a bug when ypserv is acting as a slave server. That (latter) depends on the master server. It's likely that the man page is (at least) confusing in such a case. Cheers, david -- David Wolfskill dhw@whistle.com UNIX System Administrator Desk: 650/577-7158 TIE: 8/499-7158 Cell: 650/759-0823 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message