From owner-freebsd-security Tue Sep 12 10:23:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B970637B424 for ; Tue, 12 Sep 2000 10:23:20 -0700 (PDT)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA21972; Tue, 12 Sep 2000 10:22:43 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda21967; Tue Sep 12 10:22:25 2000
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id KAA33350; Tue, 12 Sep 2000 10:22:25 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdi33348; Tue Sep 12 10:22:03 2000
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8CHM3070153; Tue, 12 Sep 2000 10:22:03 -0700 (PDT)
Message-Id: <200009121722.e8CHM3070153@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdo70149; Tue Sep 12 10:22:02 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: "Peter Avalos"
Cc: "Cy Schubert - ITSD Open Systems Group", "freebsd-security@FreeBSD.ORG"
Subject: Re: ypserv giving out encrypted passwords
In-reply-to: Your message of "Tue, 12 Sep 2000 11:12:46 CDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Sep 2000 10:22:02 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , "Peter Avalos" writes:
> This is the way I want my server to work ;)  I'm assuming that your ypserv is
> a master.  So my next questions are:
>
> 1. Does anyone who's running ypserv as a slave get the documented results?
>
> 2. Why is there a difference between a slave server and master server when
> dealing with the master.passwd.* maps?
>
>
> Your help is appreciated,

My only YP installation is at home.  Sorry, I have no slave.  I don't use
YP at work.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC


> Peter Avalos
> TheShell.com
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M-
> V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
> ------END GEEK CODE BLOCK------
>
> -----Original Message-----
> From: cy@uumail.gov.bc.ca [mailto:cy@uumail.gov.bc.ca] On Behalf Of Cy
> Schubert - ITSD Open Systems Group
> Sent: Tuesday, September 12, 2000 9:53 AM
> To: Peter Avalos
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: ypserv giving out encrypted passwords
>
>
> In message m>, Peter Avalos writes:
> >
> > On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:
> >
> > > In message , "Peter Avalos" writes:
> > > > I'm running ypserv as a slave and ypbind on a 4.1-S machine.
> > > >
> > > > Snip from ypserv(8) manpage:
> > > >
> > > >      To make up for this, the FreeBSD version of ypserv handles the
> > > >      master.passwd.byname and master.passwd.byuid maps in a special way.
> > > >      When the server receives a request to access either of these two
> > > >      maps, it will check the TCP port from which the request originated
> > > >      and return an error if the port number is greater than 1023.  Since
> > > >      only the superuser is allowed to bind to TCP ports with values less
> > > >      than 1024, the server can use this test to determine whether or not
> > > >      the access request came from a privileged user.  Any requests made
> > > >      by non-privileged users are therefore rejected.
> > > >
> > > > This sounds like a wonderful thing, but why only tcp?  I don't want
> > > > people to ypcat master.passwd and get all the encrypted passwords on my
> > > > system.  I verified that a ypmatch uses udp on a port >1023 with tcpdump:
> > > >
> > > > ypmatch pavalos master.passwd
> > > > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
> > > > 06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
> > > > 06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
> > > >
> > > > stun-port        1994/udp   #cisco serial tunnel port
> > > >
> > > > So my question is: Is this a configuration error, or a 'feature' (bug)?
> > >
> > > I was unable to recreate your problem here at home (the only place I do
> > > use YP).  Tcpdump showed that appropriate ports were used when root or
> > > non-root issued the request.  Are you sure you weren't root or that
> > > ypmatch wasn't setuid root on the client system?
> > >
> >
> > The correct ports are being used.  My issue is that a request from a
> > non-root user (port >1023) gives out the encrypted password.  According to
> > the manpage, any request from tcp port >1023 will be denied for
> > master.passwd.* maps.  This seems like its logic is half-correct.  My
> > question is why is it only tcp since these yp requests are over udp?
>
> cwtest$ ypmatch foobar master.passwd.byname
> ypmatch: can't match key foobar in map master.passwd.byname.  reason: YP
> server error
> cwtest$
>
> 07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92
> 07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32
>
> cwtest# ypmatch foobar master.passwd.byname
> foobar:$1$foobar's_password:62361:62361::0:0:Foobar User,,,:/home/foobar:/bin/bash
> cwtest#
>
> 07:43:06.646153 cwtest.657 > cwsys.1021: udp 92
> 07:43:06.647523 cwsys.1021 > cwtest.657: udp 128
>
> Foobar was substituted for the real username to protect the innocent in
> my example above, i.e. this is real output except for my editing out
> the real username.
>
> From what I can tell, it works as documented on a 4.1 system.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
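The thread turns on one rule from ypserv(8): requests for master.passwd.byname and master.passwd.byuid are answered only when the client's source port is below 1024. The following is an added example, not code from this thread or from FreeBSD's ypserv: it parses the three tcpdump exchanges quoted above, applies the documented port test to each request regardless of transport (the manpage says "TCP port", but the port number is the only thing the test inspects), and compares the rule's verdict with what the server actually sent back. The service-name table (stun-port = 1994, from Peter's /etc/services line), the pairing of request and reply, and the 64-byte threshold for telling an error reply from a served entry are this example's own assumptions. One caveat worth keeping in mind when reading it: a reserved source port only proves that the sender is root on the sending host, so the test is a control only on a network where every host is trusted.

```python
"""Replay ypserv(8)'s reserved-port rule against the tcpdump lines from the thread.

Added example, not FreeBSD code.  Trace lines are copied from the messages above;
the service table, pairing logic and reply-size threshold are assumptions.
"""
import re
from dataclasses import dataclass

# ypserv(8) documents the check for these two maps only.
PROTECTED_MAPS = {"master.passwd.byname", "master.passwd.byuid"}

# tcpdump substitutes a service name for a port listed in /etc/services.
# Peter's trace shows "stun-port", which his /etc/services maps to 1994/udp.
# Constructed lookup table for this example.
SERVICE_PORTS = {"stun-port": 1994}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s+"
    r"(?P<proto>udp|tcp)\s+(?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def port_number(token: str) -> int:
    """Resolve a tcpdump port token (numeric or service name) to an integer."""
    if token.isdigit():
        return int(token)
    try:
        return SERVICE_PORTS[token]
    except KeyError:
        raise ValueError(f"unknown service name {token!r}") from None


def parse_tcpdump(line: str) -> Packet:
    """Parse one 'ts src.port > dst.port: proto len' line as printed by tcpdump."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable tcpdump line: {line!r}")
    return Packet(m["ts"], m["src"], port_number(m["sport"]),
                  m["dst"], port_number(m["dport"]), m["proto"], int(m["length"]))


def ypserv_allows(mapname: str, src_port: int) -> bool:
    """The documented rule: the two master.passwd maps are served only to a
    client whose source port is reserved (< 1024); every other map is served
    unconditionally.  Applied here to any transport, since only the port
    number is inspected.  A reserved port proves root on the sending host
    only, so this is a control just on a network of trusted hosts (assumption
    stated in the lead-in)."""
    if mapname not in PROTECTED_MAPS:
        return True
    return src_port < 1024


def audit_exchange(request_line: str, reply_line: str, mapname: str) -> dict:
    """Pair a request with its reply and compare the rule's verdict with the
    reply size.  Assumption: an ypserv error reply is far shorter than a
    master.passwd entry (32 vs 108/128 bytes in the thread), so a reply under
    64 bytes is read as a refusal."""
    req, rep = parse_tcpdump(request_line), parse_tcpdump(reply_line)
    if (rep.src, rep.sport, rep.dst, rep.dport) != (req.dst, req.dport, req.src, req.sport):
        raise ValueError("reply does not match request")
    return {
        "client_port": req.sport,
        "proto": req.proto,
        "rule_allows": ypserv_allows(mapname, req.sport),
        "served_entry": rep.length >= 64,
    }


# Trace lines quoted from the thread: Peter's run (client on stun-port, 1994,
# server on 778) and Cy's two runs (non-root client on 1308, root client on
# 657, server on 1021).
PETER_TRACE = (
    "06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88",
    "06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108",
)
CY_NONROOT_TRACE = (
    "07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92",
    "07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32",
)
CY_ROOT_TRACE = (
    "07:43:06.646153 cwtest.657 > cwsys.1021: udp 92",
    "07:43:06.647523 cwsys.1021 > cwtest.657: udp 128",
)


def run_all() -> dict:
    """Audit all three exchanges for the master.passwd.byname map."""
    return {
        "peter": audit_exchange(*PETER_TRACE, "master.passwd.byname"),
        "cy_nonroot": audit_exchange(*CY_NONROOT_TRACE, "master.passwd.byname"),
        "cy_root": audit_exchange(*CY_ROOT_TRACE, "master.passwd.byname"),
    }


if __name__ == "__main__":
    for name, r in run_all().items():
        verdict = "consistent" if r["rule_allows"] == r["served_entry"] else "DISCREPANCY"
        print(f"{name:10s} client port {r['client_port']:5d}/{r['proto']}  "
              f"rule allows={str(r['rule_allows']):5s}  "
              f"entry served={str(r['served_entry']):5s}  -> {verdict}")
```

Run as a script, Cy's two exchanges come out consistent with the rule (1308 refused with a 32-byte error, 657 served with a 128-byte entry), while Peter's exchange is the discrepancy he reported: the client spoke from port 1994, above the 1023 limit, and still received a 108-byte reply. The parser is the useful part to keep; pointed at a live `tcpdump -n udp and port <ypserv-port>` capture it gives a quick way to confirm which source ports a given ypserv is honouring.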