Date: Tue, 12 Sep 2000 11:32:39 -0700
From: Brooks Davis
To: Peter Avalos
Cc: David Wolfskill, "freebsd-security@FreeBSD.ORG"
Subject: Re: ypserv giving out encrypted passwords
Message-ID: <20000912113239.B31617@Odin.AC.HMC.Edu>
References: <200009121503.IAA31586@pau-amma.whistle.com>

On Tue, Sep 12, 2000 at 11:20:22AM -0500, Peter Avalos wrote:
> Why? That just doesn't make sense to me. The master has to give the whole
> map to the slave, and the slave server should still be acting as a server.
> It shouldn't be dealing out the encrypted passwords to non-privileged ports.

You're mistaking NIS for an intelligent protocol. ;-) NIS does one thing
and one thing only. Given the name of a domain and the name of a map within
that name it returns one or more request name value pairs from that map. It
does nothing else and has no semantic knowledge of those name value pairs.
FreeBSD appears to have a hack to implement shadow passwd support, but it's
definitely a non-standard hack. The security model for NIS consists of two
things: being able to connect to the server and knowing the domain. That's it.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
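A check an administrator could run on a NIS client to see whether the passwd map hands out real password hashes, written as an added example and not code from this thread or from FreeBSD. It assumes passwd-format lines such as `ypcat passwd.byname` prints, piped in on stdin; the function names and the sample entries are constructed for illustration.

```python
import re
import sys

# Values that stand in for a password kept elsewhere or for a disabled login.
PLACEHOLDERS = {"*", "x", "!", "!!"}
# Shapes of crypt(3) output: traditional DES (13 chars), BSD extended DES
# ("_" + 19 chars) and modular "$id$..." formats such as MD5 ("$1$").
HASH_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|_[./0-9A-Za-z]{19}|\$[0-9a-z]+\$.+)$")
LOCK_PREFIX = "*LOCKED*"  # FreeBSD "pw lock" prepends this and keeps the hash

def classify(field):
    """Classify the password field of one passwd-format entry."""
    if field == "":
        return "empty"
    if field.startswith(LOCK_PREFIX):
        field = field[len(LOCK_PREFIX):] or "*"  # a locked hash is still exposed
    if field in PLACEHOLDERS:
        return "placeholder"
    return "hash" if HASH_RE.match(field) else "unknown"

def audit_passwd_map(lines):
    """Return {category: [usernames]}; hash values are never echoed back."""
    report = {k: [] for k in ("hash", "empty", "placeholder", "unknown", "malformed")}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 7:  # a passwd.byname value carries 7 fields
            report["malformed"].append(fields[0])
            continue
        report[classify(fields[1])].append(fields[0])
    return report

# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "alice:$1$constrct$AAAAAAAAAAAAAAAAAAAAAA:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:*:1002:1002:Bob:/home/bob:/bin/sh",
    "carol:aaBBccDDeeFF0:1003:1003:Carol:/home/carol:/bin/sh",
    "dave::1004:1004:Dave:/home/dave:/bin/sh",
    "erin:*LOCKED*$1$constrct$BBBBBBBBBBBBBBBBBBBBBB:1005:1005:Erin:/home/erin:/bin/sh",
    "broken:line",
]

if __name__ == "__main__":
    result = audit_passwd_map(sys.stdin)
    for category, users in result.items():
        print(f"{category:12s} {len(users):4d}  {' '.join(users)}")
    sys.exit(1 if result["hash"] or result["empty"] else 0)
```

A non-zero exit means any host that can reach the server and knows the domain name can read password hashes, or find accounts with no password, from this map.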