From owner-freebsd-security Tue Sep 12 17:48:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from minotaur.labyrinth.net.au (minotaur.labyrinth.net.au [203.9.148.2]) by hub.freebsd.org (Postfix) with ESMTP id 7396737B423 for ; Tue, 12 Sep 2000 17:48:24 -0700 (PDT) Received: from cows (sean.lab.office.labyrinth.net.au [203.9.148.76]) by minotaur.labyrinth.net.au (8.9.3/8.9.3) with SMTP id LAA85678; Wed, 13 Sep 2000 11:48:05 +1100 (EST) Message-ID: <009d01c01d1c$47795e40$4c9409cb@labyrinth.net.au> From: "Sean Winn" To: "Peter Avalos" , "Cy Schubert - ITSD Open Systems Group" Cc: "freebsd-security@FreeBSD. ORG" References: Subject: Re: ypserv giving out encrypted passwords Date: Wed, 13 Sep 2000 11:48:05 +1100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 11:45 sean@sentinel [~] ypwhich typhoon.sub.net.au 11:45 sean@sentinel [~] uname -a FreeBSD sentinel.sub.net.au 3.4-STABLE FreeBSD 3.4-STABLE #0: Fri Jun 2 15:53:3 9 EST 2000 sean@sentinel.sub.net.au:/usr/src/sys/compile/SENTINEL i386 11:45 sean@sentinel [~] ypmatch sean master.passwd ypmatch: can't match key sean in map master.passwd.byname. reason: YP server error 11:45:46.981753 sentinel.sub.net.au.1318 > typhoon.sub.net.au.1021: udp 84 11:45:46.982734 typhoon.sub.net.au.1021 > sentinel.sub.net.au.1318: udp 32 typhoon is a slave server. ----- Original Message ----- From: "Peter Avalos" To: "Cy Schubert - ITSD Open Systems Group" Cc: "freebsd-security@FreeBSD. ORG" Sent: Wednesday, September 13, 2000 3:12 AM Subject: RE: ypserv giving out encrypted passwords > This is the way I want my server to work ;) I'm assuming that your ypserv is > a master. So my next questions are: > > 1. Does anyone who's running ypserv as a slave get the documented results? > > 2. Why is there a difference between a slave server and master server when > dealing with the master.passwd.* maps? > > > Your help is appreciated, > > Peter Avalos > TheShell.com > > -----BEGIN GEEK CODE BLOCK----- > Version: 3.12 > GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M- > V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++ > ------END GEEK CODE BLOCK------ > > -----Original Message----- > From: cy@uumail.gov.bc.ca [mailto:cy@uumail.gov.bc.ca]On Behalf Of Cy > Schubert - ITSD Open Systems Group > Sent: Tuesday, September 12, 2000 9:53 AM > To: Peter Avalos > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: ypserv giving out encrypted passwords > > > In message m>, Pet > er Avalos writes: > > > > > > On Tue, 12 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote: > > > > > In message , "Peter > > > Avalos" > > > writes: > > > > I'm running ypserv as a slave and ypbind on a 4.1-S machine. > > > > > > > > Snip from ypserv(8) manpage: > > > > > > > > To make up for this, the FreeBSD version of ypserv handles the > > > > master.passwd.byname and master.passwd.byuid maps in a special > way. > > > > When > > > > the server receives a request to access either of these two maps, > it > > > > will > > > > check the TCP port from which the request originated and return > an > > > > error > > > > if the port number is greater than 1023. Since only the > superuser i > > s > > > > al- > > > > lowed to bind to TCP ports with values less than 1024, the server > ca > > n > > > > use > > > > this test to determine whether or not the access request came > from a > > > > privileged user. Any requests made by non-privileged users are > > > > therefore > > > > rejected. > > > > > > > > This sounds like a wonderful thing, but why only tcp? I don't want > people > > to > > > > ypcat master.passwd and get all the encrypted passwords on my system. > I > > > > verified that a ypmatch uses udp on a port >1023 witch tcpdump: > > > > > > > > ypmatch pavalos master.passwd > > > > > pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash > > > > 06:35:27.149969 lithium.theshell.com.stun-port > > lithium.theshell.com.778 > > : > > > > udp 88 > > > > 06:35:27.150136 lithium.theshell.com.778 > > lithium.theshell.com.stun-port > > : > > > > udp 108 > > > > > > > > stun-port 1994/udp #cisco serial tunnel port > > > > > > > > So my question is: Is this a configuration error, or a 'feature' > (bug)? > > > > > > I was unable to recreate your problem here at home (the only place I do > > > use YP). Tcpdump showed that appropriate ports were used when root or > > > non-root made issued the request. Are you sure you weren't root or > > > that ypmatch wasn't setuid root on the client system? > > > > > > > > > > The correct ports are being used. My issue is that a request from a > > non-root user (port >1023) gives out the encrypted password. According to > > the manpage, any request from tcp port >1023 will be denied for > > master.passwd.* maps. This seems like its logic is half-correct. My > > question is why is is only tcp since these yp requests are over udp? > > cwtest$ ypmatch foobar master.passwd.byname > ypmatch: can't match key foobar in map master.passwd.byname. reason: YP > server error > cwtest$ > > 07:42:36.590581 cwtest.1308 > cwsys.1021: udp 92 > 07:42:36.615668 cwsys.1021 > cwtest.1308: udp 32 > > cwtest# ypmatch foobar master.passwd.byname > foobar:$1$foobar's_password:62361:62361::0:0:Foobar > User,,,:/home/foobar:/bin/bash > cwtest# > > 07:43:06.646153 cwtest.657 > cwsys.1021: udp 92 > 07:43:06.647523 cwsys.1021 > cwtest.657: udp 128 > > Foobar was substituted for the real username to protect the innocent in > my example above, e.g. this is real output except for my editing out > the real username. > > >From what I can tell, it works as documented on a 4.1 system. > > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca > Open Systems Group, ITSD, ISTA > Province of BC > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message