Date: Wed, 20 Nov 1996 10:01:16 -0500
From: jc@irbs.com (John Capo)
To: gpalmer@freebsd.org (Gary Palmer)
Cc: jbh@netpci.com (Justin Harvey), michael@memra.com (Michael Dillon), freebsd-isp@freebsd.org
Subject: Re: Stupid question no 10101
Message-ID: <Mutt.19961120100116.jc@irbs.com>
In-Reply-To: <7065.848474532@orion.webspan.net>; from Gary Palmer on Nov 20, 1996 02:22:12 -0500
References: <Pine.BSF.3.91.961115145434.23937D-100000@delenn.netpci.com> <7065.848474532@orion.webspan.net>
Quoting Gary Palmer (gpalmer@freebsd.org):
>
> Try sharing your password file with NIS. Basically, if you use plain
> old NIS, it publishes your password file (or at least the passwords of
> your users) to anyone who cares to look (I've been told that there is
> some program called `ypghost' which lets people do this). I, for one,
> don't want my users' passwords disseminated to anyone who wants an easy
> back-door into our system.
>

ypghost works by having access to the wire via bpf.

http://tachyon.mono.org/~arny/progs/ypghost/WHATISTHIS

Ypxfr can snarf a password file too if it is running as root and
the server is not protected via filters and/or tcp_wrappers. Access
to the wire is not needed.

> (and, yes, I have thought of using an access list (aka packet filter)
> on our Cisco gateway, but access lists can be bypassed, and it still
> leaves it open to all our shell users).

FreeBSD NIS will not deliver master.passwd.* to a request from an
unprivileged port. Ypserv can be compiled to use tcp_wrappers also.
Your shell users would have to have root or find another hole via a
setuid root program.

If your wire is not secure and you are not filtering at a router then
copying the password file via an encrypted link is your only option.

John Capo
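
The two server-side checks mentioned in the message above (restricting clients by address, and refusing master.passwd.* to unprivileged source ports), sketched as an added example that is not part of the original message and is not FreeBSD's ypserv code. The function names, the policy table and the 192.0.2.0/24 network are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* One permitted client network (host byte order), in the spirit of a
 * tcp_wrappers or router filter rule. */
struct allowed_net { uint32_t network, netmask; };

/* Constructed sample policy: only 192.0.2.0/24 may query the server. */
static const struct allowed_net policy[] = { { 0xC0000200u, 0xFFFFFF00u } };

/* Source ports below 1024 can only be bound by root on the client. */
#define RESERVED_PORT_LIMIT 1024

/* Maps that carry the real password hashes (master.passwd.byname, ...). */
static int is_sensitive_map(const char *map)
{
    return strncmp(map, "master.passwd.", 14) == 0;
}

/* Return 1 if the request may be answered, 0 if it must be refused. */
int nis_request_allowed(const struct sockaddr_in *client, const char *map)
{
    uint32_t addr = ntohl(client->sin_addr.s_addr);
    uint16_t port = ntohs(client->sin_port);
    size_t i, n = sizeof(policy) / sizeof(policy[0]);

    for (i = 0; i < n; i++)
        if ((addr & policy[i].netmask) == policy[i].network)
            break;
    if (i == n)
        return 0;   /* client is outside every permitted network */
    if (is_sensitive_map(map) && port >= RESERVED_PORT_LIMIT)
        return 0;   /* hashes are only sent to root-bound source ports */
    return 1;
}

/* Helper for trying the policy: build the peer address and ask. */
int check(const char *ip, unsigned port, const char *map)
{
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return 0;   /* unparsable address: refuse */
    return nis_request_allowed(&sin, map);
}
```

The port test only means something when root on every permitted client host is trusted, which is why the message pairs it with filtering and tcp_wrappers.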