Date:      Tue, 7 Aug 2001 09:51:32 -0400 (EDT)
From:      <rsavage@nandomedia.com>
To:        dannyman <dannyman@toldme.com>
Cc:        <questions@FreeBSD.org>
Subject:   Re: NIS in FreeBSD
Message-ID:  <Pine.LNX.4.33.0108070949030.22536-100000@ripley.nandomedia.com>
In-Reply-To: <20010807014312.A14813@toldme.com>


I beg to differ!  I just set up and tested two FreeBSD 4.3 machines.  One
as a master NIS server, and the other as a NIS client.  When I changed my
user's password on the client, I saw the "clear-text" password while I was
sniffing the box.  Did I do something differently?  Or not complete?

-R


On Tue, 7 Aug 2001, dannyman wrote:

> On Mon, Aug 06, 2001 at 12:05:36PM -0400, rsavage@nandomedia.com wrote:
> > I don't know who is the proper person to ask this question, so I will
> > simply ask you.  Do you know is the NIS provided with FreeBSD sends
> > "clear-text" passwords over the network at any given time?  Thanks.
>
> FreeBSD-questions is a mailing list that any number of people might
> read.  One of us might answer your question.
>
> In your case, NIS does not send clear-text passwords over the network.
> NIS sends out passwords translated into an encrypted string via a
> one-way algorithm.  The NIS client encrypts the password that the user
> supplies, and if it is the same as the encrypted string on the NIS
> master, then the NIS client knows that password is correct.
>
> The weakness is that as cryptographic theory and CPU power advance, it
> becomes easier to set computers up to run through likely passwords,
> encrypting them into the encrypted password string sent in your NIS.
> For this reason, most modern Unix systems treat the encrypted passwords
> as trusted local information.  NIS requires this information to go over
> the network.
>
> If you are concerned about security, and you use NIS, you should have a
> password policy that says users should change their passwords every so
> often, and that they need to be more difficult to guess than simple
> dictionary words, and the like.  You may also want to test more secure
> password hash algorithms.  For example, NIS implementations have
> historically used DES encryption to share passwords.  The MD5 encryption
> scheme that FreeBSD uses, by default, is harder to run through in this
> manner.
>
> If your NIS system consists of only FreeBSD hosts, you can make it so
> that encrypted passwords don't go over the network either.  I'm not
> sure how this works, so you should RTFM if you are interested in this.
> In a heterogeneous environment, you might consider alternatives like
> LDAP over SSL, or Kerberos.  There is also NIS+, but anyone I've ever
> asked has told me that it is too silly to consider.
>
> -danny
>
>

-- 
Rory Savage, Senior Systems Administrator
Nando Media: www.nandomedia.com
email: rsavage@nandomedia.com
919-836-5987 (Office)
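To make Danny's description concrete (the client re-hashes what the user types with the salt from the map entry and compares, and whoever sniffs the map transfer gets the same entry to guess against offline), here is an added example.  It is mine, not code from either poster or from FreeBSD: md5crypt() is a Python reimplementation of the "$1$" algorithm in FreeBSD's crypt-md5.c, the user "alice", her password, the passwd.byname line and the wordlist are all constructed for the example, and salt_of(), client_check() and offline_guess() are hypothetical helper names.

```python
"""Added example, not from the thread: what a NIS client does with a passwd-map
entry it received over the wire, and what a sniffer can do with the same bytes."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s base-64 variant: low 6 bits first, 'count' characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD-style MD5 crypt ("$1$"), reimplemented in Python after the
    algorithm in FreeBSD's lib/libcrypt/crypt-md5.c.  The 1000-round loop
    is what makes each guess cost more than a DES-crypt guess."""
    magic = "$1$"
    if salt.startswith(magic):
        salt = salt[len(magic):]
    salt = salt.split("$", 1)[0][:8]          # at most 8 salt characters
    pw, sp = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + magic.encode() + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # len(pw) bytes of MD5(pw,salt,pw)
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                     # deliberate slowdown
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()

    out = magic + salt + "$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return out + _to64(final[11], 2)


def salt_of(stored_hash: str) -> str:
    """The "$1$salt$" prefix a client must reuse to re-hash a candidate."""
    return stored_hash[: stored_hash.rindex("$") + 1]


def client_check(map_line: str, typed_password: str) -> bool:
    """What a NIS client does at login: re-hash the typed password with the
    salt from the map entry and compare.  The clear text is never sent."""
    stored = map_line.split(":")[1]
    return md5crypt(typed_password, salt_of(stored)) == stored


def offline_guess(map_line: str, wordlist):
    """What someone who sniffed the map entry does with the same bytes:
    try candidates at full CPU speed, with no login prompt to throttle them."""
    stored = map_line.split(":")[1]
    for candidate in wordlist:
        if md5crypt(candidate, salt_of(stored)) == stored:
            return candidate
    return None


# Constructed sample data (hypothetical user and password, not from the thread):
# one passwd.byname entry as the server would hand it to a client, plus a tiny
# wordlist of the kind of guesses the thread warns about.
SNIFFED_MAP_LINE = "alice:" + md5crypt("letmein1", "$1$8Yk2sq9X$") + \
    ":1001:1001:Alice Example:/home/alice:/bin/sh"
WORDLIST = ["password", "alice", "freebsd", "letmein", "letmein1", "qwerty"]

if __name__ == "__main__":
    print("login check:", client_check(SNIFFED_MAP_LINE, "letmein1"))
    print("recovered from sniffed map:", offline_guess(SNIFFED_MAP_LINE, WORDLIST))
```

Run it as a script: the login check succeeds without the clear-text password ever leaving the client, and the same map line then falls to the wordlist.  Whatever the client can do with the entry, a sniffer can do too; the hash algorithm only changes the cost per guess (time the loop with a DES-crypt replacement for md5crypt to see the difference Danny describes), which is why the thread's advice is a password policy plus, in a mixed environment, something that does not ship the hashes at all.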


