Date: Tue, 7 Aug 2001 09:51:32 -0400 (EDT)
From: <rsavage@nandomedia.com>
To: dannyman <dannyman@toldme.com>
Cc: <questions@FreeBSD.org>
Subject: Re: NIS in FreeBSD
Message-ID: <Pine.LNX.4.33.0108070949030.22536-100000@ripley.nandomedia.com>
In-Reply-To: <20010807014312.A14813@toldme.com>
I beg to differ! I just set up and tested two FreeBSD 4.3 machines. One as a master NIS server, and the other as a NIS client. When I changed my user's password on the client, I saw the "clear-text" password while I was sniffing the box. Did I do something differently? Or not complete?

-R

On Tue, 7 Aug 2001, dannyman wrote:

> On Mon, Aug 06, 2001 at 12:05:36PM -0400, rsavage@nandomedia.com wrote:
> > I don't know who is the proper person to ask this question, so I will
> > simply ask you. Do you know if the NIS provided with FreeBSD sends
> > "clear-text" passwords over the network at any given time? Thanks.
>
> FreeBSD-questions is a mailing list that any number of people might
> read. One of us might answer your question.
>
> In your case, NIS does not send clear-text passwords over the network.
> NIS sends out passwords translated into an encrypted string via a
> one-way algorithm. The NIS client encrypts the password that the user
> supplies, and if it is the same as the encrypted string on the NIS
> master, then the NIS client knows that password is correct.
>
> The weakness is that as cryptographic theory and CPU power advance, it
> becomes easier to set computers up to run through likely passwords,
> encrypting them into the encrypted password string sent in your NIS.
> For this reason, most modern Unix systems treat the encrypted passwords
> as trusted local information. NIS requires this information to go over
> the network.
>
> If you are concerned about security, and you use NIS, you should have a
> password policy that says users should change their passwords every so
> often, and that they need to be more difficult to guess than simple
> dictionary words, and the like. You may also want to test more secure
> password hash algorithms. For example, NIS implementations have
> historically used DES encryption to share passwords. The MD5 encryption
> scheme that FreeBSD uses, by default, is harder to run through, in this
> manner.
>
> If your NIS system consists of only FreeBSD hosts, you can make it so
> that encrypted passwords don't go over the network either. I'm not
> sure how this works, so you should RTFM if you are interested in this.
> In a heterogeneous environment, you might consider alternatives like
> LDAP over SSL, or Kerberos. There is also NIS+, but anyone I've ever
> asked has told me that it is too silly to consider.
>
> -danny

--
Rory Savage, Senior Systems Administrator
Nando Media: www.nandomedia.com
email: rsavage@nandomedia.com
919-836-5987 (Office)
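The verification step dannyman describes in the quoted reply (the client takes the salt from the hashed entry it received from the NIS master, hashes the password the user typed with that salt, and compares the two strings) is shown below as an added example. It is not part of this thread and not FreeBSD's own code. It reimplements the `$1$` MD5-crypt scheme in pure Python because the standard `crypt` module has been removed from recent Python releases, and it uses a constructed passwd-map line for the user `rory`; the salt, password and map fields are made up for the demonstration.

```python
import hashlib
import hmac

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value` in crypt's base-64 alphabet."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """The $1$ MD5-crypt scheme (as in FreeBSD's crypt-md5.c): a salted hash with
    1000 chained MD5 rounds, which is the extra cost that makes it slower to
    run guesses through than the single-pass DES scheme."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # the stretching loop
        round_ctx = hashlib.md5()
        round_ctx.update(password if i & 1 else final)
        if i % 3:
            round_ctx.update(salt)
        if i % 7:
            round_ctx.update(password)
        round_ctx.update(final if i & 1 else password)
        final = round_ctx.digest()
    result = MAGIC + salt + b"$"
    result += _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
    result += _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
    result += _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
    result += _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
    result += _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
    result += _to64(final[11], 2)
    return result


def verify_map_entry(map_line: bytes, candidate: str) -> bool:
    """What an NIS client does with a passwd.byname entry: reuse the stored
    salt, hash the typed password, and compare in constant time."""
    fields = map_line.split(b":")
    stored = fields[1]
    if not stored.startswith(MAGIC):
        raise ValueError("this example only handles $1$ (MD5-crypt) entries")
    salt = stored[len(MAGIC):].split(b"$", 1)[0]
    return hmac.compare_digest(md5crypt(candidate.encode(), salt), stored)


# Constructed sample data (hypothetical user, salt and password).
SAMPLE_SALT = b"Nq1ZxTw3"
SAMPLE_PASSWORD = "correct horse"
SAMPLE_MAP_LINE = (
    b"rory:" + md5crypt(SAMPLE_PASSWORD.encode(), SAMPLE_SALT)
    + b":1001:1001:Rory Savage:/home/rory:/bin/sh"
)

if __name__ == "__main__":
    print("map entry as sent by the master:", SAMPLE_MAP_LINE.decode())
    print("right password accepted:", verify_map_entry(SAMPLE_MAP_LINE, SAMPLE_PASSWORD))
    print("wrong password rejected:", not verify_map_entry(SAMPLE_MAP_LINE, "Correct horse"))
```

The map line is the only thing that has to cross the network for this check to work, which is exactly the exposure the quoted reply describes: anyone who can read the map can run the same `md5crypt` call against guesses offline, and the 1000-round loop is what makes each guess cost more than the DES scheme did.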