SUMMARY: NIS Question

From: Matthew Atkinson (m.atkinson@csl.gov.uk)
Date: Mon May 22 2000 - 07:29:19 CDT


Dear All,

Firstly thanks to everyone who answered my question about whether you
could hide the passwords in NIS so that users could not run cracker on
the password file (which I know would reveal a number of passwords on
my system).

I won't mention everyone's name, because there were an awful lot of
you, but thanks anyway. Particular thanks to David Lee of Durham
University, who gave me a very good description of what to do.

Basically, you can prevent casual snooping of the passwd NIS map, by
creating a file called security/passwd.adjunct in your NIS source
directory. This needs to contain either a copy of your shadow file, or
can actually replace it. David Lee copies his shadow into this file
every time he runs make, but I found that simply mv'ing shadow to
security/passwd.adjunct does the same thing.

Once you've done this (which seemed to need a destruction and
re-creation of the NIS domain to work), a ypcat passwd just gives ##
followed by the username instead of the encrypted password. Just
what I wanted!

However, there are two caveats which were pointed out to me:-

1. If you're root on any machine, a ypcat passwd.adjunct.byname will
   still reveal the passwords. Remembering that NIS does not require
   authentication before it gives out its names, means that someone
   could set up their own Unix box and do this.

2. Passwords are sent in plain text over the network, so anyone
   snooping will be able to see them.

I'm not bothered about number 1, because people here don't do things
like that without our knowledge (fortunately). Number 2 is not really a
particular concern, and 90% of our network is switched, so snooping is
a fairly pointless process unless you could snoop on the NIS server,
which can only be achieved by root.

All I need to do now is to sort out using Solstice AdminSuite to add
users etc., as this doesn't seem to work for NIS under 2.6, giving me
the /etc files instead. Once this is working, we can swap from NIS+ to
NIS, and let our other unix boxes join in the fun.

If you can live with the security considerations, NIS is miles, miles
easier to administer than NIS+, even when you're used to NIS. A basic
setup, including testing with a Linux box, took me about 2 hours.

Anyone with insights into the AdminSuite problem would be gladly
received! I'll post another summary if I get any interesting answers.

Matthew.

-- 
-------------------------------------------------------------------
Matthew Atkinson                      Phone:  +44 (0) 1904 462120
Unix Systems Manager                  Fax:    +44 (0) 1904 462111
Information Systems Team
Central Science Laboratory            E-mail: m.atkinson@csl.gov.uk
Sand Hutton, York, YO41 1LZ, England  Web:    http://www.csl.gov.uk
-------------------------------------------------------------------
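A small check, added here as an example and not part of Matthew's post or of Solaris itself: it assumes the "##username" substitution in the passwd map that the summary describes, and uses constructed sample map lines to test whether a dumped passwd map still carries hashes. The locked-account markers in `_SAFE` are assumptions about what a site may see in that field.

```python
"""Check whether a dumped NIS passwd map still exposes password hashes.

Added example (not from the original post). It mirrors the behaviour the
summary describes: with security/passwd.adjunct in place, `ypcat passwd`
shows "##" followed by the username in the password field instead of the
hash. The sample lines below are constructed, not real accounts.
"""
import re

# Constructed sample: what `ypcat passwd` shows before and after the change.
MAP_BEFORE = [
    "alice:Xk9ab3Q0uQ6wE:1001:100:Alice:/home/alice:/bin/sh",
    "bob:Ab7zR.kLm2Pq.:1002:100:Bob:/home/bob:/bin/csh",
]
MAP_AFTER = [
    "alice:##alice:1001:100:Alice:/home/alice:/bin/sh",
    "bob:##bob:1002:100:Bob:/home/bob:/bin/csh",
]

# Password-field values that carry no secret (assumed markers): the shadow
# placeholder, and the usual locked or no-password markers.
_SAFE = re.compile(r"^(x|\*|!.*|\*LK\*|NP)$")


def exposed_hashes(map_lines):
    """Return usernames whose passwd-map entry still carries a hash."""
    leaked = []
    for line in map_lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        # "##user" is what passwd.adjunct substitutes into the public map.
        # An empty field is a different problem (no password), not a leak.
        if pw == "##" + user or pw == "" or _SAFE.match(pw):
            continue
        leaked.append(user)
    return leaked


def adjunct_view(passwd_lines):
    """Rewrite passwd lines the way the adjunct-protected map appears."""
    out = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = "##" + fields[0]
        out.append(":".join(fields))
    return out
```

Run `exposed_hashes` over the output of `ypcat passwd` after rebuilding the maps; any username it returns still has its hash in the public map.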



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:08 CDT