Bugtraq mailing list archives

Re: NIS security advisory : password method downgrade


From: darren.moffat () SUNUK UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Mon, 24 Jan 2000 11:40:03 +0000


>       The dish of the day is the Yellow Pages/NIS (NYS?) suite
> shipped with the pristine RedHat 6.1. After a standard blank installation
> the rpc.yppasswd (when used via ypasswd by domain lusers from all over the
> place) shamelessly uses the old (deprecated?) 8-character-limited des

This is required to make it NIS(YP) otherwise it won't be able to
interoperate with other systems running NIS.  The md5 and other
alternate passwords are Linux/BSD extensions to the password table/map
that are not available in a lot of other UNIX systems.  Handing out md5
encrypted passwords means that it is no longer NIS(YP) but some Linux
extension; if a commercial vendor did this, lots of people would
complain about proprietary incompatible extensions to an open protocol.

It would be much better to run NIS+ or LDAP as your naming service if
you are concerned about people running password crackers over your
passwd table/map.  NIS+ and LDAP allow you to control which users can
actually see the encrypted password when a getpw*() call is made.  This
can be done because they have the concept of row & column permissions
much like a standard UNIX filesystem.

NIS has several other fundamental security shortcomings that have been
solved in NIS+ and other more modern naming services.  If you are
concerned about security of your naming service you really shouldn't be
using NIS at all.

> place) shamelessly uses the old (deprecated?) 8-character-limited des
> password encryption, butt-slapping the idea of site security and
> raising from their graves old pwcracks and John the Rippers that
> could easily bruteforce into your password files. Thus your new shiny
> md5 crypted shadow is gone, and the 8-chars passwords are back.

Secondly the encryption algorithm used in traditional UNIX passwords is
not itself limited to 8-chars.  Traditionally passwords in UNIX were
limited to 8-chars because login and friends called getpass() which is
defined to return a string of 8-chars + null.  Now Solaris, Linux and
possibly others use PAM and the PAM conversation functions tend to call
getpassphrase() or other functions (possibly GUIs) that make the new
limit 256-chars.
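The two points above (a passwd map handed out by NIS carries traditional DES crypt hashes, and DES crypt only ever distinguishes the first 8 characters, whereas the $1$ md5 form is a libc extension that classic NIS(YP) clients do not understand) can be checked from the map itself. The following audit script is an added example, not code from the post or from the ypserv/rpc.yppasswd projects: it parses passwd(5)-format lines of the kind `ypcat passwd` prints, classifies each password field by scheme, and reports which accounts are exposed as offline-crackable DES hashes, which use a non-YP extension that will break interoperability, and which have no password at all. The sample map lines and their hash values are constructed for illustration.

```python
"""Audit NIS passwd-map entries for password hash scheme and interoperability.

Added example (not from the Bugtraq post). Input is passwd(5) lines as
produced by `ypcat passwd`; the sample below is constructed, not a real map.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Traditional crypt(3) output: 2-character salt + 11-character hash, all from
# the 64-character hash alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$salt$hash (a Linux/BSD libc extension).
MCF_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")
MCF_SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}

# Constructed sample map (hash strings are made up for the example).
SAMPLE_MAP = """\
alice:N0nf6R6gA6ZjM:1001:100:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$IhyBkQw8NIJMgLgpmSMtt0:1002:100:Bob:/home/bob:/bin/bash
carol:*LK*:1003:100:Carol:/home/carol:/bin/sh
dave::1004:100:Dave:/home/dave:/bin/sh
erin:x:1005:100:Erin:/home/erin:/bin/sh
"""


@dataclass
class Finding:
    user: str
    scheme: str             # des, md5, sha256, sha512, locked, shadowed, none, unknown, malformed
    max_len: Optional[int]  # characters the scheme can distinguish (None = no fixed cap)
    interoperable: bool     # will a classic NIS(YP) client / crypt(3) accept this field?
    note: str


def classify_hash(field: str) -> tuple:
    """Return (scheme, max_len, interoperable, note) for one password field."""
    if field == "":
        return ("none", None, True, "empty field: no password required")
    if field == "x":
        return ("shadowed", None, True, "hash kept elsewhere (shadow/passwd.adjunct), not in this map")
    if field.startswith(("*", "!")):
        return ("locked", None, True, "locked or impossible hash: no password matches")
    if DES_RE.match(field):
        # Traditional crypt(3) derives its DES key from at most the first 8
        # characters, so characters 9 onwards never influence the hash.
        return ("des", 8, True, "traditional DES crypt: readable by every NIS client, crackable offline")
    m = MCF_RE.match(field)
    if m:
        scheme = MCF_SCHEMES.get(m.group("id"), "unknown")
        return (scheme, None, False, "modular crypt '$%s$': libc extension, not classic NIS(YP)" % m.group("id"))
    return ("unknown", None, False, "unrecognised password field")


def audit(map_lines) -> list:
    """Classify every non-comment line of a passwd map; malformed lines are reported, not dropped."""
    findings = []
    for raw in map_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append(Finding(fields[0], "malformed", None, False, "fewer than 7 passwd fields"))
            continue
        scheme, max_len, ok, note = classify_hash(fields[1])
        findings.append(Finding(fields[0], scheme, max_len, ok, note))
    return findings


def summarize(findings) -> dict:
    """Group users by the three conditions an admin cares about."""
    classic = {"des", "locked", "shadowed", "none", "malformed"}
    return {
        "des_exposed": [f.user for f in findings if f.scheme == "des"],
        "non_yp_extension": [f.user for f in findings if f.scheme not in classic],
        "no_password": [f.user for f in findings if f.scheme == "none"],
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_MAP.splitlines())
    for f in findings:
        limit = "max %d chars" % f.max_len if f.max_len else "no fixed cap"
        print("%-8s %-9s %-14s yp-compatible=%-5s %s" % (f.user, f.scheme, limit, f.interoperable, f.note))
    print(summarize(findings))
```

Run it against a real dump with `ypcat passwd | python3 audit_map.py` after replacing `SAMPLE_MAP.splitlines()` with `sys.stdin`; anything listed under `des_exposed` is what an offline cracker sees, and anything under `non_yp_extension` is what a traditional NIS client will fail to verify.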

In summary, I suggest that the Linux ypserv/rpc.yppasswd is not changed
to do this by default, and that if it is changed then it is made clear to
the admin when it is set up that enabling such a feature means they are
no longer running traditional NIS(YP), that interoperability with other
systems will probably be broken, and that this is because they have enabled
this non-standard extension.

--
Darren J Moffat
