Bugtraq mailing list archives
Re: NIS security advisory : password method downgrade
From: darren.moffat () SUNUK UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Mon, 24 Jan 2000 11:40:03 +0000
The dish of the day is the Yellow Pages/NIS (NYS?) suite shipped with the pristine RedHat 6.1. After a standard blank installation the rpc.yppasswd (when used via ypasswd by domain lusers from all over the place) shamelessly uses the old (deprecated?) 8-character-limited des
This is required to make it NIS(YP) otherwise it won't be able to interoperate with other systems running NIS. The md5 and other alternate passwords are Linux/BSD extensions to the password table/map that are not available in a lot of other UNIX systems. Handing out md5 encrypted passwords means that is no longer NIS(YP) but some Linux extension - if a commercial vendor did this lots of people would complain about proprietary incompatible extensions to an open protocol. It would be much better to run NIS+ or LDAP as your naming service if you are concerned about people running password crackers over your passwd table/map. NIS+ and LDAP allow you to control which users can actually see the encrypted password when a getpw*() call is made. This can be done because they have the concept of row & column permissions much like a standard UNIX filesystem. NIS has several other fundamental security short comings that have been solved in NIS+ and other more modern naming services. If you are concerned about security of your naming service you really shouldn't be using NIS at all.
place) shamelessly uses the old (deprecated?) 8-character-limited des password encryption, butt-slapping the idea of site security and raising from their graves old pwcracks and John the Rippers that could easily bruteforce into your password files. Thus your new shiny
md5 >crypted shadow is gone, and the 8-chars passwords are back. Secondly the encryption algorithm used in traditional UNIX passwords is not itself limited to 8-chars. Traditionally passwords in UNIX were limited to 8-chars because login and friends called getpass() which is defined to return a string of 8-chars + null. Now Solaris, Linux and possibly others use PAM and the PAM conversation functions tend to call getpassphrase() or other functions (possibly GUIs) that make the new limit 256-chars. In summary I suggest that the Linux ypserv/rpc.yppasswd is not changed to do this by default and it if it changed then it is made clear to the admin when it is setup that enabling such a feature means they are nolonger running traditional NIS(YP) and interoperability with other systems will probably be broken and this is because they have enabled this non standard extension. -- Darren J Moffat
Current thread:
- NIS security advisory : password method downgrade Stefan Laudat (Jan 21)
- Re: NIS security advisory : password method downgrade Thorsten Kukuk (Jan 23)
- VMware 1.1.2 Symlink Vulnerability harikiri (Jan 24)
- Re: VMware 1.1.2 Symlink Vulnerability Oinos (Jan 24)
- <Possible follow-ups>
- Re: NIS security advisory : password method downgrade Darren Moffat - Solaris Sustaining Engineering (Jan 24)