Re: Re: Re: Re: What did I do right?
Well, ypcat may truly reveal the shadow password list (and you can read
it with a sniffer), but what about authentication?
Maybe while authenticating users, only the master server compares the user
password with the password list on its local machine and just returns a
yes/no reply? (Sort of an opposite challenge/response mechanism)
Anyway, shadow passwords are supposed to be tough to crack, aren't they?
From: Alex Shnitman <alexsh@hectic.net>
Sent by: linux-il-bounce@cs.huji.ac.il
Date: 08/10/99 16:51
To: ILUG <linux-il@cs.huji.ac.il>
Cc:
Subject: Re: Re: Re: What did I do right?
On Fri, Oct 08, 1999 at 03:55:56PM +0200, guy keren wrote:
> > The client machine had to be configured to use shadow passwords in order to
> > correctly authenticate users.
> > For the second point - I've added a new user on the master machine named
> > "test" that didn't exist on either of them. This was my test case all
> > along.
>
> then this means that the shadow passwords are being transferred over the
> network from the NIS master to the client. this means that any sniffer can
> catch the (encrypted) passwords and try to crack them, or any user can try
> to ypcat the shadow passwords map. this puts a lot of light on your
> shadowed passwords - does it not? how does NIS protect you from these
> types of attacks?
I don't know how exactly his configuration works, but FWIW if you're
using shadow passwords from a Solaris server, a user cannot ypcat
passwd.adjunct, only root can. And if you're going to authenticate
users from a central service on the network, be it NIS or anything
else, how can you prevent the sniffing problem? Short of using
something totally different a la Kerberos, you can't. (Am I right that
Kerberos uses a challenge-response scheme that alleviates the sniffing
problem?)
--
Alex Shnitman | http://www.debian.org
alexsh@hectic.net, alexsh@linux.org.il +-----------------------
http://alexsh.hectic.net UIN 188956 PGP key on web page
E1 F2 7B 6C A0 31 80 28 63 B8 02 BA 65 C7 8B BA
The best way to accelerate a Windows NT server is at 9.8 m/s^2.
-- Shaul Rosenzweig
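
A defender's check for the exposure discussed in this thread, as an added example that is not part of the original messages: it classifies the password field of passwd-format map entries (the format `ypcat passwd` prints) and reports accounts whose hash, or lack of a password, is readable in the map. The function names, sample lines and hash strings are constructed for illustration.

```python
import re

# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$salt$hash (for example $1$ for MD5-crypt).
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$[^$]*\$[./0-9A-Za-z]+$")


def classify_field(pw):
    """Classify the second field of a passwd-format entry."""
    if pw == "":
        return "empty"        # account has no password at all
    if pw == "x" or pw.startswith("##"):
        return "placeholder"  # hash kept elsewhere (shadow / passwd.adjunct)
    if pw.startswith(("!", "*")):
        return "locked"       # e.g. "*", "!!", "*LK*"
    if DES_CRYPT.match(pw) or MODULAR_CRYPT.match(pw):
        return "hash"         # crackable material visible in the map
    return "unknown"


def exposed_accounts(lines):
    """Return (user, kind) for entries whose field is a hash or empty."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd-format entry
        kind = classify_field(fields[1])
        if kind in ("hash", "empty"):
            findings.append((fields[0], kind))
    return findings


# Constructed sample map; the hash strings are placeholders, not real hashes.
SAMPLE_MAP = """\
alice:abCONSTRUCTED:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:##carol:1003:100:Carol:/home/carol:/bin/sh
dave:$1$CONSTRCT$SAMPLEONLYnotARealHash:1004:100:Dave:/home/dave:/bin/sh
erin:*LK*:1005:100:Erin:/home/erin:/bin/sh
test::1006:100:Test:/home/test:/bin/sh
"""

if __name__ == "__main__":
    for user, kind in exposed_accounts(SAMPLE_MAP.splitlines()):
        print(f"{user}: {kind} readable in map")
```

Run it against the map as an unprivileged user on a client sees it; a `hash` result means that value is available to any user who can query the map and to anyone able to capture the map transfer.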