Re: Subject: Re: What did I do right?
On Fri, Oct 08, 1999 at 03:55:56PM +0200, guy keren wrote:
> > The client machine had to be configured to use shadow passwords in order to
> > correctly authenticate users.
> > For the second point - I've added a new user on the master machine named
> > "test" that didn't exist on either of them. This was my test case all
> > along.
>
> Then this means that the shadow passwords are being transferred over the
> network from the NIS master to the client. This means that any sniffer can
> catch the (encrypted) passwords and try to crack them, or any user can try
> to ypcat the shadow passwords map. This puts a lot of light on your
> shadowed passwords - does it not? How does NIS protect you from these
> types of attacks?
I don't know how exactly his configuration works, but FWIW if you're
using shadow passwords from a Solaris server, a user cannot ypcat
passwd.adjunct, only root can. And if you're going to authenticate
users from a central service on the network, be it NIS or anything
else, how can you prevent the sniffing problem? Short of using
something totally different a la Kerberos, you can't. (Am I right that
Kerberos uses a challenge-response scheme that alleviates the sniffing
problem?)
--
Alex Shnitman | http://www.debian.org
alexsh@hectic.net, alexsh@linux.org.il
http://alexsh.hectic.net UIN 188956 PGP key on web page
E1 F2 7B 6C A0 31 80 28 63 B8 02 BA 65 C7 8B BA
The best way to accelerate a Windows NT server is at 9.8 m/s^2.
-- Shaul Rosenzweig
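The contrast the thread draws (with NIS the password hash itself crosses the wire and can be sniffed or ypcat'ed, while a challenge-response scheme only ever sends a fresh nonce and a keyed answer to it) can be seen in a small simulation. The following is an added illustration, not code from anyone in this thread and not Kerberos: Kerberos uses tickets and session keys rather than a bare HMAC, and this toy only captures the one property the message asks about, that the long-term secret never appears on the wire and a captured exchange cannot be replayed. The user "test", the password, the salt and the PBKDF2/HMAC-SHA256 choices are all constructed here.

```python
"""Toy challenge-response login: a constructed example, not Kerberos and not
anything from the original thread. Both sides hold a long-term key derived
from the password; only a random nonce and an HMAC over it ever cross the wire."""
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    # Long-term key shared by client and server; it is never transmitted.
    # (Constructed choice: PBKDF2-HMAC-SHA256; the 1999 thread used crypt(3).)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self, users):
        # users: {name: (salt, key)} - the server's verifier database
        self.users = users
        self.pending = {}   # name -> outstanding challenge
        self.used = set()   # challenges already consumed (replay defence)

    def challenge(self, name: str) -> bytes:
        # Fresh, unpredictable nonce per login attempt.
        nonce = secrets.token_bytes(16)
        self.pending[name] = nonce
        return nonce

    def verify(self, name: str, nonce: bytes, response: bytes) -> bool:
        expected_nonce = self.pending.pop(name, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used:
            return False            # unknown, stale or replayed challenge
        self.used.add(nonce)
        _salt, key = self.users[name]
        expected = hmac.new(key, nonce, "sha256").digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    # The client proves it holds the key without sending it.
    return hmac.new(key, nonce, "sha256").digest()


def run_login(server: Server, name: str, key: bytes, wire_log: list) -> bool:
    """One login; wire_log records exactly what a passive sniffer would see."""
    nonce = server.challenge(name)
    wire_log.append(("challenge", nonce))
    resp = client_respond(key, nonce)
    wire_log.append(("response", resp))
    return server.verify(name, nonce, resp)


def replay_captured(server: Server, name: str, wire_log: list) -> bool:
    """A sniffer replays the last captured exchange; the server rejects it."""
    nonce = wire_log[-2][1]
    resp = wire_log[-1][1]
    server.challenge(name)     # the new session gets a different nonce
    return server.verify(name, nonce, resp)


def wire_leaks_secret(wire_log: list, password: str, key: bytes) -> bool:
    """True if the password or the long-term key appeared on the wire."""
    return any(password.encode() in blob or key in blob for _, blob in wire_log)


if __name__ == "__main__":
    salt = b"constructed-salt"            # constructed sample data
    key = derive_key("hunter2", salt)
    srv = Server({"test": (salt, key)})
    log = []
    print("login ok:      ", run_login(srv, "test", key, log))
    print("replay ok:     ", replay_captured(srv, "test", log))
    print("secret on wire:", wire_leaks_secret(log, "hunter2", key))
```

With NIS the equivalent of `wire_leaks_secret` would be true by construction, because the shadow map (the hashes themselves) is what the client fetches; an observer who has the hash can work on it offline at leisure. Here the observer sees a nonce and a MAC bound to that nonce, neither of which is accepted a second time, which is the property the message's parenthetical question is about.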