
Subject: Re: Subject: Re: What did I do right?




Well, maybe ypcat truly reveals the shadow password list (and you can read
it with a sniffer), but what about authentication?
Maybe while authenticating users, only the master server compares the user
password with the password list on its local machine and just returns a
yes/no reply? (Sort of an opposite challenge/response mechanism)

Anyway, shadow passwords are supposed to be tough to crack, aren't they?


From:    Alex Shnitman <alexsh@hectic.net>
Sent by: linux-il-bounce@cs.huji.ac.il
To:      ILUG <linux-il@cs.huji.ac.il>
cc:
Subject: Re: Subject: Re: What did I do right?
Date:    08/10/99 16:51




On Fri, Oct 08, 1999 at 03:55:56PM +0200, guy keren wrote:

> > The client machine had to be configured to use shadow passwords in order to
> > correctly authenticate users.
> > For the second point - I've added a new user on the master machine named
> > "test" that didn't exist on either of them. This was my test case all
> > along.
>
> then this means that the shadow passwords are being transferred over the
> network from the NIS master to the client. this means that any sniffer can
> catch the (encrypted) passwords and try to crack them, or any user can try
> to ypcat the shadow passwords map. this puts a lot of light on your
> shadowed passwords - does it not? how does NIS protect you from these
> types of attacks?

I don't know how exactly his configuration works, but FWIW if you're
using shadow passwords from a Solaris server, a user cannot ypcat
passwd.adjunct, only root can. And if you're going to authenticate
users from a central service on the network, be it NIS or anything
else, how can you prevent the sniffing problem? Short of using
something totally different a la Kerberos, you can't. (Am I right that
Kerberos uses a challenge-response scheme that alleviates the sniffing
problem?)


--
Alex Shnitman                            | http://www.debian.org
alexsh@hectic.net, alexsh@linux.org.il   +-----------------------
http://alexsh.hectic.net    UIN 188956    PGP key on web page
       E1 F2 7B 6C A0 31 80 28  63 B8 02 BA 65 C7 8B BA

The best way to accelerate a Windows NT server is at 9.8 m/s^2.
           -- Shaul Rosenzweig
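The two models compared in this thread, the NIS map entry (password hash) being served to the client for a local comparison versus a challenge/response exchange in which the secret itself never crosses the wire, as a toy Python model added here; it is not code from the thread, and the user name, salt and sample password are constructed. The `wire` list records what a passive sniffer on the network would capture in each case.

```python
"""Toy model: NIS-style hash distribution vs. a challenge/response verifier."""
import hashlib
import hmac
import os

# Constructed sample data: a salted hash as it might sit in a shadow map.
SALT = b"constructed-salt"
SHADOW_MAP = {"test": hashlib.sha256(SALT + b"correct horse").hexdigest()}

def nis_style_login(username, password, wire):
    """Model A: the map entry is sent to the client, which compares locally.
    The stored hash therefore appears on the wire and can be guessed offline."""
    entry = SHADOW_MAP[username]
    wire.append(("map-entry", username, entry))
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(entry, candidate)

class ChallengeResponseServer:
    """Model B: only a one-time nonce and a keyed response cross the wire.
    Caveat: the server-side key is password-equivalent, so the server's own
    store still needs the same protection as a root-only shadow file."""
    def __init__(self):
        self.keys = {"test": hashlib.sha256(SALT + b"correct horse").digest()}
        self.outstanding = {}          # username -> nonce awaiting a response

    def challenge(self, username, wire):
        nonce = os.urandom(16)
        self.outstanding[username] = nonce
        wire.append(("challenge", username, nonce.hex()))
        return nonce

    def verify(self, username, response, wire):
        nonce = self.outstanding.pop(username, None)   # single use: replay fails
        wire.append(("response", username, response.hex()))
        if nonce is None:
            return False
        expected = hmac.new(self.keys[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password, nonce):
    key = hashlib.sha256(SALT + password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()

def sniffer_sees_stored_hash(wire):
    return any(kind == "map-entry" for kind, *_ in wire)

def demo():
    wire_a, wire_b = [], []
    ok_a = nis_style_login("test", "correct horse", wire_a)
    srv = ChallengeResponseServer()
    resp = client_response("correct horse", srv.challenge("test", wire_b))
    ok_b = srv.verify("test", resp, wire_b)
    replay_ok = srv.verify("test", resp, wire_b)     # replaying the sniffed response
    return ok_a, ok_b, replay_ok, sniffer_sees_stored_hash(wire_a), sniffer_sees_stored_hash(wire_b)
```

`demo()` returns `(True, True, False, True, False)`: both models authenticate the right password, but only model A leaks the stored hash to the sniffer, and a captured model B response is rejected when replayed.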