SUMMARY: Shadowing the NIS passwd file

From: vnarayan@ACC.HAVERFORD.EDU
Date: Thu Sep 16 1993 - 19:32:47 CDT


My original posting was:

Hi Sun Managers,

We have about 3500 NIS accounts and very few users are aware of the
importance of using a password that cannot be cracked. Also, we do not
want to enforce restrictions on what kinds of passwords they can use
because we are moving from a VAX to a UNIX environment and we do not want
our influential-VAX-addicts to complain about UNIX. And then, we have our
bored students who like to run password crackers like COPS on yp passwd to
find crackable passwords. So we thought that hiding the encrypted
passwords in passwd.adjunct (using C2conv without really turning on
auditing) would be a good way to deal with the situation because 'ypcat
passwd' will not show the encrypted passwords. The instructor at my Sun
Admin class said it would work and gave me instructions on how to do it.
This seemed like a good idea until I talked to a Sun Support Engineer who
told me that even if we shadowed the password, the users would be able to
access the encrypted password using 'ypcat passwd.adjunct'.

I'm interested in hearing about: 1) How have you dealt with the problem
of users running password crackers on the NIS passwd map? 2) Your thoughts
on running C2 Security in a university setting.

-----------------------------------------------------------------------------
The summary is that you can hide the NIS password file in the
passwd.adjunct file on the NIS master; the users will not be able to
access the passwd.adjunct file by doing 'ypcat passwd.adjunct'. I
received three very helpful responses to my posting which I'll paste after
my summary. With the help of these three responses I got the Sun Tech
Support Engineer to discover something he did not know before! I'll paste
his mail at the bottom of this message. Sorry for the delayed summary.
Since I individually replied and thanked all three who responded to my
posting, it took me a while to post the summary.

Vasantha Narayanan
Academic Computing Center
Haverford College, PA email: vnarayan@haverford.edu

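As an added example (not part of the thread), here is a small POSIX shell check a NIS administrator can run over the output of 'ypcat passwd' to confirm that every entry's password field carries the passwd.adjunct placeholder ('##' followed by the login name) or a locked marker, rather than a crypt(3) hash that any client could feed to a cracker. The sample map text and the hash-looking value in it are constructed for the example.

```shell
#!/bin/sh
# check_passwd_map: read NIS passwd-map lines on stdin and report every entry
# whose password field still holds something crackable. Exit status is 0 when
# nothing is exposed, 1 otherwise, so it can be used from cron or a script.
check_passwd_map() {
    awk -F: '
        NF < 2 { next }                      # skip blank or malformed lines
        {
            user = $1; pw = $2
            # C2 / passwd.adjunct convention: field 2 is "##" + login name
            if (pw == "##" user) next
            # locked accounts ("*", "*LK*", ...) and "x" expose no hash
            if (pw == "x" || pw ~ /^\*/) next
            # an empty field means no password at all: worth reporting too
            if (pw == "") { print "NOPASSWD: " user; exposed++; next }
            # anything else is a hash readable by every NIS client
            print "EXPOSED: " user ":" pw
            exposed++
        }
        END { if (exposed) exit 1 }
    '
}

# Constructed sample of "ypcat passwd" output: alice and carol are shadowed,
# bob's entry still carries a (made-up) 13-character crypt hash.
SAMPLE_MAP='alice:##alice:1001:100:Alice:/home/alice:/bin/sh
bob:AbCdEfGhIjKlM:1002:100:Bob:/home/bob:/bin/csh
carol:*:1003:100:Carol:/home/carol:/bin/sh'

if printf '%s\n' "$SAMPLE_MAP" | check_passwd_map; then
    echo "no hashes exposed in the passwd map"
else
    echo "hashes exposed: passwd.adjunct shadowing is incomplete"
fi
```

On a real client run it as 'ypcat passwd | check_passwd_map' from an ordinary account; the same account should get 'no such map in server's domain' from 'ypcat passwd.adjunct.byname'.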
--------------------------------
Here are the responses I received:

The instructor is correct, the engineer is wrong. 'ypcat passwd.adjunct'
will never work. 'ypcat passwd.adjunct.byname' will only work for root
on a client machine. If you can ensure that your users will not be root
on the clients, you're set.

Be sure and get patch 100482-04, which helps prevent root on other machines on
the internet from getting your passwd.adjunct map.

John

--
John DiMarco                                              jdd@cdf.toronto.edu
Computing Disciplines Facility Systems Manager            jdd@cdf.utoronto.ca
University of Toronto                                     EA201B,(416)978-1928
-------------------------------------------------------------------------------

1) I made ypcat and ypmatch belong to the operator group with mode 750 .... But a whizz kid would write his own ypcat or ypmatch or even get the sources off the net (yes, a free version of the clients is on the net).

I also put the yppasswd file in /var/yp/src/passwd, where src belongs to root and is set to 750. This way even if they are on the ypserver they can't get at the ypfiles.

I know it's an imperfect solution in an imperfect world.

On Solaris 2 this problem is gone.

2) If you've got resources to waste ..... do it. But otherwise ....

I only played a few days with C2 so I have no real opinion on this.

Yves
--
/ Yves.Morin@BComeau.Hydro.Qc.CA \ We are SUN ... Resistance is futile
\ Hydro Quebec, Dam safety       / You will be assimilated
/ #define MY_OPINION TRUE        \ 4.1.3 will be obsoleted
\ Tel:418-294-3531 Fax:418-294-3307 / Yves Morin :)
---------------------------------------------------------------------------

Just do it.

You must be root to get anything from 'ypcat passwd.adjunct'; as a user you get 'no such map in server's domain'.

--
#include <std/*>
The Butcher
Butch Deal deal@ait.nrl.navy.mil
-------------------------------------------------------------------------------

Sun Engineer's final response:

Subject: RE: so#1361236 - nis security
To: vnarayan@ACC.HAVERFORD.EDU

Vasandha,

Well, there is egg on my face today. After checking the configuration we were able to get the behavior your friends described. ypcat and ypmatch can no longer access passwd.adjunct.byname. What I believe has happened is the bug was fixed and the report was not updated. Thank you for putting me straight on this issue.



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:15 CDT