The problem:
> I have been charged with implementing the concept of
> a "shadow" password file for all our workstations.
>
>
> Our current setup:
>
> 1) We rely exclusively on NIS.
> 2) We run both SunOS 4.1.[3|4] and Solaris 2.4
> 3) Our current NIS master is a SunOS 4.1.3 box.
>
> 4) We have a smattering of AIX, HPUX and IRIX machines.
>
> Our needs:
>
> - To make the passwords inaccessible to a crack program - i.e.
> any publicly readable password files must not contain passwords, and
> any networked password files (read: the NIS passwd database)
> must not contain the passwords.
>
> Commercial and/or shareware/freeware solutions would be
> greatly appreciated. I could use any help as I do not know
> where to begin.
>
The answer to the question:
There wasn't a very satisfactory (easy/cheap/doable)
answer given.
For Suns, it was suggested running C2 security on a 4.1.x machine and
then serving out NIS.
An alternative was running NIS+.
No one suggested a plan for all the platforms or would say that they
had something working across all platforms.
If I get the resources, I may try NIS+ across all the platforms to
see if this works. (When all the OSes support NIS+.)
Other Issues:
Sniffing:
We are well aware of the capability to sniff passwords off our
network. Making the password unreachable via a shadow
password file will not solve this
problem. As was pointed out, passwords - encrypted or not -
will travel the wire, can be captured and read or cracked.
This person suggested something like SecureId. We already
use this in a limited capacity for selected machines.
We are scheming on implementing
this, but I don't know if it will go anywhere.
From: fetrow@biostat.washington.edu
" That is of limited use; if someone is running a password sniffer
on your subnet you are screwed even WITH shadow passwords (as the
passwords go by on the network they are sniffed and emailed [or
otherwise sent] to the cracker elsewhere. Note that Suns, as
factory configured, are really EXCELLENT password sniffers).
What you really want is something like skey or SecureID which
implement "1 time passwords"; passwords that can be used only once.
Skey is non-commercial from AT&T and you can get source for free
(A fully open similar scheme is being worked on). The downside is
you need a portable PC to generate the passwords (or carry a slip
of paper with the passwords). SecureID is slicker; you carry a credit-card
sized doohickey that generates the 1 time passwords. It costs money."
Cracking:
Use crack to break the passwords - get people to change their
password based on cracks results.
Passwd+ or npasswd:
Programs that force people to choose good passwords.
The last time I checked, they didn't support NIS or NIS+.
I may reinvestigate.
Use something like Kerberos to encrypt the traffic:
Final Thoughts:
As far as I can tell, something like SecureID is the only 100% solution.
Perhaps, Kerberos is also, but I have no experience with it.
Crack, passwd+, NIS+ .... may reduce the exposure, but they do not
eliminate it.
In its primitive form, this is basically risk management and one
has to decide how much to pay, in money and time, for how much
insurance.
Yes, I am 1/2 Slovak but do not speak Slovak.
My return address only gets propagated incorrectly through this
mailing list (as far as I can tell). I think it has
something to do with parentheses in the gecos field.
Thanks to all those who responded, and have a great day.
Responders:
hendefd@mail.auburn.edu
jamesm@matrix.newpaltz.edu
eclrh@sun.leeds.ac.uk
sunlist@mendel.UCSC.EDU
mmyers@willamette.edu
fetrow@biostat.washington.edu
perryh@pluto.rain.com
misik@alpha.dcs.fmph.uniba.sk
grobi@uni-paderborn.de
If I left you out, it was by mistake.
Paul
******************************************************************************
Paul Slezak z85030@uprc.com
Union Pacific Resources (817)-877-6061
P.O. Box 7 M.S. 2806 FAX: (817)-877-6598
Fort Worth, TX 76101
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:29 CDT
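The "1 time password" scheme fetrow's reply refers to (S/Key) works as a hash chain: the client holds a secret, the server holds only the most recently proven link of the chain, and each login reveals the previous link, which a sniffer cannot reuse (the server has moved on) and cannot extend (the next value is a hash preimage). The Python below is an added illustration and is not code from this post, from any responder, or from an S/Key release: it substitutes SHA-256 for S/Key's MD4-based step function and raw bytes for its six-word encoding, and the user secret, seed and chain length are constructed values.

```python
"""S/Key-style one-time password chain (constructed illustration)."""
import hashlib
import secrets


def skey_hash(value: bytes) -> bytes:
    # Stand-in for the S/Key step function (the original used MD4 folded
    # to 64 bits); any one-way hash gives the same chain structure.
    return hashlib.sha256(value).digest()


def generate_chain(secret: bytes, seed: str, count: int) -> list:
    """Return [H^0, H^1, ..., H^count] with H^0 = hash(seed || secret)."""
    chain = [skey_hash(seed.encode() + secret)]
    for _ in range(count):
        chain.append(skey_hash(chain[-1]))
    return chain


class SkeyServer:
    """Server side: stores only the top of the chain, never the secret.

    A copy of this state (or a sniffed response) cannot produce the next
    valid password, because that would require inverting the hash.
    """

    def __init__(self, seed: str, last_otp: bytes, sequence: int):
        self.seed = seed
        self.last_otp = last_otp    # H^n, the last value the client proved
        self.sequence = sequence    # logins remaining before re-enrollment

    def challenge(self):
        # Sent in the clear; reveals nothing a sniffer can use on its own.
        return self.sequence, self.seed

    def verify(self, candidate: bytes) -> bool:
        # Candidate must be H^(n-1): hashing it once yields the stored H^n.
        if self.sequence <= 0:
            return False
        if not secrets.compare_digest(skey_hash(candidate), self.last_otp):
            return False
        # Advance the chain so the same response can never be accepted twice.
        self.last_otp = candidate
        self.sequence -= 1
        return True


def client_response(secret: bytes, seed: str, sequence: int) -> bytes:
    """Client side: answer challenge (sequence, seed) with H^(sequence-1)."""
    return generate_chain(secret, seed, sequence - 1)[-1]


def enroll(secret: bytes, seed: str, count: int) -> SkeyServer:
    """One-time setup: the server receives only H^count and the counter."""
    return SkeyServer(seed, generate_chain(secret, seed, count)[-1], count)


def run_demo() -> dict:
    secret = b"correct horse battery"      # constructed user passphrase
    server = enroll(secret, "ws01", 5)      # constructed seed, 5 logins
    results = {}

    seq, seed = server.challenge()
    otp1 = client_response(secret, seed, seq)
    results["first_login"] = server.verify(otp1)

    # An attacker who sniffed otp1 off the wire replays it: rejected.
    results["replay_rejected"] = not server.verify(otp1)

    seq, seed = server.challenge()
    otp2 = client_response(secret, seed, seq)
    results["second_login"] = server.verify(otp2)
    results["sequence_left"] = server.sequence
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay check is the property the reply is after: a password captured by a sniffer is worthless once the legitimate login has completed, which a shadow file alone does not provide. The practical cost is the one fetrow names, namely that the client must compute H^(sequence-1) somewhere, on a portable machine or from a pre-printed list.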