> After finally getting around to changing my NIS setup to keep passwds
> in the passwd.adjunct file I've discovered that it's still possible
> for NIS clients to retrieve my encrypted passwords.
Thank you all for the quick and concise responses.
Casper Dik <Casper.Dik@holland.sun.com>
Stephen Johnston <sjohnsto@eso.org>
Chris Tilbury <Chris.Tilbury@warwick.ac.uk>
Jim Matthews <j.w.matthews@home.com>
Gabriel Rosenkoetter <gr@cs.swarthmore.edu>
Mark Hargrave <hargrme@wisdom.maf.nasa.gov>
Mike Salehi <mike.salehi@kodak.com>
The answer is quite straightforward as everybody has pointed out.
With the passwd.adjunct file in place the ypserver ONLY responds
to client requests originating from privileged ports (0-1023).
This just blocks user processes from getting the encrypted passwords.
The NIS server must provide the passwords to a root process,
otherwise there would be no way for the client to verify the
cleartext taken in by the login process.
This is why:
    [ROOT@client] ypmatch -k USER passwd.adjunct.byname
gets me USER's encrypted password from the passwd table, and
    [USER@nis-client] ypmatch -k USER passwd.adjunct.byname
fails with a "Reason: No such map in server's" error.
Alan
+--------------------------------------------------------------------+
| Alan Miller BinTec Communications AG |
| System/Network Administrator Südwestpark 94 |
| Voice: +49 911 96 73 14 55 D-90449, Nürnberg |
| Fax: +49 911 96 73 14 99 Germany |
| mailto:alan@bintec.de http://www.BinTec.de |
+--------------------------------------------------------------------+
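A check to run after the migration described in this message, as an added example (not from the original post or its respondents): it reads passwd-format lines, such as the output of `ypcat passwd`, and lists accounts whose password field still holds something other than the adjunct marker. It assumes the SunOS/Solaris convention that accounts moved to passwd.adjunct carry `##username` in the passwd map; the function name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit a passwd map for entries that were NOT moved to
# passwd.adjunct. Any unprivileged process can read the passwd map, so a
# hash left there is exposed regardless of the privileged-port check.
# Typical use on a client:  ypcat passwd | exposed_hashes

exposed_hashes() {
    awk -F: '
        NF < 7          { next }   # not a full passwd entry
        $1 ~ /^[+-]/    { next }   # NIS compat include/exclude lines
        {
            user = $1; pw = $2
            if (pw == "##" user) next              # hash lives in passwd.adjunct
            if (pw ~ /^##/) { print user ":marker-mismatch"; next }
            if (pw == "")   { print user ":empty"; next }
            # locked or placeholder fields (*, *LK*, !, x, NP) carry no hash
            if (pw ~ /^[*!]/ || pw == "x" || pw == "NP") next
            print user ":hash"                      # still a crypt string
        }'
}

# Constructed sample map contents (the hash string is made up).
SAMPLE='alice:##alice:1001:10:Alice:/home/alice:/bin/sh
bob:aaQ9xkE2hNdYs:1002:10:Bob:/home/bob:/bin/sh
carol:*LK*:1003:10:Carol:/home/carol:/bin/sh
dave:##dave:1004:10:Dave:/home/dave:/bin/csh
erin::1005:10:Erin:/home/erin:/bin/sh'

printf '%s\n' "$SAMPLE" | exposed_hashes
```

An empty result means every account in the map points at passwd.adjunct or is locked.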
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:18 CDT