Subject: Re: YP (NIS) and NetBSD
To: None <jkunz@unixag-kl.fh-kl.de>
From: Aaron J. Grier <agrier@poofy.goof.com>
List: port-vax
Date: 07/08/1999 10:21:43
On Mon, Jul 05, 1999 at 10:08:30PM +0200, jkunz@unixag-kl.fh-kl.de wrote:

> In an insecure network environment I HIGHLY recommend to copy
> /etc/passwd and /etc/master.passwd to /var/yp and delete all entries
> that do not belong to ordinary users. Especially you should delete the
> line of the root account.

Yes, a good idea.

> The problem is that the whole /etc/master.passwd will be exported
> over the network and every user can get the encrypted passwds by typing
> 'ypcat passwd'.

However, isn't there a way to do shadowed passwords over NIS?  I remember
Solaris being able to do this, but maybe it's specific to NIS+.

> A little bit of crack and ...

So people can't brute force crack the root password, but they can still
brute force a user account, and leverage a root account from there.
Agreed, this is better than being able to attack the root password
directly, but there has got to be a more secure solution.  (Not that I'm
terribly worried about stack smash exploits on my DECStations or VAXen,
but it seems that in the unix world, NIS and NFS still remain two of
the largest security problems...)

----
  Aaron J. Grier  | "Not your ordinary poofy goof." | agrier@poofy.goof.com
   "I really admire your perverse mastery of the SPARC branch delay slot,
      Dave.  Or is it your mastery of the perverse branch delay slot?"
	          -- Joe Martin to Dave S. Miller on linux-kernel
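The trimming step the quoted post recommends (a copy of master.passwd under /var/yp with root and the other non-user accounts removed), written out as an added shell example. This is not code from the thread or from NetBSD; it assumes the classic ten-field master.passwd layout, treats accounts with a uid below a chosen threshold or a nologin/false shell as "not ordinary users", and drops root unconditionally. The sample input is constructed, not real password data.

```shell
#!/bin/sh
# Added example, not from the original post.  Produce a trimmed copy of
# master.passwd suitable for /var/yp: keep only ordinary user accounts.
# Assumptions (not stated on the page): ordinary users have uid >= MIN_UID
# and a real login shell; root and system accounts are dropped.

# filter_passwd MIN_UID < master.passwd
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
filter_passwd() {
    awk -F: -v min="$1" '
        /^#/ || NF < 10          { next }   # skip comments and malformed lines
        $1 == "root"             { next }   # never export root, whatever its uid
        $3 + 0 < min + 0         { next }   # drop system accounts below MIN_UID
        $10 ~ /(nologin|\/false)$/ { next } # drop accounts that cannot log in
        { print }
    '
}

# Constructed sample input (fake hashes, fake users), used for the demo only.
SAMPLE='root:$1$xx:0:0:daemon:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/usr/guest/operator:/sbin/nologin
alice:$1$yy:1000:100::0:0:Alice:/home/alice:/bin/sh
bob:$1$zz:1001:100::0:0:Bob:/home/bob:/bin/csh
svc:*:1002:100::0:0:Service:/nonexistent:/sbin/nologin'

# Names of the accounts that would be exported, space separated, for checking.
exported_users() {
    printf '%s\n' "$SAMPLE" | filter_passwd 1000 |
        awk -F: '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Usage on the sample: prints "alice bob".
exported_users
echo
```

For a real map, feed /etc/master.passwd through `filter_passwd` and keep only the result under /var/yp; the entries that remain are still readable with `ypcat passwd`, which is exactly the residual exposure the reply above complains about, so the threshold and shell checks reduce what an attacker can crack offline rather than eliminate it.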