Subject: Re: YP (NIS) and NetBSD
To: None <port-vax@netbsd.org>
From: None <jkunz@unixag-kl.fh-kl.de>
List: port-vax
Date: 07/08/1999 23:09:11
On  8 Jul, Aaron J. Grier wrote:

> However, isn't there a way to do shadowed passwords over NIS?  I remember
> solaris being able to do this, but maybe it's specific to NIS+.
Yes. NetBSD does it. A user can only get /etc/passwd respectively the
passwd.byname map with ypcat. /etc/master.passwd respectively the
master.passwd.byname map is only reachable via reserved ports. So ypcat
must run with root permissions to get the master.passwd.byname map. I
don't know exactly, but I think this is a special *BSD feature.

>> A little bit of crack and ...
>
> So people can't brute force crack the root password, but they can still
> brute force a user account, and leverage a root account from there.
Sure. But the wall is higher in the last case.

> Agreed, this is better than being able to attack the root password
> directly, but there has got to be a more secure solution.
BTW: What is Kerberos? Is there a FAQ? There is something in
/etc/inetd.conf, but there is no /usr/libexec/kpasswdd, no man pages,
...
-- 

tschüß,
         Jochen

Homepage: http://www.unixag-kl.fh-kl.de/~jkunz/
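
As an added example (not part of the original message): a small check an administrator could run over the output of an unprivileged `ypcat passwd` to confirm that the public map carries no password hashes, which is the separation between passwd.byname and master.passwd.byname described above. It assumes the public map uses a placeholder such as `*` in the password field; the function names and the sample lines are constructed for illustration.

```python
import re

# Password-field values that carry no hash (placeholders / locked markers).
PLACEHOLDERS = {"x", "!", "!!"}
# Traditional 13-char DES crypt, BSDi extended DES ("_" + 19 chars),
# or a modular "$id$..." hash.
HASH_RE = re.compile(
    r"^(?:[./0-9A-Za-z]{13}|_[./0-9A-Za-z]{19}|\$[0-9A-Za-z]+\$.+)$"
)

def classify(line):
    """Return (user, status) for one passwd-format line.

    status is 'hidden', 'exposed', 'empty', 'unknown' or 'malformed'.
    """
    fields = line.rstrip("\n").split(":")
    # passwd(5) has 7 fields, master.passwd(5) has 10; in both the
    # password is the second field.
    if len(fields) not in (7, 10):
        return (fields[0], "malformed")
    user, pw = fields[0], fields[1]
    if pw == "":
        return (user, "empty")
    if pw.startswith("*") or pw in PLACEHOLDERS:
        return (user, "hidden")
    if HASH_RE.match(pw):
        return (user, "exposed")
    return (user, "unknown")

def exposed_accounts(lines):
    """Users whose entry shows a hash or an empty password to any reader."""
    return [u for u, s in map(classify, lines) if s in ("exposed", "empty")]

# Constructed sample input: what an audit of a map dump might look like.
SAMPLE = [
    "root:*:0:0:Charlie &:/root:/bin/sh",
    "alice:*:1000:100:Alice:/home/alice:/bin/sh",
    "bob:XXconstructed:1001:100:Bob:/home/bob:/bin/sh",
    "carol:$2a$04$constructedconstructed:1002:100::0:0:Carol:/home/carol:/bin/sh",
    "not a passwd line",
]

if __name__ == "__main__":
    for user, status in map(classify, SAMPLE):
        print(f"{user!r}: {status}")
    print("needs attention:", exposed_accounts(SAMPLE))
```

An empty result from `exposed_accounts` on the public map is what the setup described in the message should produce; any name it returns means hashes are readable without root.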