Subject: Re: pseudo-shadowing of passwords with ypserv?
To: None <>
From: Michael C. Richardson <>
List: tech-net
Date: 10/06/1998 21:53:20
>>>>> "Havard" == Havard Eidnes <> writes:

    >> Let me (at least partially) object: making the occasional screen lock
    >> program fail, is a security problem, too. What do xlock{,more} do?
    >> lock?  (That are the in-tree programs that come into my mind). They,
    >> at least, should be able to deal with this.

    Havard> Install lock program suid-root, and this particular problem is
    Havard> gone.  It just might invite a few new ones, but hey! ;-)

    Havard> Isn't this the solution one has to resort to in NetBSD in a
    Havard> non-NIS environment anyway to get access to the master password
    Havard> file?  The code path to snarf the crypted strings out of the NIS
    Havard> map or the master password and then relinquishing the root privs
    Havard> should not be that difficult to inspect for security problems
    Havard> caused by making the program suid-root?

  This should be a standard program that we have: /bin/checkpass or
something. It can do the appropriate sleep if fail, etc.. I'd run it 
in a loop:
	for i in 0 1 2 3 4 5 6 7 8 9
	do checkpass

  After changing password so that I'd be sure that I'd put it in my brain

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
	ON HUMILITY: To err is human, to moo bovine.