Hello all,

I've seen that some of you noticed a lot of features about programs that downgrade the encryption method of the passwords from MD5 to DES and that should be a shame to distribution packagers.

The dish of the day is the Yellow Pages/NIS (NYS?) suite shipped with the pristine RedHat 6.1. After a standard blank installation the rpc.yppasswd (when used via yppasswd by domain lusers from all over the place) shamelessly uses the old (deprecated?) 8-character-limited DES password encryption, butt-slapping the idea of site security and raising from their graves old pwcracks and John the Rippers that could easily bruteforce into your password files. Thus your new shiny MD5 crypted shadow is gone, and the 8-chars passwords are back.

I've tested this only with RedHat 6.1 but some of you may have the opportunity to test it with other new Linux distributions and if it works please announce.

To Aleph1: do not ask for a patch as in previous bounced messages, I do not intend to take part or get involved in the YP development team, nor in the ssh team. As a full end-user I do not care about them.

To everyone: protect your NIS ports as required in the ypserv config files.

To NYS team: please provide patches for this, I love NIS, and do not make SuSE a RedHat clone (as it is), they both suck.

To kiddies: just press delete and move along next post, you are too dumb to run a password cracker.

still unemployed,

--
Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------
HELP!!!! I'm being held prisoner in /usr/games/lib!
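An added example, not part of the original post: one way for an administrator to check whether password changes have been written back as traditional DES crypt instead of MD5 crypt is to classify the hash field of each passwd-format entry (for instance the output of `ypcat passwd` saved to a file). The function names and the sample entries are constructed for illustration; the hash strings only have the right shape and are not real hashes.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash = 13 chars, no "$" prefix.
# Only the first 8 characters of the password contribute to this hash.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: "$1$" + salt of up to 8 chars + "$" + 22-char hash.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify(field):
    """Return 'des', 'md5', 'none' (no usable hash) or 'other' for a hash field."""
    value = field.lstrip("!")          # a leading "!" marks a locked account
    if value in ("", "*", "x"):        # empty, disabled, or stored elsewhere
        return "none"
    if DES_RE.match(value):
        return "des"
    if MD5_RE.match(value):
        return "md5"
    return "other"


def des_accounts(lines):
    """Return the login names whose password field is a DES crypt hash."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        if classify(parts[1]) == "des":
            flagged.append(parts[0])
    return flagged


# Constructed sample in passwd(5) format; hashes are shape-only placeholders.
SAMPLE = """\
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1001:100:Alice:/home/alice:/bin/bash
bob:ab0123456789A:1002:100:Bob:/home/bob:/bin/bash
carol:!xy.ABCDEFGHI/:1003:100:Carol:/home/carol:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
+::::::
"""

if __name__ == "__main__":
    for name in des_accounts(SAMPLE.splitlines()):
        print(f"{name}: DES crypt hash (password effectively limited to 8 chars)")
```

Running the check before and after a user changes a password through the NIS password daemon shows whether that account's entry moved from the `md5` class to the `des` class.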
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:30:10 PDT