> The dish of the day is the Yellow Pages/NIS (NYS?) suite >shipped with the pristine RedHat 6.1. After a standard blank installation >the rpc.yppasswd (when used via ypasswd by domain lusers from all over the >place) shamelessly uses the old (deprecated?) 8-character-limited des This is required to make it NIS(YP) otherwise it won't be able to interoperate with other systems running NIS. The md5 and other alternate passwords are Linux/BSD extensions to the password table/map that are not available in a lot of other UNIX systems. Handing out md5 encrypted passwords means that is no longer NIS(YP) but some Linux extension - if a commercial vendor did this lots of people would complain about proprietary incompatible extensions to an open protocol. It would be much better to run NIS+ or LDAP as your naming service if you are concerned about people running password crackers over your passwd table/map. NIS+ and LDAP allow you to control which users can actually see the encrypted password when a getpw*() call is made. This can be done because they have the concept of row & column permissions much like a standard UNIX filesystem. NIS has several other fundamental security short comings that have been solved in NIS+ and other more modern naming services. If you are concerned about security of your naming service you really shouldn't be using NIS at all. >place) shamelessly uses the old (deprecated?) 8-character-limited des >password encryption, butt-slapping the idea of site security and >raising from their graves old pwcracks and John the Rippers that >could easily bruteforce into your password files. Thus your new shiny md5 >crypted shadow is gone, and the 8-chars passwords are back. Secondly the encryption algorithm used in traditional UNIX passwords is not itself limited to 8-chars. Traditionally passwords in UNIX were limited to 8-chars because login and friends called getpass() which is defined to return a string of 8-chars + null. Now Solaris, Linux and possibly others use PAM and the PAM conversation functions tend to call getpassphrase() or other functions (possibly GUIs) that make the new limit 256-chars. In summary I suggest that the Linux ypserv/rpc.yppasswd is not changed to do this by default and it if it changed then it is made clear to the admin when it is setup that enabling such a feature means they are nolonger running traditional NIS(YP) and interoperability with other systems will probably be broken and this is because they have enabled this non standard extension. -- Darren J Moffat
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:10 PDT