[Linux-disciples] Shadow passwords and NIS
Stephen R Laniel
steve at laniels.org
Tue Jun 8 15:57:51 EDT 2004
Apparently it's a big security hole to use shadow passwords
together with NIS:
http://shorl.com/gasemavygrado
This makes sense, given that when someone logs in to a
client, the handshake would look like this:
1) user types in candidate password
2) NIS client passes password to server in the clear
3) server runs crypt(), say, checks against the shadow file,
and verifies that the password is correct
4) server tells client that password is correct
Hence someone listening in to the handshake could grab the
password off the wire.
So: what do we do instead? Installing a script on each
client that periodically downloads the shadow file from
the server -- or converts the shadow map to a standard
shadow file, then downloads *that* -- seems like an
enormous pain in the ass. There must be a better way.
What's the standard approach?
--
``We need more bunnies listening to The Connection with
Dick Gordon and less wars in Iraq.''
-Fafblog!, http://shorl.com/byhapedegradra