[Linux-disciples] Shadow passwords and NIS
Dylan Thurston
dpt at exoskeleton.math.harvard.edu
Tue Jun 8 19:35:56 EDT 2004
On Tue, Jun 08, 2004 at 03:57:51PM -0400, Stephen R Laniel wrote:
> Apparently it's a big security hole to use shadow passwords
> together with NIS:
> http://shorl.com/gasemavygrado
>
> This makes sense, given that when someone logs in to a
> client, the handshake would look like this:
>
> 1) user types in candidate password
> 2) NIS client passes password to server in the clear
> 3) server runs crypt(), say, checks against the shadow file,
> and verifies that the password is correct
> 4) server tells client that password is correct
>
> Hence someone listening in to the handshake could grab the
> password off the wire.
>
> So: what do we do instead? Installing a script on each
> client that periodically downloads the shadow file from
> the server -- or converts the shadow map to a standard
> shadow file, then downloads *that* -- seems like an
> enormous pain in the ass. There must be a better way.
>
> What's the standard approach?
Why use shadow passwords at all? If you use md5 passwords and everyone
uses secure passwords (as they should anyway), it's still secure.
Peace,
Dylan
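A check that follows from the two approaches discussed above (hashes published in the passwd map versus passwords sent to a shadow-holding server), added here and not code from either poster: it classifies the password field of each entry in a passwd map dump, as `ypcat passwd` would print it, so an admin can see which accounts publish weak DES hashes, which use the md5 scheme the reply recommends, and which are shadowed or empty. The sample map and all hash strings in it are constructed placeholders.

```python
"""Classify password fields of NIS passwd map entries (`ypcat passwd` output).
Added example, not from the thread; the SAMPLE_MAP below is constructed.
Any hash in the passwd map is readable by every NIS client, so the interesting
rows are the ones whose published hash is weak (DES) or missing entirely."""
import re

# Constructed sample map; hash strings are made-up placeholders, not real hashes.
SAMPLE_MAP = """\
alice:$1$Zq1XyZ9a$dummyMd5HashValue22chr:1001:100:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
dave::1004:100:Dave:/home/dave:/bin/bash
eve:*:1005:100:Eve:/home/eve:/bin/false
broken line without colons
"""

DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")  # traditional crypt(3): 2-char salt + 11

def classify_hash(field: str) -> str:
    """Return a label for one passwd-style password field."""
    if field == "":
        return "empty"      # no password at all: the account opens with no secret
    if field == "x" or field.startswith("##"):
        return "shadowed"   # hash kept in a separate shadow/adjunct map ("##" is SunOS style)
    if field.startswith("$1$"):
        return "md5"        # md5crypt, the scheme the reply recommends
    if field[0] in "*!":
        return "locked"     # no valid hash, login by password disabled
    if DES_RE.match(field):
        return "des"        # 8-char password limit and fast to crack once exposed
    return "unknown"

def audit_passwd_map(text: str) -> dict[str, str]:
    """Map each user in a passwd-map dump to its hash class; malformed lines are skipped."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result

def exposed_weak_accounts(text: str) -> list[str]:
    """Users whose published password field is DES or empty, i.e. the ones to fix first."""
    return sorted(u for u, c in audit_passwd_map(text).items() if c in ("des", "empty"))

if __name__ == "__main__":
    for user, kind in audit_passwd_map(SAMPLE_MAP).items():
        print(f"{user:8} {kind}")
```

Run it against the real map with `ypcat passwd | python3 audit.py` after replacing SAMPLE_MAP with `sys.stdin.read()`.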