Date:      Mon, 11 Sep 2000 08:52:22 -0500
From:      "Peter Avalos" <pavalos@theshell.com>
To:        <freebsd-questions@freebsd.org>, "Bill Paul" <wpaul@ctr.columbia.edu>
Cc:        "Barrett Gibson Lyon" <blyon@theshell.com>
Subject:   ypserv giving out encrypted passwords
Message-ID:  <AAEMIFFLKPKLAOJHJANHCEIICEAA.pavalos@theshell.com>

I'm running ypserv as a slave and ypbind on a 4.1-S machine.

Snip from ypserv(8) manpage:

     To make up for this, the FreeBSD version of ypserv handles the
     master.passwd.byname and master.passwd.byuid maps in a special way.
     When the server receives a request to access either of these two maps,
     it will check the TCP port from which the request originated and return
     an error if the port number is greater than 1023.  Since only the
     superuser is allowed to bind to TCP ports with values less than 1024,
     the server can use this test to determine whether or not the access
     request came from a privileged user.  Any requests made by
     non-privileged users are therefore rejected.

This sounds like a wonderful thing, but why only tcp? I don't want people to
ypcat master.passwd and get all the encrypted passwords on my system. I
verified that a ypmatch uses udp on a port >1023 with tcpdump:

ypmatch pavalos master.passwd
pavalos:*SNIPPED*:501:1000::0:0:pavalos:/usr/home/prm/pavalos:/bin/bash
06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108

stun-port       1994/udp   #cisco serial tunnel port

So my question is: Is this a configuration error, or a 'feature' (bug)?


Thanks,

Peter Avalos
TheShell.com

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/ED/B d-(+) s:+> a-- C++$ UBLO++++$ P+ L++++ E- W+ N+ o? K? w(++) !O M-
V- PS+ PE++ Y+ PGP++ t+@ 5 X- R- tv+ b++ DI- D-- G e>+++ h-- r++ y++
------END GEEK CODE BLOCK------
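
An added example, not part of the original message and not FreeBSD code: a small Python check that applies the manpage's privileged-port test to the UDP capture quoted in the message. The server port 778 and the stun-port mapping are taken from the message; the function names are hypothetical.

```python
import re

# Constructed from the message: the two tcpdump lines (re-joined) and the
# /etc/services entry the poster quoted.
SERVICES = "stun-port       1994/udp   #cisco serial tunnel port"
CAPTURE = """\
06:35:27.149969 lithium.theshell.com.stun-port > lithium.theshell.com.778: udp 88
06:35:27.150136 lithium.theshell.com.778 > lithium.theshell.com.stun-port: udp 108
"""

RESERVED = 1024  # per the manpage text, only the superuser binds below this
LINE = re.compile(r"^(\S+) (\S+) > (\S+): udp (\d+)$")

def load_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def split_endpoint(endpoint, proto, services):
    """tcpdump prints host.port; the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, services[(port, proto)]  # KeyError if the name is unknown

def unprivileged_requests(capture, services, server_port):
    """Return UDP packets sent to server_port from a source port >= 1024."""
    hits = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, length = m.groups()
        shost, sport = split_endpoint(src, "udp", services)
        _, dport = split_endpoint(dst, "udp", services)
        if dport == server_port and sport >= RESERVED:
            hits.append({"time": ts, "client": shost,
                         "sport": sport, "len": int(length)})
    return hits

if __name__ == "__main__":
    # 778 is the server-side port seen in the capture above.
    for hit in unprivileged_requests(CAPTURE, load_services(SERVICES), 778):
        print(hit)
```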


