Date: Tue, 7 Aug 2001 01:43:12 -0700
From: dannyman
To: rsavage@nandomedia.com
Cc: questions@FreeBSD.org
Subject: Re: NIS in FreeBSD
Message-ID: <20010807014312.A14813@toldme.com>
In-Reply-To: ; from rsavage@nandomedia.com on Mon, Aug 06, 2001 at 12:05:36PM -0400
User-Agent: Mutt/1.2.5i

On Mon, Aug 06, 2001 at 12:05:36PM -0400, rsavage@nandomedia.com wrote:

> I don't know who is the proper person to ask this question, so I will
> simply ask you. Do you know if the NIS provided with FreeBSD sends
> "clear-text" passwords over the network at any given time? Thanks.

FreeBSD-questions is a mailing list that any number of people might read. One of us might answer your question.

In your case, NIS does not send clear-text passwords over the network. NIS sends out passwords translated into an encrypted string via a one-way algorithm. The NIS client encrypts the password that the user supplies, and if it is the same as the encrypted string on the NIS master, then the NIS client knows that the password is correct.

The weakness is that as cryptographic theory and CPU power advance, it becomes easier to set computers up to run through likely passwords, encrypting them into the encrypted password string sent in your NIS. For this reason, most modern Unix systems treat the encrypted passwords as trusted local information. NIS requires this information to go over the network.

If you are concerned about security, and you use NIS, you should have a password policy that says users should change their passwords every so often, and that they need to be more difficult to guess than simple dictionary words, and the like.

You may also want to test more secure password hash algorithms. For example, NIS implementations have historically used DES encryption to share passwords. The MD5 encryption scheme that FreeBSD uses by default is harder to run through in this manner.

If your NIS system consists of only FreeBSD hosts, you can make it so that encrypted passwords don't go over the network either. I'm not sure how this works, so you should RTFM if you are interested in this.

In a heterogeneous environment, you might consider alternatives like LDAP over SSL, or Kerberos. There is also NIS+, but anyone I've ever asked has told me that it is too silly to consider.

-danny

--
http://dannyman.toldme.com/
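The check Danny describes (client hashes the typed password with the salt from the map entry and compares it with the stored string) and the DES-versus-MD5 distinction, as an added example that is not part of the original message: a pure-Python rendering of FreeBSD's "$1$" md5crypt, a classifier for the password field of a passwd.byname entry, and two constructed map lines (the account names, the "correct horse" password, the "saltsalt" salt and bob's 13-character DES-style string are all made up here).

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3)-style base-64: low 6 bits first, 'count' characters.
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password, salt):
    # FreeBSD's "$1$" scheme (Poul-Henning Kamp's md5crypt), written out here for illustration.
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(left, 16)])
    bit = len(pw)
    while bit:  # the original's odd bit-walk over the password length
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching: why $1$ is "harder to run through" than DES crypt
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$1${salt.decode()}${enc}{_to64(final[11], 2)}"

def hash_scheme(field):
    # Classify the password field of a passwd.byname entry: "$1$" prefix is MD5,
    # a bare 13-character string in the crypt alphabet is the legacy DES form.
    if field.startswith("$1$"):
        return "md5"
    if len(field) == 13 and all(ch in ITOA64 for ch in field):
        return "des"
    return "other"

def verify(password, field):
    # What the NIS client does: hash the typed password with the salt taken from the
    # map entry and compare. Only $1$ is handled here; DES crypt is left out.
    if hash_scheme(field) != "md5":
        return False
    return hmac.compare_digest(md5crypt(password, field[3:].split("$", 1)[0]), field)

# Constructed sample map lines, not real accounts; bob's field is a made-up DES-style string.
SAMPLE_MAP = ["alice:%s:1001:1001:Alice:/home/alice:/bin/sh" % md5crypt("correct horse", "saltsalt"),
              "bob:abJnggxhB/yWI:1002:1002:Bob:/home/bob:/bin/sh"]
```

Running `hash_scheme` over the second field of each map line is a quick audit for accounts whose entries still carry the DES form that the message calls easier to run through.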