Date: Tue, 7 Aug 2001 09:51:32 -0400 (EDT)
From: rsavage@nandomedia.com
To: dannyman
Subject: Re: NIS in FreeBSD
In-Reply-To: <20010807014312.A14813@toldme.com>
List: freebsd-questions@freebsd.org

I beg to differ! I just set up and tested two FreeBSD 4.3 machines, one as a
master NIS server and the other as a NIS client. When I changed my user's
password on the client, I saw the "clear-text" password while I was sniffing
the box. Did I do something differently? Or not complete?

-R

On Tue, 7 Aug 2001, dannyman wrote:

> On Mon, Aug 06, 2001 at 12:05:36PM -0400, rsavage@nandomedia.com wrote:
> > I don't know who is the proper person to ask this question, so I will
> > simply ask you. Do you know if the NIS provided with FreeBSD sends
> > "clear-text" passwords over the network at any given time? Thanks.
>
> FreeBSD-questions is a mailing list that any number of people might
> read. One of us might answer your question.
>
> In your case, NIS does not send clear-text passwords over the network.
> NIS sends out passwords translated into an encrypted string via a
> one-way algorithm. The NIS client encrypts the password that the user
> supplies, and if it is the same as the encrypted string on the NIS
> master, then the NIS client knows that password is correct.
>
> The weakness is that as cryptographic theory and CPU power advance, it
> becomes easier to set computers up to run through likely passwords,
> encrypting them into the encrypted password string sent in your NIS.
> For this reason, most modern Unix systems treat the encrypted passwords
> as trusted local information. NIS requires this information to go over
> the network.
>
> If you are concerned about security, and you use NIS, you should have a
> password policy that says users should change their passwords every so
> often, and that they need to be more difficult to guess than simple
> dictionary words, and the like. You may also want to test more secure
> password hash algorithms. For example, NIS implementations have
> historically used DES encryption to share passwords. The MD5 encryption
> scheme that FreeBSD uses, by default, is harder to run through in this
> manner.
>
> If your NIS system consists of only FreeBSD hosts, you can make it so
> that encrypted passwords don't go over the network either. I'm not
> sure how this works, so you should RTFM if you are interested in this.
> In a heterogeneous environment, you might consider alternatives like
> LDAP over SSL, or Kerberos. There is also NIS+, but anyone I've ever
> asked has told me that it is too silly to consider.
>
> -danny

--
Rory Savage, Senior Systems Administrator
Nando Media: www.nandomedia.com
email: rsavage@nandomedia.com
919-836-5987 (Office)
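As an added example (not part of this thread or of FreeBSD's NIS code), a small audit over the output of `ypcat passwd` that reports which hash scheme each map entry uses, since Danny's point is that the traditional 13-character DES entries are the ones cheapest to run a wordlist against, while FreeBSD's default `$1$` MD5 crypt is harder. `SAMPLE_MAP` is a constructed stand-in for real map output; the users, hashes and ids in it are made up.

```python
import re

# Constructed sample of what `ypcat passwd` might return from a NIS master.
# Every field here is made up; the formats follow classic crypt(3) output.
SAMPLE_MAP = """\
alice:$1$Zq3k2LxB$h0p1kq7z9v0A5cT3xE2lR/:1001:1001:Alice:/home/alice:/bin/sh
bob:ab/3kVb9lZ2Xc:1002:1002:Bob:/home/bob:/bin/csh
carol:*:1003:1003:Carol (locked):/home/carol:/sbin/nologin
dave::1004:1004:Dave:/home/dave:/bin/sh
"""

# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')


def classify_hash(field):
    """Name the scheme a passwd hash field uses."""
    if field == "":
        return "empty"      # account has no password at all
    if field.startswith("$1$"):
        return "md5"        # MD5 crypt, FreeBSD's default
    if field[0] in "*!":
        return "locked"     # no hash can ever match this
    if DES_RE.match(field):
        return "des"        # traditional DES crypt
    return "unknown"


def audit_passwd_map(text):
    """Return {user: hash_type} for every well-formed 7-field entry."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue        # skip malformed lines rather than guess at them
        result[parts[0]] = classify_hash(parts[1])
    return result


def weak_accounts(text):
    """Users whose entry is either a DES hash or has no password set."""
    return sorted(u for u, t in audit_passwd_map(text).items()
                  if t in ("des", "empty"))


if __name__ == "__main__":
    for user, kind in audit_passwd_map(SAMPLE_MAP).items():
        print(f"{user:<8} {kind}")
    print("review:", ", ".join(weak_accounts(SAMPLE_MAP)))
```

This only looks at the map contents the NIS server hands out; it says nothing about what a password-change request itself carries on the wire, which is what Rory was watching.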