Re: unified authentication

From: Matthew George (mdg_at_secureworks.net)
Date: 09/25/03

    Date: Thu, 25 Sep 2003 12:58:25 -0400 (EDT)
    To: Robert Watson <rwatson@freebsd.org>
    
    

    On Thu, 25 Sep 2003, Robert Watson wrote:

    > Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
    > access) between a set of trusted hosts, with no modifications to the
    > privileged port set, should be fairly safe against unprivileged users
    > logged into the machines. The same goes for NFS. If you break any of
    > these assumptions, then the security properties go out the window.

    It should probably also be noted that when using NIS in a multi-platform
    environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
    FreeBSD machines only, the passwd maps are generated without password
    fields, the master.passwd maps are generated with them, and only requests
    from privileged ports (superuser requests) will be given the master.passwd
    maps (hence the comment above about modifying the privileged port set).
    Other operating systems' NIS implementations require the password fields
    to be in the passwd maps, which are available to unprivileged users.

    -- 
    Matthew George
    SecureWorks Technical Operations
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
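
An audit check for the exposure described in the message above, as an added example that is not part of the original post or of FreeBSD's own tooling. The function names, file names and sample data are constructed for illustration, and the map dumps are assumed to be in standard passwd format, as captured with `ypcat passwd` from an unprivileged account.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data is constructed.

# Report "insecure" when a yp Makefile has an active (uncommented) UNSECURE
# setting, i.e. password fields are put into the passwd maps.
nis_makefile_mode() {
    if grep -Eq '^[[:space:]]*UNSECURE[[:space:]]*=[[:space:]]*"?True"?' "$1"; then
        echo insecure
    else
        echo secure
    fi
}

# Print login names whose password field holds something other than a
# placeholder. Assumption: an empty field, "x", or a leading "*" or "!"
# means no hash is present in the map.
exposed_accounts() {
    awk -F: 'NF >= 7 && $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Constructed inputs: two Makefile fragments and two passwd map dumps.
write_samples() {
    printf '%s\n' '# default' '#UNSECURE = "True"' > "$1/Makefile.default"
    printf '%s\n' '# multi-platform' 'UNSECURE = "True"' > "$1/Makefile.multi"
    cat > "$1/passwd.freebsd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/csh
EOF
    cat > "$1/passwd.unsecure" <<'EOF'
alice:$1$CONSTRUCTED$notarealhashvalue000000:1001:1001:Alice:/home/alice:/bin/sh
bob:*LOCKED*:1002:1002:Bob:/home/bob:/bin/csh
EOF
}

d=$(mktemp -d) && write_samples "$d"
for f in Makefile.default Makefile.multi; do
    echo "$f: $(nis_makefile_mode "$d/$f")"
done
for f in passwd.freebsd passwd.unsecure; do
    echo "$f exposed: $(exposed_accounts "$d/$f" | tr '\n' ' ')"
done
rm -rf "$d"
```

Any name printed by `exposed_accounts` for a dump taken without privileges is a hash that every NIS client user can read.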
    
