Re: unified authentication
From: Matthew George (mdg_at_secureworks.net)
Date: Thu, 25 Sep 2003 12:58:25 -0400 (EDT)
To: Robert Watson <firstname.lastname@example.org>
On Thu, 25 Sep 2003, Robert Watson wrote:
> Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> access) between a set of trusted hosts, with no modifications to the
> privileged port set, should be fairly safe against unprivileged users
> logged into the machines. The same goes for NFS. If you break any of
> these assumptions, then the security properties go out the window.
It should probably also be noted that when using NIS in a multi-platform
environment, UNSECURE="True" must be set in /var/yp/Makefile. When using
FreeBSD machines only, the passwd maps are generated without password
fields, the master.passwd maps are generated with them, and only requests
from privileged ports (superuser requests) will be given the master.passwd
maps (hence the comment above about modifying the privileged port set).
Other operating systems' NIS implementations require the password fields
to be in the passwd maps, which are available to unprivileged users.
--
Matthew George
SecureWorks Technical Operations
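
Added example, not part of the original message or of FreeBSD's own tooling: a shell check for the exposure described above, which tests whether UNSECURE is enabled in a yp Makefile and counts passwd-map entries that carry a real password field. The function names, the placeholder rules and the sample maps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit helper for an NIS master: are password hashes visible in the
# passwd maps that unprivileged users can read?

# Return 0 if the Makefile has an uncommented UNSECURE assignment.
unsecure_enabled() {
    grep -Eq '^[[:space:]]*UNSECURE[[:space:]]*=' "$1"
}

# Read passwd-format lines on stdin and print how many entries have a
# second field that looks like a hash rather than a placeholder.
# Assumption: "", "x", and fields starting with "*" or "!" are placeholders.
count_exposed_hashes() {
    awk -F: '
        NF >= 7 && $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: passwd map as served with UNSECURE left disabled.
sample_secure_map() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF
}

# Constructed sample: passwd map as served with UNSECURE="True".
# The hash strings are made up and match no real password.
sample_unsecure_map() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:1002:1002:Bob:/home/bob:/bin/sh
EOF
}

echo "secure map, exposed entries:   $(sample_secure_map | count_exposed_hashes)"
echo "unsecure map, exposed entries: $(sample_unsecure_map | count_exposed_hashes)"
```

On a live client, `ypcat passwd | count_exposed_hashes` run from an unprivileged account gives the same count for the real map, and `unsecure_enabled /var/yp/Makefile` checks the setting on the master.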