Re: overcome NIS
- From: Menno Duursma <menno@xxxxxxxxxxx>
- Date: Sat, 03 Dec 2005 01:47:36 +0100
On Sat, 03 Dec 2005 00:05:10 +0000, John Thompson wrote:
> AFAIK, NIS doesn't transmit passwords over the network,
It does when changing passwords (although there are workarounds to this,
of course.)
> just the hashes
Which I'd still consider rather risky ...
> so each machine can use the hashes to authenticate.
/Only/ to authenticate users against! (Master and slave servers don't
authenticate each other at all, nor do they clients, or clients them.)
> If someone has the access to sniff these NIS exchanges
Let me guess: they'll race (or MITM) the server's replies and inject
packets to put themselves into whatever groups they like?
> to pick up the hashes,
They need not even sniff the wire for this (mitigating antisniff here.)
They'd only need administrative access to the host they're connecting to the
subnet with, and know your master and domainname ...
> there's something else seriously wrong with your security that isn't
> directly related to NIS,
How so?
> and that person still needs to crack the hash (no trivial task) to find
> the password.
A matter of time (if there are many accounts, probably not much though.)
--
-Menno.