unified authentication

Matthew George mdg at secureworks.net
Thu Sep 25 09:58:51 PDT 2003


On Thu, 25 Sep 2003, Robert Watson wrote:

> Running NIS on a trusted IP network (i.e., no spoofing, no direct wire
> access) between a set of trusted hosts, with no modifications to the
> privileged port set, should be fairly safe against unprivileged users
> logged into the machines.  The same goes for NFS. If you break any of
> these assumptions, then the security properties go out the window.

It should probably also be noted that when using NIS in a multi-platform
environment, UNSECURE="True" must be set in /var/yp/Makefile.  When using
FreeBSD machines only, the passwd maps are generated without password
fields, the master.passwd maps are generated with them, and only requests
from privileged ports (superuser requests) will be given the master.passwd
maps (hence the comment above about modifying the privileged port set).
Other operating systems' NIS implementations require the password fields
to be in the passwd maps, which are available to unprivileged users.

-- 
Matthew George
SecureWorks Technical Operations
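
An added example, not part of the original message: a shell audit for the setting described above. It checks a copy of /var/yp/Makefile for an uncommented UNSECURE="True" and lists the accounts in a passwd-format map dump whose password field carries a hash. The function names and sample data are constructed for illustration; on a real NIS client the map input would be the saved output of `ypcat passwd`.

```shell
#!/bin/sh
# Added example: audit helpers for the NIS UNSECURE setting discussed above.
# All sample data below is constructed.

# Exit 0 if the given Makefile has an uncommented UNSECURE = "True" line.
unsecure_enabled() {
    awk '
        /^[ \t]*#/ { next }                 # skip commented-out lines
        /^[ \t]*UNSECURE[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)     # keep only the assigned value
            gsub(/"/, "", v)                # drop the quotes
            sub(/[ \t]+$/, "", v)           # drop trailing whitespace
            if (tolower(v) == "true") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print login names from passwd-format lines (name:pw:uid:gid:gecos:home:shell)
# whose password field holds a hash instead of a placeholder.
exposed_hashes() {
    awk -F: '
        NF < 7 { next }                                   # not a passwd entry
        $2 == "" || $2 == "x" || $2 ~ /^[*!]/ { next }    # placeholder or locked
        { print $1 }
    ' "$1"
}

# Constructed sample inputs so the example runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/Makefile" <<'EOF'
# constructed excerpt of a /var/yp/Makefile
#NOPUSH = "True"
UNSECURE = "True"
EOF
cat > "$tmp/passwd.map" <<'EOF'
alice:$1$constructed$0123456789abcdefghijkl:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
EOF

if unsecure_enabled "$tmp/Makefile"; then
    echo "UNSECURE is set: password hashes are written into the passwd maps"
fi
echo "accounts with hashes readable from the passwd map:"
exposed_hashes "$tmp/passwd.map"
```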


