Re: NIS security advisory : password method downgrade
Subject: Re: NIS security advisory : password method downgrade
From: Thorsten Kukuk (kukuk@SUSE.DE)
Date: Mon Jan 24 2000 - 00:58:58 CST
- Next message: harikiri: "VMware 1.1.2 Symlink Vulnerability"
- Previous message: Darren Moffat - Solaris Sustaining Engineering: "Re: NIS security advisory : password method downgrade"
- In reply to: Stefan Laudat: "NIS security advisory : password method downgrade"
- Reply: Thorsten Kukuk: "Re: NIS security advisory : password method downgrade"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
On Sat, Jan 22, Stefan Laudat wrote:
>
> Hello all,
>
> I've seen that some of you noticed a lot of features about
> programs that downgrade the encryption method of the passwords from
> MD5 to DES and that should be a shame to distribution packagers.
> The dish of the day is the Yellow Pages/NIS (NYS?) suite
> shipped with the pristine RedHat 6.1. After a standard blank installation
> the rpc.yppasswd (when used via yppasswd by domain lusers from all over the
> place) shamelessly uses the old (deprecated?) 8-character-limited DES
> password encryption, butt-slapping the idea of site security and
> raising from their graves old pwcracks and John the Rippers that
> could easily bruteforce into your password files. Thus your new shiny MD5
> crypted shadow is gone, and the 8-chars passwords are back.
This is wrong. rpc.yppasswdd doesn't encrypt any passwords, it only
saves the encrypted new password which it gets from the client.
It works perfectly, since you can send rpc.yppasswdd MD5 hashes as
password and it will not change this back to DES encryption.
> I've tested this only with RedHat 6.1 but some of you may have
> the opportunity to test it with other new Linux distributions and
> if it works please announce.
Then the yppasswd client is not able to handle MD5 hashes. My pam_unix
module for the next SuSE Linux release can handle this if you don't
use yppasswd, but /bin/passwd.
> To Aleph1: do not ask for a patch as in previous bounced messages,
> I do not intend to take part or involve myself in the YP development team,
> nor in the ssh team. As a full end-user I do not care about them.
> To everyone: protect your NIS ports as required in the
> ypserv config files.
> To NYS team: please provide patches for this, I love NIS, and
> do not make SuSE a RedHat clone (as it is), they both suck.
Sorry, but SuSE Linux is NO RedHat clone and there already exist PAM modules
which can handle this. And the NIS development is done by SuSE.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.
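The thread's point is that the downgrade happens in the yppasswd client, not in rpc.yppasswdd, so the place to catch it is the stored hash itself. An added example, not from the thread or from any of the projects named: a Python check that classifies the hash field of passwd/shadow-style lines as `ypcat shadow` would print them, and flags entries that have become traditional DES crypt (13 characters, 8-character passphrase limit) or are empty. The sample lines and hashes are constructed.

```python
#!/usr/bin/env python3
"""Flag NIS passwd/shadow entries whose hash is traditional DES crypt.

Added example, not from the thread. Input is constructed to resemble
`ypcat shadow` output; the rules are the standard crypt(3) formats.
"""
import re
from typing import List, Tuple

# 13 chars from the crypt alphabet: 2-char salt + 11-char DES output.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt prefixes and the scheme they identify.
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$2a$": "bcrypt", "$2b$": "bcrypt"}


def classify_hash(field: str) -> str:
    """Return the scheme name of a passwd/shadow hash field."""
    if field == "":
        return "empty"          # no password at all: login without one
    if field == "x":
        return "shadowed"       # real hash lives in the shadow map
    if field[0] in "*!":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def find_downgraded(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, scheme) for entries that are DES, empty or unknown.

    An account that flips from $1$ to a 13-char DES hash (the downgrade
    described above) shows up here however it got that way.
    """
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.rstrip("\n").split(":")
        if len(parts) < 2:
            continue
        scheme = classify_hash(parts[1])
        if scheme in ("des", "empty", "unknown"):
            flagged.append((parts[0], scheme))
    return flagged


# Constructed sample resembling `ypcat shadow` output (hashes are fake).
SAMPLE = [
    "alice:$1$Zx9Q1abc$0000000000000000000000:10980:0:99999:7:::",
    "bob:ab0123456789Z:10980:0:99999:7:::",
    "carol:!$1$Zx9Q1abc$0000000000000000000000:10980:0:99999:7:::",
    "dave:$6$saltsalt$000:10980:0:99999:7:::",
    "eve::10980:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme in find_downgraded(SAMPLE):
        print(f"{user}: {scheme}")
```

Run it against `ypcat shadow` output (or `ypcat passwd` on maps without a shadow map) to list accounts whose stored hash is limited to 8-character passphrases.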
This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 22:15:43 CST