Subject: pseudo-shadowing of passwords with ypserv?
To: None <tech-security@netbsd.org, tech-net@netbsd.org>
From: Keith Moore <moore@cs.utk.edu>
List: tech-net
Date: 10/06/1998 14:06:54
this will come as no surprise to anyone who is familiar with yp,
but we're having some trouble with people stealing the password
file, doing dictionary attacks, and publishing the passwords to
the net. we're still using yp because we have a very heterogeneous
environment (sunos, solaris, hpux, irix, linux, digital unix, ultrix,
netbsd, freebsd, aix), and and we're not aware of any better way
of distributing passwords to all of the machines, at least not
without replacing all of the programs that need to read the password
file. if we have to do that, we'll probably go with kerberos.
but we'd like to find a drop-in solution.
so I hacked the netbsd ypserv so that it special-cased the passwd
maps. if you call it from a privileged port, it returns the
vanilla passwd entry. if you call it from a nonprivileged port,
it substitutes an * for the pwd field. this seems to do the
"right thing" from all of the unix clients we've tested so far.
we understand that it's not perfectly secure, but it does seem
to raise the bar a bit. the reason it works is that the rpc libraries
seem to automatically choose a privileged port if the caller is root.
(it might not work for the occasional "screen lock" program that
just wants to verify the password of the user that ran it, but
that doesn't seem like too mich of a price to pay)
I noticed the code that defined separate maps for the master passwd
files, and restrict access to those. The only problem with this is
that it only works with machines that know to look in the master
passwd maps. But the "special case the passwd maps" seems like
such a nice drop-in solution, that I'm surprised that it's not
being used. I'm wondering, has anyone else tried this and found it
to fail, or does anybody know of a reason why it won't work well?
thanks,
Keith