Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Keith Moore <moore@cs.utk.edu>
From: Ignatios Souvatzis <is@jocelyn.rhein.de>
List: tech-net
Date: 10/06/1998 21:29:57
On Tue, Oct 06, 1998 at 02:06:54PM -0400, Keith Moore wrote:

...

> so I hacked the netbsd ypserv so that it special-cased the passwd
> maps.  if you call it from a privileged port, it returns the 
> vanilla passwd entry.  if you call it from a nonprivileged port,
> it substitutes an * for the pwd field.  this seems to do the
> "right thing" from all of the unix clients we've tested so far.
> we understand that it's not perfectly secure, but it does seem
> to raise the bar a bit.  the reason it works is that the rpc libraries
> seem to automatically choose a privileged port if the caller is root.
> (it might not work for the occasional "screen lock" program that
> just wants to verify the password of the user that ran it, but 
> that doesn't seem like too mich of a price to pay)

Let me (at least partially) object: making the occasional screen
lock program fail, is a security problem, too. What do xlock{,more} do? lock?
(That are the in-tree programs that come into my mind). They, at least, 
should be able to deal with this.

Regards,
	-is