Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Keith Moore <moore@cs.utk.edu>
From: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
List: tech-security
Date: 10/07/1998 11:54:46
[tech-net removed; crossposting is evil and tech-security is more
appropriate]

> this will come as no surprise to anyone who is familiar with yp,
> but we're having some trouble with people stealing the password
> file, doing dictionary attacks, and publishing the passwords to
> the net.  we're still using yp because we have a very heterogeneous
> environment (sunos, solaris, hpux, irix, linux, digital unix, ultrix,
> netbsd, freebsd, aix), and we're not aware of any better way
> of distributing passwords to all of the machines, at least not
> without replacing all of the programs that need to read the password 
> file.  if we have to do that, we'll probably go with kerberos.
> but we'd like to find a drop-in solution.
> 
> so I hacked the netbsd ypserv so that it special-cased the passwd
> maps.  if you call it from a privileged port, it returns the 
> vanilla passwd entry.  if you call it from a nonprivileged port,
> it substitutes an * for the pwd field.  this seems to do the
> "right thing" from all of the unix clients we've tested so far.
> we understand that it's not perfectly secure, but it does seem
> to raise the bar a bit.  the reason it works is that the rpc libraries
> seem to automatically choose a privileged port if the caller is root.
> (it might not work for the occasional "screen lock" program that
> just wants to verify the password of the user that ran it, but 
> that doesn't seem like too much of a price to pay)
> 
> I noticed the code that defined separate maps for the master passwd 
> files, and restrict access to those.  The only problem with this is
> that it only works with machines that know to look in the master
> passwd maps.  But the "special case the passwd maps" seems like
> such a nice drop-in solution, that I'm surprised that it's not 
> being used.  I'm wondering, has anyone else tried this and found it
> to fail, or does anybody know of a reason why it won't work well?

if you're running all *bsd clients then master.passwd should work
as expected (although I can't recall if I finished modifying the yp
getpwent routines in libc to use it).

the problem i see with your suggestion is that can you guarantee that
non *bsd clients will work; i.e., do all their clients bind to <1024
if euid==0? i believe that netbsd does it because it was modified
so that if euid==0 it binds a reserved port otherwise it binds
a non reserved port.

it's been a while since i looked at the relevant code; i'll do that
RSN to come up with a definitive answer ;-)
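
The special-casing discussed in this thread, sketched as an added example; it is not the NetBSD ypserv code or code from either poster. The function names, the 1024 constant name and the sample entries are assumptions made for illustration, and the source port only shows that the caller was root on its own host.

```c
#include <stdio.h>
#include <string.h>

#define RESERVED_PORT_LIMIT 1024  /* ports below this need root to bind on Unix */

/* Hypothetical helper: 1 if the request is for one of the passwd maps. */
static int is_passwd_map(const char *map)
{
    return strcmp(map, "passwd.byname") == 0 ||
           strcmp(map, "passwd.byuid") == 0;
}

/*
 * Hypothetical filter applied to a map value before it is returned.
 * For a passwd map queried from a non-reserved source port, the password
 * field (second colon-separated field) is replaced with "*".
 * Returns 0 on success, -1 if the entry is malformed or out is too small;
 * on -1 the caller must not send out to the client.
 */
int filter_yp_value(const char *map, unsigned src_port,
                    const char *val, char *out, size_t outlen)
{
    const char *f1, *f2;
    int n;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (!is_passwd_map(map) || src_port < RESERVED_PORT_LIMIT) {
        /* Other maps, or a caller on a reserved port: value unchanged. */
        n = snprintf(out, outlen, "%s", val);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    f1 = strchr(val, ':');                 /* end of login name */
    f2 = f1 ? strchr(f1 + 1, ':') : NULL;  /* end of password field */
    if (f2 == NULL)
        return -1;                         /* malformed entry: fail closed */
    n = snprintf(out, outlen, "%.*s:*%s", (int)(f1 - val), val, f2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```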