COMMAND

    NIS

SYSTEMS AFFECTED

    RedHat 6.1

PROBLEM

    Stefan Laudat found the following.  The dish of the day is the Yellow
    Pages/NIS (NYS?) suite shipped with the pristine RedHat 6.1.  After a
    standard blank installation, rpc.yppasswd (when used via yppasswd by
    domain lusers from all over the place) shamelessly uses the old
    (deprecated?) 8-character-limited DES password encryption,
    butt-slapping the idea of site security and raising from their graves
    old pwcracks and John the Rippers that could easily brute-force your
    password files.  Thus your new shiny MD5-crypted shadow is gone, and
    the 8-char passwords are back.

    However, this is required to make it NIS(YP); otherwise it won't be
    able to interoperate with other systems running NIS.  The MD5 and
    other alternate password formats are Linux/BSD extensions to the
    password table/map that are not available in a lot of other UNIX
    systems.  Handing out MD5-encrypted passwords means that it is no
    longer NIS(YP) but some Linux extension; if a commercial vendor did
    this, lots of people would complain about proprietary incompatible
    extensions to an open protocol.  Secondly, the encryption algorithm
    used in traditional UNIX passwords is not itself limited to 8 chars.
    Traditionally, passwords in UNIX were limited to 8 chars because
    login and friends called getpass(), which is defined to return a
    string of 8 chars + null.  Now Solaris, Linux and possibly others use
    PAM, and the PAM conversation functions tend to call getpassphrase()
    or other functions (possibly GUIs) that make the new limit 256 chars.

    This was tested only with RedHat 6.1, but some of you may have the
    opportunity to test it with other new Linux distributions; if it
    works, please announce.
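
    One way to check whether a domain is affected is to audit the passwd
    map that ypserv hands out and see which accounts still carry the
    13-character DES hashes described above.  The script below is an
    added example, not part of the original advisory; the account names
    and hashes in SAMPLE_MAP are constructed, and the input format is
    assumed to be the colon-separated lines printed by `ypcat passwd`.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt, the "shadow" format the advisory says RedHat 6.1 normally uses.
_MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# glibc SHA-256 ($5$) / SHA-512 ($6$) crypt, for maps built on newer systems.
_SHA_RE = re.compile(
    r"^\$(?P<id>5|6)\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43,86}$")

# Constructed sample of `ypcat passwd` output; users and hashes are made up.
SAMPLE_MAP = """\
alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/bash
bob:$1$Y0s3Lt5K$7rPvpkEkBIrQ9z/4ufE2w1:1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Locked:/home/carol:/sbin/nologin
dave::1004:100:No password:/home/dave:/bin/bash
erin:x:1005:100:Shadowed:/home/erin:/bin/bash
"""


def classify_hash(field: str) -> str:
    """Name the password-hash format found in a passwd-map password field."""
    if field == "":
        return "empty"        # no password at all
    if field == "x":
        return "shadowed"     # hash is not in this map
    if field[0] in "*!":
        return "locked"       # password login disabled
    if _DES_RE.match(field):
        return "des"          # 8-character-limited traditional crypt
    if _MD5_RE.match(field):
        return "md5"
    m = _SHA_RE.match(field)
    if m:
        return "sha256" if m.group("id") == "5" else "sha512"
    return "unknown"


def audit_passwd_map(map_text: str) -> dict:
    """Parse ypcat-style passwd lines into {user: hash_kind}."""
    result = {}
    for line in map_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or line.startswith("#"):
            continue          # skip blank, comment or malformed entries
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(map_text: str) -> list:
    """Users whose map entry exposes a DES hash or has no password set."""
    kinds = audit_passwd_map(map_text)
    return sorted(u for u, k in kinds.items() if k in ("des", "empty"))


if __name__ == "__main__":
    for user, kind in audit_passwd_map(SAMPLE_MAP).items():
        print(f"{user:8s} {kind}")
    print("weak:", weak_accounts(SAMPLE_MAP))
```

    Feed it real output with `ypcat passwd | python3 audit.py` after
    replacing SAMPLE_MAP with sys.stdin.read().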

SOLUTION

    Protect your NIS ports as required in the ypserv config files.  It
    would be much better to run NIS+ or LDAP as your naming service if
    you are concerned about people running password crackers over your
    passwd table/map.  NIS+ and LDAP allow you to control which users
    can actually see the encrypted password when a getpw*() call is
    made.  This can be done because they have the concept of row and
    column permissions, much like a standard UNIX filesystem.

    NIS has several other fundamental security shortcomings that have
    been solved in NIS+ and other more modern naming services.  If you
    are concerned about the security of your naming service, you really
    shouldn't be using NIS at all.