[NTLUG:Discuss] Kerberos and Linux

Chris Cox cjcox at acm.org
Sun Feb 5 13:51:51 CST 2006


Leroy Tennison wrote:
> Chris Cox wrote:
... NIS info snipped.
>>
> (Finally getting back to this)  Thanks for your reply, I'll have to try
> it without the passwords (If I remember correctly I hear that passwords
> in NIS are stored in clear text and transmitted in clear text, I hear
> that NIS+ solves the 'transmitted in clear text' problem but won't be
> available as a server for Linux - what, if any, of this is true?)
> 

NIS transmits a DES encrypted password in the clear.  DES is
brute force hackable... so you can just gather up all of the
passwords:

ypcat passwd

and then use something like John the Ripper to break them.

Because of the way some things work, you can't just have
NO password... (e.g. ! or x for the DES encrypted password), you'll
have to prepopulate it.  Just select something that is
untypable... or choose an arbitrary string (though that
is somewhat risky since it could be possible to brute
force a password that would hash to that DES value).

NIS+ is the wrong answer.  Sun knows this and will likely
deprecate NIS+ (only widely used in Sun environments) before they
deprecate NIS (used everywhere).

NIS is a good solution for passing data around as long as the
set of information isn't too large.  Again, NIS is ok for
the low thousands of users (possibly up to 10,000 depending
on the scenario).
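
An added example (not part of the original post): a Python audit of `ypcat passwd` output that sorts each entry's password field by whether it could be a traditional DES crypt output, since those are the fields any NIS client can collect and guess against offline. The sample map, the account names and the category labels are constructed for illustration.

```python
import re

# crypt(3) base-64 alphabet used by traditional DES crypt.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# 2 salt characters + 11 hash characters.
DES_SHAPE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_field(pw):
    """Classify the password field of one passwd-map entry."""
    if pw == "":
        return "empty"              # account needs no password at all
    if pw.startswith("$"):
        return "other-hash"         # modular crypt format, still exposed by the map
    # The 11 hash characters carry 64 bits, so the last one holds only 4 bits
    # and its alphabet index is always a multiple of 4.
    if DES_SHAPE.match(pw) and ALPHABET.index(pw[-1]) % 4 == 0:
        return "des-crypt"          # some password may hash to this value
    return "not-des-output"         # traditional DES crypt cannot produce this string


def audit(lines):
    """Map each login name in passwd-format lines to a classification."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[fields[0]] = "malformed"
            continue
        report[fields[0]] = classify_field(fields[1])
    return report


# Constructed sample of what `ypcat passwd` prints; no real accounts or hashes.
SAMPLE = """\
alice:ab01FAX.bQRSU:1001:100:Alice:/home/alice:/bin/sh
svc:NOLOGINxxxxx1:1002:100:Service:/nonexistent:/bin/false
bob::1003:100:Bob:/home/bob:/bin/sh
carol:$1$abcdefgh$0123456789abcdefghijkl:1004:100:Carol:/home/carol:/bin/sh
broken:x:1
"""

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE.splitlines()).items():
        print(f"{user:8} {verdict}")
```

Feed it real data with `ypcat passwd | python3 script.py` after swapping `SAMPLE.splitlines()` for `sys.stdin`.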



