[OpenAFS] Distributing passwd

Nathan Neulinger nneul@umr.edu
Thu, 12 Jun 2003 13:33:03 -0500


> Umm, I think _ALL_ of these have to do with storing the encrypted
> password entry in the NIS database.  As I said, we're using Kerberos
> for authentication so you can leave the password entry as "None"
> (e.g. '*' or 'x') in NIS...  So, iterating over the NIS map doesn't
> help you (no passwords to crack).  You can't compromise a client
> (again, we use Kerberos for authentication, not NIS)...  So you still
> have not provided any reasons not to use NIS for _account_
> information.

Yes, you used krb for auth, but do you prevent regular and passwordless auth from working?

If not, faking the master will get you root on the client.  

I'll freely admit, I use NIS even with these concerns, but they are still
an issue if security is a high priority.
 
-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
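An added example, not part of the original message or of OpenAFS: a small audit of passwd-format map lines (such as the output of `ypcat passwd`) that flags the entries this exchange turns on, namely a password field that is not a placeholder like '*' or 'x', an empty password field, and UID 0 accounts supplied by the map. The function names, the reading of each field value, and the sample entries are assumptions constructed for illustration.

```python
import sys

# Placeholders the thread names for "no password stored in NIS".
LOCKED = {"*", "x"}

def classify_pw(field):
    """Classify the second passwd field (interpretation is an assumption)."""
    if field == "":
        return "empty"   # passwordless login if the client still honours it
    if field in LOCKED or field[0] in "!*":
        return "locked"  # placeholder, no hash stored in the map
    return "hash"        # crypt string exposed to anyone who can read the map

def audit(lines):
    """Return (username, finding) tuples for passwd-format map lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            findings.append((parts[0], "malformed entry"))
            continue
        name, pw, uid = parts[0], parts[1], int(parts[2])
        kind = classify_pw(pw)
        if kind == "empty":
            findings.append((name, "empty password field"))
        elif kind == "hash":
            findings.append((name, "password hash present in map"))
        if uid == 0:
            findings.append((name, "UID 0 supplied by map"))
    return findings

# Constructed sample entries, not taken from any real map.
SAMPLE = [
    "alice:*:1001:100:Alice:/home/alice:/bin/bash",
    "bob:x:1002:100:Bob:/home/bob:/bin/bash",
    "carol::1003:100:Carol:/home/carol:/bin/bash",
    "dave:CONSTRUCTEDHASH:1004:100:Dave:/home/dave:/bin/sh",
    "toor:*:0:0:second root:/root:/bin/sh",
    "broken:line",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for name, finding in audit(source):
        print(f"{name}: {finding}")
```

This checks only the map as it is currently served; whether a client would act on such entries depends on whether it still accepts non-Kerberos logins, which is the question raised in the message.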