[OpenAFS] Distributing passwd

Nathan Neulinger nneul@umr.edu
Fri, 13 Jun 2003 08:25:18 -0500


> Ok, this certainly can be an issue, but only in the sense of gaining
> inappropriate local access.  In a Kerberos/AFS environment the only
> thing you need to check for is UID=0 (as empty password doesn't
> matter).  Does it really matter if a user logs in as UID=1023 or
> UID=14273?

Actually I believe it's pretty well accepted that getting sys, bin, or any
of the system uids can relatively easily lead to getting root.

> > Disabling passwordless login can hinder #3, but the attacker can just
> > substitute the hash of a known password there.  #2 isn't worth worrying
> > about.  #1 can be solved using ipchains, ipf, or whatever to block access
> > from subnets that shouldn't have access.
> 
> Actually, nope, #3 isn't an issue in a Kerberos environment as I've
> mentioned, because the password field in NIS is empty/ignored.

And the suggestion of overriding with "*" or "kerberos" - at the client, when
it references the netgroup or user in the pw file, as opposed to just on the
server - can also help here...
 
> > So, this is getting a bit off-topic.
> 
> Agreed...  but my point is that in a combined NIS/Kerberos environment
> most of the security flaws of NIS don't exist anymore.

Agreed. There's always room for minor improvement though.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
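As an added illustration of the checks discussed above (this is not code from the thread participants or from OpenAFS), the script below audits a passwd(5)-format map, such as a dumped NIS passwd map, for the two things the exchange singles out: extra UID 0 entries and low "system" UIDs like sys or bin, plus empty password fields. It also produces the client-side variant in which every password field is overridden with "*" so a distributed hash or empty field is never consulted by local login. The sample map and the system-UID cutoff of 99 are constructed assumptions for the example.

```python
"""Audit a passwd(5)-format map for the conditions discussed in the thread.

Added example, not code from the OpenAFS project or the thread participants.
The sample map and SYSTEM_UID_MAX are constructed for illustration.
"""

# Assumption: UIDs 1..99 are treated as system accounts (sys, bin, ...).
SYSTEM_UID_MAX = 99

# Constructed sample map in passwd(5) format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD_MAP = """\
root:x:0:0:root:/root:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
bin::2:2:bin:/bin:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
alice:x:1023:100:Alice:/home/alice:/bin/sh
bob::14273:100:Bob:/home/bob:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit(entries, system_uid_max=SYSTEM_UID_MAX):
    """Return (account, finding) pairs for the conditions the thread discusses."""
    findings = []
    for e in entries:
        # Any UID 0 entry other than root is a second superuser account.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        # An empty field means passwordless login wherever the map is honoured.
        if e["password"] == "":
            findings.append((e["name"], "empty password field"))
        # Low UIDs (sys, bin, ...) own system files and are a step from root.
        if 0 < e["uid"] <= system_uid_max:
            findings.append((e["name"], "system UID"))
    return findings


def lock_password_fields(entries, marker="*"):
    """Rewrite the map with every password field replaced by `marker`.

    This is the client-side override the thread suggests: whatever hash or
    empty field the NIS server distributes, local login never consults it.
    """
    return [
        ":".join([e["name"], marker, str(e["uid"]), str(e["gid"]),
                  e["gecos"], e["home"], e["shell"]])
        for e in entries
    ]


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD_MAP)
    for account, finding in audit(parsed):
        print(f"{account}: {finding}")
    print("--- locked map ---")
    print("\n".join(lock_password_fields(parsed)))
```

Run it against a real map with `ypcat passwd | python3 audit_passwd.py` after swapping `SAMPLE_PASSWD_MAP` for `sys.stdin.read()`; the empty-field finding is informational in a Kerberos-backed login setup but still worth locking, which is what the "*" override does.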