
Re: [suse-security] password change on NIS as root?



Dear Bjorn,

Thanks for the hint about rpasswd. It is well described in
http://howto.zgp.org/NIS-HOWTO/rpasswdd.html, and provides a way for users
as well as administrators to change passwords.

But I was very surprised that rpasswdd works without you needing to create
an entry in /etc/hosts.allow. So although rpasswd fixes one security hole
by preventing plaintext passwords going across the network, it potentially
opens up another. With our old setup, even if someone managed to discover
the root password it was useless to them unless they also knew an
administrator's regular password, because neither ssh nor su let them gain
root privilege except from a very small number of accounts. But now they
can run rpasswd from any machine on the campus and rpasswdd will
happily let them change any user's password.

Does anyone have any comments on this? Am I missing something?

Bob
==============================================================
Bob Vickers                     R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691
