Re: Sparc Solaris NIS client Linux NIS server

On Sat, 10 Dec 2005 22:21:39 +0000, dogdo wrote:

> On Sat, 10 Dec 2005 17:49:28 +0000, Chris Cox wrote:
>
>> dogdog@xxxxxxxxxxx wrote:
>>> I'm cross posting this from comp.unix.solaris in hopes
>>> that the linux admins can help or have had similiar
>>> experience.
>>>
>>> Sunfire V240 Solaris 8 02/04. I've configured it as a
>>> nis client. I logon as root (local account). Verify that it sees
>>> the nis master (ypwhich), verified that it can cat the hosts file
>>> (ypcat hosts), verified that it can see the passwd file (ypcat
>>> passwd). These all work. I have also the ability to (when logged
>>> in as root) su - <username> and become a user (whereas the user
>>> is a NIS user with account information and home directory on the
>>> Linux NIS server). What I cant do is logon via the CDE logon
>>> screen. I get the "incorrect logon" error.
>>>
>>> I've ran ethereal to check the connection and the closest anomaly
>>> I found was that when logging on the Solaris box via CDE it is not sending
>>> the logon credentials to the Linux NIS server, therefore not getting a response
>>> back that its a valid logon. Now, this isnt the end. I also ran
>>> ethereal against a telnet session to the solaris box, and I did see
>>> it send the username over the wire to the NIS server, but again
>>> got an incorrect logon error.
>>>
>>> Has anyone seen this?? I'm thinking a patch or something since the
>>> sparc is freshly built with no patches.
>>
>> NIS doesn't "send the username/password" over the wire, ... well
>> not the way you make it sound. It merely looks them up out of
>> the NIS tables available to the client (which do go across the
>> wire or out of cache... which I don't recommend).
>>
>> We replaced our Solaris NIS server with a Linux one years ago.
>> Everything works fine. Including logging on using CDE on those
>> clients.
>>
>> Check your nsswitch.conf on your Solaris client.
>
> I'll check over the nsswitch.conf and verify that its right. But
> I'd differ on the not sending the information over the wire.
> From what I've seen on an ethereal dump its certainly sending
> the username over and requesting verification, if this is a lookup
> or not is basically unimportant since the information is on the
> wire and is trying to verify
> based on a NIS map and it is responding
> back, I can verify if its the shadowed passwd or not but I believe
> it may be. Its always been my understanding, other than the ability
> to just simply ypcat passwd, that this is one of the inherent
> insecurities with NIS. I can say that I did see the username
> going in the clear.
> Thanks for your input.

I did verify this and it certainly does push the information
available in the map across the wire. I was able to not only
watch the logon credentials but also see the password go back.
I verified the information and it was the md5 hash as placed
in the shadow. Therefore I'd say that the NIS as a whole does
allow for a user on the network, at least in this configuration,
to watch the wire and obtain logon information and the hashed
password. Then again
the user could alway just ypcat the passwd and see that information
also. As for cracking a hashed/encrypted password that can be
anywhere from trivial to quite time consuming. I'm always under
the idea that if it can be encrytped it certainly can be decrypted.
Theres nothing inpenetrable.

.

Relevant Pages