[Triumf-linux-managers] FYI - yppasswd deprecated
Andrew Daviel
advax at triumf.ca
Fri Sep 28 18:36:14 PDT 2012
FYI
From the yppasswd manpage:
"In the old days, the standard passwd(1), chfn(1) and chsh(1) tools
could not be used under Linux to change the users NIS password, shell and
GECOS information. For changing the NIS information, they were replaced by
their NIS counterparts, yppasswd, ypchfn and ypchsh.
Today, this (sic) versions are deprecated and should not be used any
longer."
I noticed that yppasswd was still installed on the compute cluster
machines, still worked, but generated DES-encrypted passwords instead of
the MD5 or SHA ones generated by "passwd".
This is a security issue in case a machine is compromised and an attacker
is able to obtain the shadow file, since DES is much more easily cracked
(well, guessed) since the algorithm is quicker. Also, DES truncates
passwords to 8 characters so your supposedly super-strong
"goldfinger-aardvaark-dissertation-45" gets silently cut to "goldfing",
opening it up to SSH dictionary attacks (which we try to block, but
occasionally fail).
Kel has now removed yppasswd from trcomp* and created an RPM for those
who may wish to disable it on SL5 or SL6.
> This is available to SL5 and SL6 machines that were installed
> with the TRIUMF kickstart or otherwise use the triumf repo.
> It can be installed with:
> yum install triumf-disable-yppasswd
> I added the description of this rpm to
> http://ccn.triumf.ca/desktop-computing/linux/triumf-rpms
> This rpm has no dependencies.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
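Added example, not part of the original message or of TRIUMF's tooling: a Python script that classifies the password field of shadow-format lines (or `ypcat passwd` output, which keeps the hash in the same second field) by crypt(3) scheme and lists the accounts still carrying traditional DES hashes, such as those set through yppasswd. The sample entries are constructed and the function names are hypothetical.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes used by glibc crypt(3).
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}

def classify(field):
    """Return the hash scheme of one password field."""
    h = field.lstrip("!")          # "!" marks a locked account; the hash may follow
    if h in ("", "*"):
        return "nologin"           # no usable password hash
    if h == "x":
        return "shadowed"          # passwd entry whose hash lives in the shadow file
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    if DES_RE.match(h):
        return "des"               # only the first 8 password characters were hashed
    return "unknown"

def audit(lines):
    """Map each user name to the scheme of its password field."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2:
            result[parts[0]] = classify(parts[1])
    return result

def des_users(lines):
    """Accounts whose password should be reset with passwd(1)."""
    return sorted(u for u, s in audit(lines).items() if s == "des")

# Constructed sample entries (not real hashes).
SAMPLE = [
    "alice:abCDEFGHIJK12:15611:0:99999:7:::",
    "bob:$1$constrct$" + "B" * 22 + ":15611:0:99999:7:::",
    "carol:$6$constructedsalt$" + "C" * 86 + ":15611:0:99999:7:::",
    "dave:!!:15611::::::",
    "erin:!xy0123456789A:15611:0:99999:7:::",
]

if __name__ == "__main__":
    for user in des_users(SAMPLE):
        print(f"{user}: DES crypt hash, reset with passwd")
```

A locked account is still reported when a DES hash follows the "!" marker, since unlocking it would restore the truncated password.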