[Triumf-linux-managers] FYI - yppasswd deprecated
Konstantin Olchanski
olchansk at triumf.ca
Fri Sep 28 22:23:58 PDT 2012
Without yppasswd, how does one change the password on an NIS cluster?
Does the regular passwd work?
From any machine or on the NIS master only?
On both SL5 and SL6?
Have you tested any of these before telling us to remove yppasswd?
K.O.
On Fri, Sep 28, 2012 at 06:36:14PM -0700, Andrew Daviel wrote:
>
> FYI
>
> From the yppasswd manpage:
>
> "In the old days, the standard passwd(1), chfn(1) and chsh(1) tools
> could not be used under Linux to change the users NIS password, shell and
> GECOS information. For changing the NIS information, they were replaced by
> their NIS counterparts, yppasswd, ypchfn and ypchsh.
>
> Today, this (sic) versions are deprecated and should not be used any
> longer."
>
> I noticed that yppasswd was still installed on the compute cluster
> machines, still worked, but generated DES-encrypted passwords instead of
> the MD5 or SHA ones generated by "passwd".
>
> This is a security issue in case a machine is compromised and an attacker
> is able to obtain the shadow file, since DES is much more easily cracked
> (well, guessed) since the algorithm is quicker. Also, DES truncates
> passwords to 8 characters so your supposedly super-strong
> "goldfinger-aardvaark-dissertation-45" gets silently cut to "goldfing",
> opening it up to SSH dictionary attacks (which we try to block, but
> occasionally fail)
>
> Kel has now removed yppasswd from trcomp* and created an RPM for those
> who may wish to disable it on SL5 or SL6.
>
>
> > This is available to SL5 and SL6 machines that were installed
> > with the TRIUMF kickstart or otherwise use the triumf repo.
> > It can be installed with:
>
> > yum install triumf-disable-yppasswd
>
> > I added the description of this rpm to
> > http://ccn.triumf.ca/desktop-computing/linux/triumf-rpms
> > This rpm has no dependencies.
>
>
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> Network Security Manager
>
> _______________________________________________
> Triumf-linux-managers mailing list
> Triumf-linux-managers at lists.triumf.ca
> http://lists.triumf.ca/mailman/listinfo/triumf-linux-managers
--
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
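
Added example, not part of the original thread: one way to find which accounts still carry traditional DES crypt(3) hashes (the kind the quoted message says yppasswd generated) in shadow-format data or an NIS passwd map dump. The function names and the sample entries are assumptions; the hash strings are constructed placeholders of the right shape, not real hashes.

```python
import re

# Constructed sample in shadow(5) layout; hash fields are made-up strings.
SAMPLE = """\
alice:$6$Zq1xYsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV:15611:0:99999:7:::
bob:ab01FAKEfake.:15611:0:99999:7:::
carol:$1$saltsalt$0123456789abcdefghijkl:15611:0:99999:7:::
dave:!!:15611:0:99999:7:::
erin:!ab01FAKEfake.:15611:0:99999:7:::
"""

# Traditional DES crypt: 2 salt chars + 11 hash chars from the [./0-9A-Za-z] alphabet.
# Only the first 8 characters of the password contribute to such a hash.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format prefixes ($id$salt$hash) used by glibc.
MODULAR = {"1": "md5", "5": "sha256", "6": "sha512"}


def classify(field):
    """Return the hashing scheme of one password field."""
    h = field.lstrip("!")          # a leading '!' only marks the account as locked
    if h in ("", "*", "x"):
        return "none"              # no usable hash stored here
    if h.startswith("$"):
        parts = h.split("$")
        return MODULAR.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    if DES_RE.match(h):
        return "des"
    return "unknown"


def weak_accounts(text):
    """List users whose stored hash is traditional DES, locked or not."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        if classify(fields[1]) == "des":
            users.append(fields[0])
    return users


if __name__ == "__main__":
    for user in weak_accounts(SAMPLE):
        print(f"{user}: DES crypt hash, password should be reset with passwd")
```

Locked accounts are reported too, since a DES hash in a leaked shadow file can be guessed offline whether or not the account is currently locked.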