4719654 2000-01-24  04:38  /52 lines/ Postmaster
Recipient: Bugtraq (import) <9459>
Subject: NIS security advisory : password method downgrade
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Operating-System: Linux ns 2.2.13
Message-ID:  <20000122011507.A30744@asit.ro>
Date:         Sat, 22 Jan 2000 01:15:07 +0200
Reply-To: Stefan Laudat <stefan@ASIT.RO>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Stefan Laudat <stefan@ASIT.RO>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM


		Hello all,

	I've seen that some of you noticed a lot of features about
programs that downgrade the encryption method of the passwords from
MD5 to DES and that should be a shame to distribution packagers.
	The dish of the day is the Yellow Pages/NIS (NYS?) suite
shipped with the pristine RedHat 6.1. After a standard blank
installation the rpc.yppasswd (when used via ypasswd by  domain
lusers from all over the place) shamelessly uses the old
(deprecated?) 8-character-limited des password encryption,
butt-slapping the idea of site security and raising from their graves
old pwcracks and John the Rippers that could easily bruteforce into
your password files. Thus your new shiny md5 crypted shadow is gone,
and the 8-chars passwords are back.
	I've tested this only with RedHat 6.1 but some of you may have
the opportunity to test it with other new Linux distributions and
if it works please announce.
	To Aleph1: do not ask for a patch as in previous bounced messages,
i do not intend to take part or get involved in the YP development team,
nor in the ssh team. As a full end-user I do not care about them.
	To everyone: protect your NIS ports as required in the
ypserv config files.
	To NYS team: please provide patches for this, I love NIS, and
do not make SuSE a RedHat clone (as it is), they both suck.
	To kiddies: just press delete and move along next post, you are
too dumb to run a password cracker.

still unemployed,
--

Stefan Laudat
Data Networks Analyst
ASIT SA
----------------------------------------------------------------
Skills page http://www.tekmetrics.com/transcript.shtml?pid=30777
----------------------------------------------------------------

HELP!!!! I'm being held prisoner in /usr/games/lib!
(4719654) ------------------------------------------(Reflowed)

4724084 2000-01-25  03:47  /66 lines/ Postmaster
Recipient: Bugtraq (import) <9485>
Subject: Re: NIS security advisory : password method downgrade
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000124075858.A11549@Wotan.suse.de>
Date:         Mon, 24 Jan 2000 07:58:58 +0100
Reply-To: Thorsten Kukuk <kukuk@SUSE.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Thorsten Kukuk <kukuk@SUSE.DE>
X-To:         Stefan Laudat <stefan@ASIT.RO>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000122011507.A30744@asit.ro>; from Stefan Laudat on Sat 
             Jan 22, 2000 at 01:15:07AM +0200

Hi,

On Sat, Jan 22, Stefan Laudat wrote:

> 	
> 		Hello all,
> 	
> 	I've seen that some of you noticed a lot of features about
> programs that downgrade the encryption method of the passwords from
> MD5 to DES and that should be a shame to distribution packagers.
> 	The dish of the day is the Yellow Pages/NIS (NYS?) suite
> shipped with the pristine RedHat 6.1. After a standard blank installation
> the rpc.yppasswd (when used via ypasswd by  domain lusers from all over the
> place) shamelessly uses the old (deprecated?) 8-character-limited des
> password encryption, butt-slapping the idea of site security and
> raising from their graves old pwcracks and John the Rippers that
> could easily bruteforce into your password files. Thus your new shiny md5
> crypted shadow is gone, and the 8-chars passwords are back.

This is wrong. rpc.yppasswdd doesn't encrypt any passwords, it only
saves the encrypted new password which it gets from the client.
It works perfectly, since you can send rpc.yppasswdd md5 hashes as
password and it will not change this back to DES encryption.

> 	I've tested this only with RedHat 6.1 but some of you may have
> the opportunity to test it with other new Linux distributions and
> if it works please announce.

Then the yppasswd client is not able to handle md5 hashes. My pam_unix
module for the next SuSE Linux release can handle this if you don't
use yppasswd, but /bin/passwd.

> 	To Aleph1: do not ask for a patch as in previous bounced messages,
> i do not intend to take part or envolve in the YP developement team as
> neither in the ssh team. As a full end-user I do not care about them.
> 	To everyone: protect your NIS ports as required in the
> ypserv config files.
> 	To NYS team: please provide patches for this, I love NIS, and
> do not make SuSE a RedHat clone (as it is), they both suck.

Sorry, but SuSE Linux is NO RedHat clone and there already exist PAM
modules which can handle this. And the NIS development is done by SuSE.

  Thorsten

--
Thorsten Kukuk       http://www.suse.de/~kukuk/       kukuk@suse.de
SuSE GmbH            Schanzaeckerstr. 10            90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.
(4724084) ------------------------------------------(Reflowed)

4724098 2000-01-25  04:42  /64 lines/ Postmaster
Recipient: Bugtraq (import) <9488>
Subject: Re: NIS security advisory : password method downgrade
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: mYFZTHAs54HdHi0jX4uyiQ==
Message-ID:  <200001241140.LAA05334@otis.UK.Sun.COM>
Date:         Mon, 24 Jan 2000 11:40:03 +0000
Reply-To: Darren Moffat - Solaris Sustaining Engineering <darren.moffat@sunuk.UK.Sun.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Darren Moffat - Solaris Sustaining Engineering <darren.moffat@sunuk.UK.Sun.COM>
X-To:         stefan@ASIT.RO
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

>	The dish of the day is the Yellow Pages/NIS (NYS?) suite
>shipped with the pristine RedHat 6.1. After a standard blank installation
>the rpc.yppasswd (when used via ypasswd by  domain lusers from all over the
>place) shamelessly uses the old (deprecated?) 8-character-limited des

This is required to make it NIS(YP), otherwise it won't be able to
interoperate with other systems running NIS.  The md5 and other
alternate passwords are Linux/BSD extensions to the password
table/map that are not available in a lot of other UNIX systems.
Handing out md5 encrypted passwords means it is no longer NIS(YP)
but some Linux extension - if a commercial vendor did this lots of
people would complain about proprietary incompatible extensions to an
open protocol.

It would be much better to run NIS+ or LDAP as your naming service if
you are concerned about people running password crackers over your
passwd table/map.  NIS+ and LDAP allow you to control which users can
actually see the encrypted password when a getpw*() call is made.
This can be done because they have the concept of row & column
permissions much like a standard UNIX filesystem.

NIS has several other fundamental security shortcomings that have
been solved in NIS+ and other more modern naming services.  If you
are concerned about the security of your naming service you really
shouldn't be using NIS at all.

>place) shamelessly uses the old (deprecated?) 8-character-limited des
>password encryption, butt-slapping the idea of site security and
>raising from their graves old pwcracks and John the Rippers that
>could easily bruteforce into your password files. Thus your new shiny
>md5 crypted shadow is gone, and the 8-chars passwords are back.

Secondly the encryption algorithm used in traditional UNIX passwords
is not itself limited to 8-chars.  Traditionally passwords in UNIX
were limited to 8-chars because login and friends called getpass()
which is defined to return a string of 8-chars + null.  Now Solaris,
Linux and possibly others use PAM and the PAM conversation functions
tend to call getpassphrase() or other functions (possibly GUIs) that
make the new limit 256-chars.


In summary I suggest that the Linux ypserv/rpc.yppasswd is not changed
to do this by default, and that if it is changed then it is made clear to
the admin when it is set up that enabling such a feature means they are
no longer running traditional NIS(YP), and that interoperability with other
systems will probably be broken because they have enabled this
non-standard extension.

--
Darren J Moffat
(4724098) ------------------------------------------(Reflowed)
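The practical check an admin would want after reading this thread is whether a supposedly MD5-hashed NIS passwd map has had traditional DES hashes written back into it by yppasswd clients. The following is an added example, not code from any of the posters or from the ypserv/NYS project: it parses passwd-map lines in the colon-separated form that `ypcat passwd` prints and classifies the password field by its format (13-character traditional DES crypt, `$1$` MD5-crypt, other `$id$` modular crypt, shadowed/locked, or empty). The map contents and hash strings below are constructed for illustration and are not real credentials.

```python
import re

# Constructed sample in ypcat-passwd format: user:hash:uid:gid:gecos:home:shell.
# The hash strings are invented for this example, not real password hashes.
SAMPLE_MAP = """\
alice:$1$saltsalt$tq6yGnUidiVpT8xYOvUhu1:1001:100:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:!:1004:100:Dave:/home/dave:/bin/false
erin:$1$zzzzzzzz$SvBnQ7kT0V9w9l2Zk2vW.0:1005:100:Erin:/home/erin:/bin/bash
frank::1006:100:Frank:/home/frank:/bin/bash
"""

# Traditional DES crypt: 2-char salt + 11-char hash, all from the 64-char crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: "$<id>$..." where id "1" is MD5-crypt.
MODULAR_RE = re.compile(r"^\$([0-9A-Za-z]+)\$")


def classify_hash(field):
    """Return a label describing the format of one passwd-map password field."""
    if field == "":
        return "empty"  # no password at all: anyone can log in as this user
    if field == "x" or field.startswith("!") or field.startswith("*"):
        return "shadowed-or-locked"  # hash lives elsewhere or login is disabled
    m = MODULAR_RE.match(field)
    if m:
        return "md5-crypt" if m.group(1) == "1" else "crypt-$" + m.group(1)
    if DES_RE.match(field):
        return "des-crypt"  # the 8-character-limited format the advisory complains about
    return "unknown"


def audit_map(text):
    """Map each user name in a ypcat-style passwd dump to its hash-format label."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd entry; skip rather than guess
        result[fields[0]] = classify_hash(fields[1])
    return result


def des_users(text):
    """Sorted list of users whose map entry carries a traditional DES hash."""
    return sorted(u for u, kind in audit_map(text).items() if kind == "des-crypt")


if __name__ == "__main__":
    for user, kind in audit_map(SAMPLE_MAP).items():
        print(f"{user:8s} {kind}")
    print("DES-hashed accounts:", ", ".join(des_users(SAMPLE_MAP)) or "none")
```

Run it against real output by piping `ypcat passwd` into a file and passing that text to `audit_map`; any `des-crypt` entry in a map that is supposed to be MD5 is a candidate for the downgrade described in the first post, and any `empty` entry is worse than either hash format. The script only inspects the format; it does not attempt to crack anything.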