- Newsgroups: comp.sys.next.misc
- Path: sparky!uunet!caen!uwm.edu!ux1.cso.uiuc.edu!lemson
- From: lemson@ux1.cso.uiuc.edu (David Lemson)
- Subject: Re: Password file
- Message-ID: <BxC1Bz.19v@ux1.cso.uiuc.edu>
- Organization: University of Illinois at Urbana
- References: <83164@ut-emx.uucp> <BxBIwK.97H@news.cso.uiuc.edu>
- Date: Sat, 7 Nov 1992 06:14:08 GMT
- Lines: 32
-
- jeffo@uiuc.edu (J.B. Nicholson-Owens) writes:
-
- >Douglas Floyd writes
- >> Is the NeXT Password file shadowed, or can anybody who logs on/ftps/
- >> telnets onto your system obtain the password file so they can
- >> run crack on it and find more ways to break in?
-
- >The NeXT password file is not shadowed and is accessible without even having an
- >account on the system. You can do remote nidumps of someone else's password
- >file. Unfortunately making one's password information secure seems to be hard
- >(if not impossible) without changing a MAJOR portion of the operating system
- >(or at least this is what I was told by people on comp.sys.next.* when I asked
- >a similar question).
-
- Not exactly right. If you set the trusted_networks property in your
- root level of netinfo (or whatever level you want to protect), you
- can allow queries to only come from specific subnets. That is
- pretty good security, I think. (at least from outside people)
-
- However, Netinfo does not provide shadowing, and anyone who has a
- user account can get a copy of the password file by running nidump
- or a getpwent() call (if you have disabled nidump!)
-
- >Secure passwords that crack cannot decipher seem to be the best protection
- >against one's net-connected NeXT being broken into.
-
- Always true.
- --
- David Lemson (217) 244-1205
- University of Illinois NeXT Campus Consultant / CCSO NeXT Lab System Admin
- Internet : lemson@uiuc.edu UUCP :...!uiucuxc!uiucux1!lemson
- NeXTMail accepted BITNET : LEMSON@UIUCVMD
-