2

We have an old NIS setup which, at geological speed, is being replaced by a Kerberos one. In the meantime, all the (non-root) users can simply type ypcat passwd and get the hashes of all the users' passwords. Is there an interim hack one can do to mitigate this so that it is at least not trivial to get the password hashes?

graffe

1 Answer

2

You can upgrade to NIS+, but that's sort of an epic definition of "interim hack."

No, plain old NIS does not support any protection for the password hashes it distributes.

(and before someone suggests removing or chmod'ing ypcat, you'd have to disable every programming language on the system as well. Writing a ypcat clone is trivial, see Python for example.)

gowenfawr
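
Since the map stays readable to every user until the Kerberos migration is finished, it helps to know exactly what it exposes. The following is an added example, not part of the answer above: it classifies the password field of each entry in `ypcat passwd`-format text and flags accounts whose hash uses a weak crypt(3) scheme. The sample map, user names and hash values are constructed; on a real system the input would be the output of `ypcat passwd`.

```python
import re

# Constructed sample in passwd(5) format, as a NIS passwd map returns it.
# User names and hash values are made up for this example.
SAMPLE_MAP = """\
alice:$6$CONSTRUCTEDSALT$constructedhashvalue0000000000:1001:100:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yJQ:1002:100:Bob:/home/bob:/bin/sh
carol:$1$constrct$constructedmd5hashvalue:1003:100:Carol:/home/carol:/bin/bash
dave:*:1004:100:Dave:/home/dave:/bin/false
erin:x:1005:100:Erin:/home/erin:/bin/bash
broken line without enough fields
"""

# crypt(3) modular-format prefixes and the scheme each one denotes.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"des-crypt", "md5crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-character DES crypt

def classify(field):
    """Return the hash scheme of a passwd field, or None if no hash is exposed."""
    if field in ("", "x") or field[0] in "*!":
        return None  # empty, shadowed elsewhere, or locked
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    return "des-crypt" if DES_RE.match(field) else "unknown"

def audit(map_text):
    """Map each user whose hash is readable to (scheme, is_weak)."""
    exposed = {}
    for line in map_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip malformed entries
        scheme = classify(parts[1])
        if scheme:
            exposed[parts[0]] = (scheme, scheme in WEAK)
    return exposed

if __name__ == "__main__":
    for user, (scheme, weak) in audit(SAMPLE_MAP).items():
        print(f"{user:8} {scheme:12} {'WEAK: rotate first' if weak else ''}")
```

Accounts flagged as weak are the ones to move to Kerberos or force a password change on first, because their hashes are the cheapest to attack once read from the map.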