On Sat, Dec 13, 2014 at 09:03:33AM -0500, Jon Daley wrote:

> You've made a couple references to using shadow and nis being unusual.  Do
> people usually turn off shadow passwords when using other systems?  And you

Well, it's more that they don't usually deploy NIS on systems that
default to shadow passwords.

> also implied that NIS's lack of security makes shadow passwords irrelevant.
> When I first installed NIS, I thought it might be exposing the password file
> somehow, but I couldn't make it do that, and I get permission denied errors
> when I try to see the actual password hashes from a client.  Can you give me
> a command that does?

Run with root - the default thing is to look for a source port below
1024.  The problem is that on most networks physical access is trivially
obtainable, or there are other vectors like non-Unix devices that don't
care about port 1024.  Things can be locked down to prevent that, but the
people doing so tend to also want to avoid sending the data unencrypted
in the first place.  There is some security, but it's not hard to get
around.

> The patch probably was done manually or at least, not intended to be
> automatically merged, but since it is all of 15 characters, it doesn't seem
> like that should be a reason to dismiss it.  After this conversation, I've

Like I say, I'm pretty sure I didn't even see it - I don't recall seeing
one on the original e-mail, and it does look like it's got problems (I'd
tend to reply to anything with a patch).  As you'll see from the bug log,
I've applied the patch already, so it'll get uploaded when it's had a bit
of testing.

> In any case, I don't think an argument can be made that my patch breaks
> anything for anyone, and it makes the package usable for some, so it seems
> like we've been taking a lot of effort talking about it, rather than just
> fixing it.  But, I have a /usr/local/bin/yppasswd, so it doesn't really
> matter to me.

The problem is that we're in a release freeze which means that getting
standard run of the mill bug fixes integrated is difficult, hence the
importance of this being a regression from the previous release.
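The "source port below 1024" check described in the reply above, modelled as an added example (this is not ypserv's code and not part of the original thread). It assumes the securenets file format ypserv uses ("netmask network" per line, "host" as a shorthand mask) and a constructed sample of that file; the map names, addresses and ports are likewise constructed. The point it makes runnable is the one in the message: the server cannot distinguish a root-owned client from any other host on an allowed network that simply chooses a low source port, so the privileged-port check is a weak control rather than real access control.

```python
"""Model of the access control a NIS server applies to a 'secure' map.

Added illustration, not ypserv's own code.  It reproduces the two checks
that gate a request: the client address must match securenets, and for
maps holding password hashes the request must arrive from a source port
below 1024 (a port only root can bind on a Unix client).
"""
import ipaddress
from dataclasses import dataclass

# Maps whose values carry password hashes; names assumed for the example.
SECURE_MAPS = {"shadow.byname", "passwd.adjunct.byname"}
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sample securenets file in ypserv's "netmask network" format.
SAMPLE_SECURENETS = """\
# hosts allowed to query this server
host            127.0.0.1
255.255.255.0   192.0.2.0
"""


def parse_securenets(text):
    """Parse securenets text into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        mask, net = line.split()
        if mask == "host":  # "host A.B.C.D" means a single address
            mask = "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


@dataclass(frozen=True)
class Request:
    """What the server can see about a map lookup: address, port, map."""
    src_ip: str
    src_port: int
    map_name: str


def check_request(req, securenets):
    """Return (allowed, reason) for a lookup against a secure-map policy."""
    ip = ipaddress.ip_address(req.src_ip)
    if not any(ip in net for net in securenets):
        return False, "host not in securenets"
    if req.map_name in SECURE_MAPS and req.src_port >= PRIVILEGED_PORT_LIMIT:
        # This is the only thing standing between a client and the hashes.
        return False, "secure map requires a privileged source port"
    return True, "ok"


def demo():
    """Run constructed requests through the policy and return the outcomes."""
    nets = parse_securenets(SAMPLE_SECURENETS)
    cases = {
        # Unprivileged user on a Unix client: kernel gave it a high port.
        "user_ypcat_shadow": Request("192.0.2.10", 40123, "shadow.byname"),
        # Root on the same client: can bind port 1023, so the check passes.
        "root_ypcat_shadow": Request("192.0.2.10", 1023, "shadow.byname"),
        # Any non-Unix box on the allowed network picking a low port itself.
        "other_device_low_port": Request("192.0.2.77", 1023, "shadow.byname"),
        # Host outside securenets is refused regardless of port.
        "outside_host": Request("198.51.100.5", 1023, "shadow.byname"),
        # Non-secure map is served to anyone in securenets.
        "user_ypcat_passwd": Request("192.0.2.10", 40123, "passwd.byname"),
    }
    return {name: check_request(r, nets)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'served' if allowed else 'permission denied'}")
```

The check only holds when every host in securenets is a Unix system whose kernel reserves ports below 1024 to root; the model's third case is the device that ignores that convention and is served anyway. Nothing here encrypts the transfer, which is why the reply says those who lock this down usually move off plaintext NIS instead.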
