Alternatives for Yellow Pages?

Win Treese treese at athena.mit.edu
Sun Jan 15 17:37:39 AEST 1989


In article <747 at genie.UUCP> scooter at genie.UUCP (Scooter Morris) writes:
(in answer to a question about replacing YP)
>
>	[...]
>
>	So, we modified /bin/passwd so that instead of updating the
>	password database directly, it sends a packet to a password
>	daemon.  The password daemon (passwordd) updates the local
>	database, and queues up the change to any other machines which
>	are sharing the same uid scheme.  The changes are then sent
>	over TCP to the password daemon on each of the other machines
>	which, in turn, update their local databases....

How do you guarantee that the request to change a password is legitimate?
That is, can I spoof the password daemon as another user or from another
machine on the network that I control?

It seems that this system is vulnerable to a number of attacks, including
some that YP is also vulnerable to.

The design of a good network authentication system isn't entirely obvious,
but it's fairly well understood now.  A good start in the literature is
Needham & Schroeder's 1978 CACM paper on the subject (the system described
there is the basis of MIT Project Athena's Kerberos authentication system).

Win Treese					Cambridge Research Lab
treese at crl.dec.com				Digital Equipment Corporation
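
The legitimacy check asked about above, sketched as an added example (not part of the original post, and not the passwordd code it discusses). It is neither Needham-Schroeder nor Kerberos but a simpler per-host shared-key MAC with a timestamp and nonce; the host names, keys, field names and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds a request stays acceptable (assumed policy)
# Constructed sample keys: one secret per peer host, provisioned out of band.
HOST_KEYS = {"hostA": b"constructed-key-A", "hostB": b"constructed-key-B"}


def make_request(host, key, user, new_hash, now=None):
    """Sender side: build a change request and MAC it with the host's key."""
    body = {"host": host, "user": user, "new_hash": new_hash,
            "ts": int(now if now is not None else time.time()),
            "nonce": os.urandom(16).hex()}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": raw.decode(), "mac": tag}


class Verifier:
    """Receiver side: known host, valid MAC, fresh timestamp, unseen nonce."""

    def __init__(self, host_keys):
        self.host_keys = host_keys
        self.seen = {}  # nonce -> request timestamp, kept while still fresh

    def check(self, msg, now=None):
        now = int(now if now is not None else time.time())
        try:
            raw = msg["body"].encode()
            body = json.loads(raw)
            key = self.host_keys[body["host"]]
            ts, nonce = int(body["ts"]), str(body["nonce"])
        except (KeyError, ValueError, TypeError, AttributeError):
            return "reject: unknown host or malformed request"
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac")).encode()):
            return "reject: bad MAC"
        if abs(now - ts) > MAX_SKEW:
            return "reject: stale"
        # Drop nonces whose requests would now be rejected as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return "reject: replay"
        self.seen[nonce] = ts
        return "accept"
```

The MAC authenticates the sending host, not the user: a host holding a valid key can still submit a change for any account, so a per-user proof would have to be carried inside the request as well.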



More information about the Comp.unix.wizards mailing list