*YP/NIS/NIS+/forced-password-change security hole.* Affected Sites: Systems running Passwd+ or NPasswd and possibly other similar programs. These are programs that have been developed to enable system administrators to force users to change their passwords at set intervals and check the passwords to make sure they use alphanumeric sequences as opposed to common dictionary names. Although a step in the right direction, these packages are not as secure as they seem. Problem: The problem lies in the program itself. To really asses blame, one can say it is sloppy programming that causes this problem. It is useful to force a user to change their password every so often. However, the sequence of events that is defaulted to by some incarnations of YP/NIS is really horrendus. Watch: UNIX(r) System V Release 4.0 (good religous site) login: priest Sorry Passwd has expired Change: Instead of having the user enter their OLD password, the YP/NIS program is asking for the user to enter the new password without verifying that it is actually the authorized user that is logging in. There is no other excuse for this except for "pretty dumb". This is not something new-- just a subject that has yet to be explained.