
Re: Linux nis and shadow passwords, non Linux clients



In article <cistron.371F39E1.266748DC@bdsinc.com>,
Jens B. Jorgensen <jjorgens@bdsinc.com> wrote:
>Hmmm, perhaps you'll have to generate your own intermediate passwd file to
>generate the NIS maps.

Ah yes, a possibility is to include the password in /etc/password, and
then filter that out again for shadow-capable hosts using /etc/ypserv.conf.

> However, I would perhaps reconsider using shadow. Unless
>you're only serving up some (not root, etc.) passwords from NIS and have set up
>NIS to work this way there's no benefit to running shadow locally since NIS is
>100% insecure (i.e. it'll give up password entries to anyone on your network who
>asks).

Not true. If set up correctly, it will only serve shadow maps to requests
originating from secure ports (e.g. < 1023), which means a root process.
Of course that means you do have to trust all root users on your network.

But turning off shadow is certainly the easiest solution (shadowconfig off).
You can still have shadow-like security using /etc/ypserv.conf, a
feature unique to the Linux NIS server.

Mike.
-- 
Indifference will certainly be the downfall of mankind, but who cares?
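
A small model of the port check described in the message above, added here as an illustration; it is not part of the original thread and is not ypserv's own code. It assumes the `host:domain:map:security` rule layout with `none`, `port` and `deny` values, first-match-wins ordering and an allow default when no rule matches; the sample rules, addresses and domain name are constructed.

```python
import ipaddress

# Constructed sample in the assumed host:domain:map:security layout.
SAMPLE_CONF = """\
# host          : domain : map            : security
192.168.1.0/24  : *      : shadow.byname  : port
*               : *      : shadow.byname  : deny
*               : *      : passwd.byname  : none
"""

def parse_rules(text):
    """Return (host, domain, map, security) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 4 or fields[3] not in ("none", "port", "deny"):
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(tuple(fields))
    return rules

def host_matches(pattern, client_ip):
    """'*' matches any client; anything else is read as an IPv4 network."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, client_ip, domain, mapname, src_port):
    """Return 'serve' or 'deny' for one lookup; first matching rule wins (assumption)."""
    for host, dom, m, security in rules:
        if host_matches(host, client_ip) and dom in ("*", domain) and m in ("*", mapname):
            if security == "deny":
                return "deny"
            if security == "port":
                # Ports below 1024 can only be bound by root on Unix.
                return "serve" if src_port < 1024 else "deny"
            return "serve"
    return "serve"  # no rule matched: treated as 'none' (assumption)

def exposed_maps(rules, client_ip, domain, maps):
    """Maps that an unprivileged process on client_ip could read."""
    return [m for m in maps if decide(rules, client_ip, domain, m, 40000) == "serve"]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    print(exposed_maps(rules, "192.168.1.7", "example", ["shadow.byname", "passwd.byname"]))
```

With the sample rules, a root process on the trusted subnet can read `shadow.byname`, while the same lookup from a high port or from another network is refused.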

