
Re: shadow and nis



Behan Webster wrote:
> 
> Jens B. Jorgensen wrote:
> >
> > as the last line of /etc/passwd. Now, the Sun also has shadow passwords,
> > and its NIS (NIS+ actually) is set up to handle this. To get it to
> > work I had to build the maps *with* passwd info included, like thus
> > on the sun:
> >
> > /usr/lib/nis/nisaddent -p -f /etc/passwd.net passwd
> 
> Hmm.  That's an idea.  I could run shadow and then build a non-shadow
> passwd file from which to update nis.  That might work.  How does
> one combine the passwords from /etc/shadow with the entries in
> /etc/passwd into a third file I wonder.  This may be a job for a
> quick sh or perl script.  I'll hack one together if no one has a
> better idea.

I just deleted the awk script I used to do just this. I used it as a
one-time thing to get everyone set up under NIS. Now we're only faced
with add/moding users so I got source for passwd and modified it so that
you can pass it a filename other than /etc/passwd and we've cobbled
together a script to set up new users.

> > with the '-p' telling it to go ahead and include the password
> > field. I tried to use shadow in the maps, but no luck. NOTE: this
> > matters little anyway since NIS (as opposed to NIS+) will give up
> > *any* map to *anyone* who asks for it. Thus NIS exposes you to
> > the same problems as non-shadow passwords. Oops, I didn't mention
> > it before but I *am* using shadow passwords on the debian box too.
> 
> Not entirely true.  If you set up /etc/ypserv.conf properly, normal
> users will get "shadowed" passwords from the ypcommands, but root
> will get the real entry.  (There are comments in /etc/ypserv.conf
> on how to do it).  Not quite completely secure, but better than
> nothing.
> 
> e.g.
> 
> root# ypmatch user passwd
> user:k9xUnxmXGdzGM:1000:100:Joe user:/home/user:/bin/sh
> root# su - user
> user% ypmatch user passwd
> user:x:1000:100:Joe user:/home/user:/bin/sh
> 

This must rely on ident or something like it. Since it doesn't use
strong auth/crypt you still rely on the assumption that no one
can hook a machine up to your ethernet. I imagine that this assumption
holds for few sites, which is why I consider this sort of security to
be the same as no security at all. Anyone who knows enough to DL and
run a dictionary password cracker against a snarfed non-shadow
passwd file is smart enough to set up a linux YP client on your e-net
and snarf your YP data, and the difference in the effort required is
not significant. Of course they'd have to have physical access
first.

All the same, I wonder if the Sun ypserv (or rather its equivalent
thereto) supports this same functionality? Hmmmm.

-- 
Jens B. Jorgensen
jjorgens@bdsinc.com
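The passwd/shadow merge that Behan asks about above (the "third file" that is then handed to nisaddent -p) can be done with a two-pass awk over the shadow file and then the passwd file. The script below is an added example written for this archive page, not the awk script Jens mentions deleting and not anything from the thread; the file paths, user names and the root hash in the sample data are constructed (the "user" hash is the one shown in Behan's ypmatch output).

```sh
#!/bin/sh
# Added example, not from the thread: rebuild a non-shadow passwd file by
# copying each user's hash from the shadow file into field 2 of the matching
# passwd entry. Paths, user names and hashes below are constructed.

# merge_shadow PASSWD_FILE SHADOW_FILE
# Prints passwd lines with the shadow hash substituted for the "x" field.
# Users without a shadow entry keep their original second field, so an
# account that is only in passwd stays as it was rather than becoming empty.
merge_shadow() {
    awk -F: -v OFS=: '
        # Pass 1 (shadow file): remember the hash for every user name.
        NR == FNR { hash[$1] = $2; next }
        # Pass 2 (passwd file): substitute the hash where one was recorded.
        ($1 in hash) { $2 = hash[$1] }
        { print }
    ' "$2" "$1"
}

# demo: write constructed passwd/shadow files into a temp dir, merge them,
# print the merged entries and clean up.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user:x:1000:100:Joe user:/home/user:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
EOF
    # root gets a constructed placeholder hash; "user" reuses the hash shown
    # in the thread; "nobody" deliberately has no shadow entry.
    cat > "$dir/shadow" <<'EOF'
root:CONSTRUCTED_ROOT_HASH:10000:0:99999:7:::
user:k9xUnxmXGdzGM:10000:0:99999:7:::
EOF
    chmod 600 "$dir/shadow"
    merge_shadow "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

Redirect the output of merge_shadow to the file you feed to nisaddent -p and give that file the same 0600 mode as /etc/shadow, because once it exists it carries every hash in the clear, which is exactly the exposure Jens points out for maps that NIS will hand to any client that asks.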

