Re: shadow and nis
Behan Webster wrote:
>
> Jens B. Jorgensen wrote:
> >
> > as the last line of /etc/passwd. Now, the Sun also has shadow passwords,
> > and it's NIS (NIS+ actually) is set up to handle this. To get it to
> > work I had to build the maps *with* passwd info included, like thus
> > on the sun:
> >
> > /usr/lib/nis/nisaddent -p -f /etc/passwd.net passwd
>
> Hmm. That's an idea. I could run shadow and then build a non-shadow
> passwd file from which to update nis. That might work. How does
> one combine the passwords from /etc/shadow with the entries in
> /etc/passwd into a third file I wonder. This may be a job for a
> quick sh or perl script. I'll hack one together if no one has a
> better idea.
I just deleted the awk script I used to do just this. I used it as a
one-time thing to get everyone set up under NIS. Now we're only faced
with add/moding users so I got source for passwd and modified it so that
you can pass it a filename other than /etc/passwd and we've cobbled
together a script to set up new users.
> > with the '-p' telling it to go ahead and include the password
> > field. I tried to use shadow in the maps, but no luck. NOTE: this
> > matters little anyway since NIS (as opposed to NIS+) will give up
> > *any* map to *anyone* who asks for it. Thus NIS exposes you to
> > the same problems as non-shadow passwords. Ooops, I didn't mention
> > it before but I *am* using shadow passwords on the debian box too.
>
> Not entirely true. If you set up /etc/ypserv.conf properly, normal
> users will get "shadowed" passwords from the ypcommands, but root
> will get the real entry. (There are comments in /etc/ypserv.conf
> on how to do it). Not quite completely secure, but better than
> nothing.
>
> e.g.
>
> root# ypmatch user passwd
> user:k9xUnxmXGdzGM:1000:100:Joe user:/home/user:/bin/sh
> root# su - user
> user% ypmatch user passwd
> user:x:1000:100:Joe user:/home/user:/bin/sh
>
This must rely on ident or something like it. Since it doesn't use
strong auth/crypt you still rely on the assumption that no one
can hook a machine up to your ethernet. I imagine that this assumption
holds for few sites, which is why I consider this sort of security to
be the same as no security at all. Anyone who knows enough to DL and
run a dictionary password cracker against a snarfed non-shadow
passwd file is smart enough to set up a linux YP client on your e-net
and snarf your YP data, and the difference in the effort required is
not significant. Of course they'd have to have physical access
first.
All the same, I wonder if the Sun ypserv (or rather its equivalent
thereto) supports this same functionality? Hmmmm.
--
Jens B. Jorgensen
jjorgens@bdsinc.com
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: