
Re: Linux nis and shadow passwords, non Linux clients



Nils Rennebarth wrote:

> On Thu, Apr 22, 1999 at 10:01:53AM -0500, Jens B. Jorgensen wrote:
> > Hmmm, perhaps you'll have to generate your own intermediate passwd file to
> > generate the NIS maps. However, I would perhaps reconsider using shadow. Unless
> > you're only serving up some (not root, etc.) passwords from NIS and have set up
> > NIS to work this way there's no benefit to running shadow locally since NIS is
> > 100% insecure (ie. it'll give up password entries to anyone on your network who
> > asks).
> What I'm worrying about is that a remote cracker guesses a local password
> then logs in on our server and snatches the passwd file to crack the root
> account (not that root has a password that I expect someone to crack, but
> who knows..)
>
> The way it runs currently, a remote user has to crack a local root account,
> to "ask" for the encrypted passwords.
>
> And yes, I do only serve user passwords > id 100 by NIS.

Understood. Actually, I do something similar: we use NIS behind the firewall but the
firewall machine itself is an NIS client. In our situation things were a little
backwards though because we had a Sun serving up the NIS maps and linux boxen as
clients. The Sun supports shadow but shadow maps are only served through NIS+.
Unfortunately, NIS+ support is just now coming together in Linux. This is all
academic though...

So, whatcha need to do is customize your /var/yp/Makefile which builds the actual db
files. If you open up your /var/yp/Makefile you'll find something like (snipped from
my own file):

passwd.byname: $(PASSWD) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
        $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
           print $$1"\t"$$0 }' $(PASSWD) | $(DBLOAD) -i $(PASSWD) \
                -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@


passwd.byuid: $(PASSWD) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
        $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
           print $$3"\t"$$0 }' $(PASSWD) | $(DBLOAD) -i $(PASSWD) \
                 -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

All we need to do is to pull the password field out of /etc/shadow and join it
together with the rest of the data in /etc/passwd before putting it into the db file.
We can easily do this using the join command, so we modify the above to:

passwd.byname: $(PASSWD) $(SHADOW) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
        /usr/bin/join -t : -j 1 -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 \
            $(PASSWD) $(SHADOW) | \
        $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
           print $$1"\t"$$0 }' | $(DBLOAD) -i $(PASSWD) \
                -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@


passwd.byuid: $(PASSWD) $(SHADOW) $(YPDIR)/Makefile
        @echo "Updating $@..."
        @$(UMASK); \
        /usr/bin/join -t : -j 1 -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 \
            $(PASSWD) $(SHADOW) | \
        $(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
           print $$3"\t"$$0 }' | $(DBLOAD) -i $(PASSWD) \
                -o $(YPMAPDIR)/$@ - $@
        -@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

I haven't tested the above (except for the join command itself) but I believe it'll
do just exactly right.

--
Jens B. Jorgensen
jjorgens@bdsinc.com
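
The merge described in the mail above, as an added example that is not part of the original message: a POSIX shell function running the same join/awk pipeline as the modified Makefile recipe, with one fix the recipe lacks: join(1) requires both inputs sorted on the join field, and /etc/passwd and /etc/shadow are normally not sorted, so the function sorts copies first. The file names, user names and hashes are constructed placeholders; nothing here reads the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original mail): build the passwd.byname map
# input the way the modified Makefile recipe does, but sorting both files
# first, because join(1) requires sorted input and /etc/passwd is not sorted.
export LC_ALL=C   # sort and join must agree on collation order

# Print "name<TAB>name:hash:uid:gid:gecos:home:shell" for each account with
# uid >= $1, taking the hash from the shadow file $3 and the rest from $2.
# Accounts below MINUID (root, daemons) are filtered out, so their hashes
# never reach the map, which is the whole point of the MINUID check.
build_passwd_byname() {
    minuid=$1; passwd=$2; shadow=$3
    tmp=$(mktemp -d) || return 1
    sort -t : -k 1,1 "$passwd" > "$tmp/passwd.sorted"
    sort -t : -k 1,1 "$shadow" > "$tmp/shadow.sorted"
    # -o: name and fields 3-7 from passwd (file 1), hash (field 2) from shadow
    join -t : -j 1 -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 \
        "$tmp/passwd.sorted" "$tmp/shadow.sorted" |
    awk -F: -v minuid="$minuid" \
        '!/^[-+#]/ { if ($1 != "" && $3 + 0 >= minuid + 0) print $1 "\t" $0 }'
    rm -rf "$tmp"
}

# Constructed sample files: hashes are placeholders, and the line order is
# deliberately unsorted to show why the sort step is needed.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nils:x:1001:100:Nils Example:/home/nils:/bin/sh
alice:x:1000:100:Alice Example:/home/alice:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$rootsalt$PLACEHOLDERROOT:10000:0:99999:7:::
nils:$1$nilssalt$PLACEHOLDERNILS:10000:0:99999:7:::
alice:$1$alisalt$PLACEHOLDERALICE:10000:0:99999:7:::
daemon:*:10000:0:99999:7:::
EOF

# With MINUID=100 only alice and nils appear; root and daemon stay local.
build_passwd_byname 100 "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

The same function serves passwd.byuid by printing `$3` instead of `$1` as the key; the rest of the pipeline is unchanged.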
