Date:      Mon, 5 Mar 2001 18:38:21 +0200 (IST)
From:      Roman Shterenzon <roman@harmonic.co.il>
To:        Philip Kizer <pckizer@nostrum.com>
Cc:        "Brandon D. Valentine" <bandix@looksharp.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: NIS/YP problems on FBSD 4.2-STABLE 
Message-ID:  <Pine.LNX.4.10.10103051836170.2661-100000@shark.harmonic.co.il>
In-Reply-To: <200103040147.f241l1v45352@magus.nostrum.com>

When the request is received from a port higher than 1024, then it's
denied (FreeBSD).
In the Linux implementation, when a request is received from a port higher than
1024, the password field is replaced with an asterisk.
I'll have to reread what you've written and proposed to understand
whether it answers my question.
Thanks,

On Sat, 3 Mar 2001, Philip Kizer wrote:

> Roman Shterenzon <roman@harmonic.co.il> wrote:
> >I think that what's missing in the FreeBSD NIS implementation is the ability to
> >change the password field to "x" for requests from high ports (the present
> >implementation just denies access).
> >I was looking into bringing this to FreeBSD (from Linux), but unfortunately
> >didn't quite have time to get to it.
> 
> I'm not sure exactly what you mean by "the present implementation just
> denies access".  It's not the ypserv that 'change[s] password field to "x"',
> it's the map creation process.
> 
> The FreeBSD stable ypserv Makefile will by default take the
> /var/yp/master.passwd, store it "securely" in master.passwd.by{name,uid},
> and strip out the "extra" fields to make a passwd.by{name,uid} that contains
> "*" in the passwd field.  The master.passwd.* maps are retrievable only
> from privileged ports due to the YP_SECURE field.
> 
> See:
> 
> <http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ypserv/Makefile.yp?rev=1.31>
> (or /var/yp/Makefile*)
> 
> for details on the map creation process.
> 
> If you want to use the same NIS server for serving passwords "securely" to
> Linux and Solaris boxes, this patch (minus some fuzz) should do the trick
> for you (note the ${S} in the mkdb command for marking the map as "secure"):
> 
> --- Makefile.yp	Sat Mar  3 19:42:10 2001
> +++ Makefile	Sat Mar  3 19:42:29 2001
> @@ -125,0 +126,2 @@
> +TARGETS+= passwd.adjunct.byname
> +TARGETS+= shadow.byname
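Review bot: Both TARGETS+= lines are unconditional, so every domain built from this Makefile will generate and push passwd.adjunct.byname and shadow.byname, and the rules added further down put field 2 of the master file into both. Consider wrapping the two additions in an .if on a site-set make variable, so the hash-bearing maps are only produced where Linux or Solaris clients actually need them.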
> @@ -587,0 +590,28 @@
> +
> +passwd.adjunct.byname: $(MASTER)
> +	@echo "Updating $@..."
> +.if ${MASTER} == "/dev/null"
> +	@echo "Master.passwd source file not found -- skipping"
> +.else
> +	$(CAT) $(MASTER) | \
> +	$(AWK) -F:  'BEGIN{OFS=":"}{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 !~ /^+/ && $$1 !~ /^-/) print $$1"\t"$$1,$$2,$$3,$$4,$$8,$$9,$$10 }' $^ \
> +		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
> +		$(RMV) $(TMP) $@
> +	@$(DBLOAD) -c
> +	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
> +	@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
> +.endif
> +
> +shadow.byname: $(MASTER)
> +	@echo "Updating $@..."
> +.if ${MASTER} == "/dev/null"
> +	@echo "Master.passwd source file not found -- skipping"
> +.else
> +	$(CAT) $(MASTER) | \
> +	$(AWK) -F: 'BEGIN{OFS=":"}{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 !~ "^+" && $$1 !~ /^-/) print $$1"\t"$$1,$$2,$$6,":::",$$7,"" }' $^ \
> +		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
> +		$(RMV) $(TMP) $@
> +	@$(DBLOAD) -c
> +	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
> +	@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
> +.endif
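Review bot: Both rules rely entirely on ${S} in the $(DBLOAD) line to keep the $$2 hash field away from unprivileged ports, and neither rule checks that it is set; an ".if empty(S)" guard that skips the target with a message, in the same style as the /dev/null check, would stop these maps from being built unprotected. Two smaller points in the awk lines: the "+" entry filter is written /^+/ in the first rule and "^+" in the second, and an unescaped + directly after ^ is not a portable regular expression, so /^[+]/ in both would be safer; and awk is fed by $(CAT) $(MASTER) on stdin while also being handed $^ as an operand, so one of the two should go.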
> 
> 
> Please let me know if I misunderstood you,
> 
> -philip
> 
> -- 
> Philip Kizer,
> USENIX Liaison to Texas A&M University       <usenix@tamu.edu>
> Texas A&M CIS Operating Systems Group, Unix <pckizer@tamu.edu>
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
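
The split Philip Kizer describes above (a public passwd-style map with "*" in the password field, with the hashes kept only in a restricted map) can be reproduced and checked offline. This is an added example, not code from the thread or from FreeBSD's Makefile.yp; the function names and the sample master.passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in master.passwd layout (10 colon-separated fields:
# name:passwd:uid:gid:class:change:expire:gecos:home:shell).
# The hashes are made-up placeholders, not real credentials.
sample_master() {
cat <<'EOF'
# constructed comment
alice:$1$CONSTRUCTED$aaaaaaaa:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$1$CONSTRUCTED$bbbbbbbb:1002:1002::0:0:Bob Example:/home/bob:/bin/csh
+:::::::::
EOF
}

# Build "key<TAB>record" lines for a public passwd-style map:
# drop class/change/expire and force "*" into the password field.
# Comment lines and +/- compat entries are skipped.
public_passwd() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 != "" && $1 !~ /^#/ && $1 !~ /^[+-]/ {
            print $1 "\t" $1, "*", $3, $4, $8, $9, $10
        }'
}

# Audit check: count records whose password field still holds something
# other than "*", "x" or nothing. Accepts raw records or key<TAB>record lines.
count_exposed() {
    awk -F: '{ sub(/^[^\t]*\t/, "") }
        $1 !~ /^#/ && $2 != "" && $2 != "*" && $2 != "x" { n++ }
        END { print n + 0 }'
}

# Stand-alone run: show the public records and the audit result for each view.
sample_master | public_passwd
echo "hashes in master view: $(sample_master | count_exposed)"
echo "hashes in public view: $(sample_master | public_passwd | count_exposed)"
```

Running the same count over the dumped contents of any map that is served without the secure flag should report 0.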




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.10.10103051836170.2661-100000>