From owner-freebsd-questions@FreeBSD.ORG Thu Oct 18 15:18:54 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 64FDC16A418 for ; Thu, 18 Oct 2007 15:18:54 +0000 (UTC) (envelope-from sonicy@otenet.gr)
Received: from rosebud.otenet.gr (rosebud.otenet.gr [195.170.0.94]) by mx1.freebsd.org (Postfix) with ESMTP id DE9B413C457 for ; Thu, 18 Oct 2007 15:18:53 +0000 (UTC) (envelope-from sonicy@otenet.gr)
Received: from atlantis.dyndns.org (athedsl-04806.home.otenet.gr [87.202.18.234]) by rosebud.otenet.gr (8.13.8/8.13.8/Debian-3) with ESMTP id l9IFIlx5030428; Thu, 18 Oct 2007 18:18:47 +0300
Message-ID: <47177956.90601@otenet.gr>
Date: Thu, 18 Oct 2007 18:18:46 +0300
From: Manolis Kiagias
User-Agent: Thunderbird 2.0.0.5 (X11/20070719)
MIME-Version: 1.0
To: Lowell Gilbert
References: <20071015054707.GA34948@parts-unknown.org> <47138DE7.80800@otenet.gr> <20071015190846.GB86225@parts-unknown.org> <4713BF9F.3050803@otenet.gr> <20071015204022.GA76464@parts-unknown.org> <200710160126.l9G1QgdW082501@banyan.cs.ait.ac.th> <47143E1A.1080000@otenet.gr> <44myuj2sw1.fsf@Lowell-Desk.lan> <4714A96F.4080309@otenet.gr> <44y7e1na2c.fsf@be-well.ilk.org> <47162791.1000201@otenet.gr> <44k5pko500.fsf@be-well.ilk.org>
In-Reply-To: <44k5pko500.fsf@be-well.ilk.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 18 Oct 2007 15:18:54 -0000

Lowell Gilbert wrote:
> Manolis Kiagias writes:
>
>> I have experimented a bit further with my Debian NIS server, and this is
>> what I found:
>>
>> From a NIS client, I can do with my standard user account:
>>
>> sonic@atlantis:~$ ypcat passwd.byname
>> user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash
>>
>> and I get the standard, world-readable password file (the one without
>> the passwords).
>> However, the standard user cannot run:
>>
>> This is the answer:
>> sonic@atlantis:~$ ypcat shadow.byname
>> No such map shadow.byname. Reason: No such map in server's domain
>>
>> As root, however:
>> root@atlantis:~# ypcat shadow.byname
>> user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:99999:7:::
>> ...
>>
>> This seems to be consistent with the FreeBSD NIS server behaviour
>> described in the nis(8) manual page:
>>
>> " To help prevent this, FreeBSD's NIS server handles the shadow password
>> maps (master.passwd.byname and master.passwd.byuid) in a special way: the
>> server will only provide access to these maps in response to requests
>> that originate on privileged ports. Since only the super-user is allowed
>> to bind to a privileged port, the server assumes that all such requests
>> come from privileged users. All other requests are denied: requests from
>> non-privileged ports will receive only an error code from the server."
>>
>> So, it seems Linux handles this the same way. The difference is that Linux has a
>> shadow.byname map while FreeBSD has a master.passwd.byname map
>> (possibly also internal differences in the files).
>>
>> Now, if I understand correctly, if I were to add the UNSECURE feature
>> in the FreeBSD server, I expect the shadow passwords would be inserted
>> in the passwd.byname map, which is world readable and hence a security
>> issue. (Perhaps I will do this experiment next and let you know of the
>> outcome.)
>> This is hardly important for my home server scenario, but it would be,
>> should I decide to implement a FreeBSD NIS server somewhere else.
>> Hence, the best possible solution would be to get a Makefile for the
>> FreeBSD NIS server that would produce completely Linux-compatible maps.
>>
>
> Hmm. What you're saying makes sense; unfortunately, I haven't had a
> network configured this way in a while, so I'm rather rusty on the
> details. It sounds as though this is just a matter of the map names.
> Perhaps you could handle that with nicknames?
>

It is a matter of names, but also there are changes internally in the file. All can be handled by a modified Makefile, which I hope to be able to patch. I have a few more urgent "experiments" with the test machine, so this will have to wait for a while.

> I believe that the master.passwd.byname map is in the same FreeBSD-
> specific format as master.passwd, but that on all systems
> passwd.byname is the standard old format that YP always used.
>

In fact, in Linux, shadow.byname is the exact same format as /etc/shadow, so I believe your assumption about master.passwd.byname is true.

> In most (not all, but most) cases, I don't think it's worth worrying
> about the "secure" modes available, whether you're taking the FreeBSD
> or the Linux map names and formats. It's based on the assumption that
> someone untrusted can be on your network but can't use low-numbered
> TCP ports. This is unusual in my experience.
>

True, and as I said, for my home network this is more of an "academic" exercise. However, considering the (probable) outcome of the UNSECURE line in the Makefile, it would reduce the security of a host to pre-shadow days. The hashes would be available to anyone, and then someone could discover John the Ripper and give brute force a try. This is probably something to keep in mind for more security-conscious environments. Combine it with the fact that it would affect all NIS clients and not a single machine, and you may get a serious security incident.

> Good luck.
> _______________________________________________
>

Thanks, should I decide to "wrestle" with the Makefile, I will need it :)
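The thread turns on two things: the field layout of FreeBSD's master.passwd versus Linux's passwd/shadow pair, and the risk that an UNSECURE-style build copies hashes into the world-readable passwd.byname map. The following Python is an added example, not code from the thread or from the FreeBSD NIS Makefile. It builds Linux-style passwd.byname and shadow.byname lines from constructed master.passwd(5) input and audits a passwd-format map for leaked hashes. Assumptions: the sample accounts and hash strings are invented; master.passwd has no "last changed" field, so the caller supplies it in epoch days; the shadow min/max/warn values (0/99999/7) are defaults chosen to match the shape of the ypcat output above, and the expire field is converted from epoch seconds to epoch days.

```python
"""Added example (not from the thread): derive Linux-format passwd/shadow
map lines from FreeBSD master.passwd(5) lines, and audit a passwd-format
map for password hashes that should not be world-readable."""

# Constructed sample input in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
user1:$1$EXAMPLEHASHNOTREAL:1010:1010::0:0:Joe User,,,:/home/user1:/bin/bash
user2:*:1011:1011:staff:0:1262304000:Jane User:/home/user2:/bin/sh
"""

MASTER_FIELDS = 10
SECONDS_PER_DAY = 86400

# Password-field values that carry no usable hash (placeholder or locked).
NON_HASH_VALUES = {"", "x", "*", "!", "!!", "*LK*"}


def parse_master_passwd(text):
    """Split master.passwd text into dicts keyed by the 10 field names."""
    names = ["name", "password", "uid", "gid", "class",
             "change", "expire", "gecos", "home", "shell"]
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != MASTER_FIELDS:
            raise ValueError(
                f"line {lineno}: expected {MASTER_FIELDS} fields, got {len(fields)}")
        entries.append(dict(zip(names, fields)))
    return entries


def to_passwd_byname(entry):
    """Classic 7-field passwd.byname line. The hash is replaced by 'x' so the
    world-readable map carries no secret (matching the thread's ypcat output)."""
    return ":".join([entry["name"], "x", entry["uid"], entry["gid"],
                     entry["gecos"], entry["home"], entry["shell"]])


def to_shadow_byname(entry, lastchange_days):
    """9-field shadow(5) line. lastchange_days is supplied by the caller
    (assumption: master.passwd has no such field). 'expire' is epoch seconds
    in master.passwd and epoch days in shadow; 0 means never. min/max/warn
    are assumed defaults 0/99999/7."""
    expire = int(entry["expire"])
    expire_days = str(expire // SECONDS_PER_DAY) if expire else ""
    return ":".join([entry["name"], entry["password"], str(lastchange_days),
                     "0", "99999", "7", "", expire_days, ""])


def build_maps(text, lastchange_days):
    """Return (passwd_byname_lines, shadow_byname_lines) for the given input."""
    entries = parse_master_passwd(text)
    return ([to_passwd_byname(e) for e in entries],
            [to_shadow_byname(e, lastchange_days) for e in entries])


def leaked_hashes(passwd_map_lines):
    """Audit check: account names whose password field in a passwd-format map
    holds a real hash. Anything listed is readable by every NIS client user,
    which is the UNSECURE outcome discussed in the thread."""
    leaked = []
    for line in passwd_map_lines:
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in NON_HASH_VALUES:
            leaked.append(fields[0])
    return leaked


if __name__ == "__main__":
    passwd_map, shadow_map = build_maps(SAMPLE_MASTER_PASSWD, 13577)
    print("\n".join(passwd_map))
    print("\n".join(shadow_map))
    print("leaked in passwd.byname:", leaked_hashes(passwd_map))
    # Simulate a map where the hash was copied into the public passwd map.
    unsecure = [l.replace(":x:", ":$1$EXAMPLEHASHNOTREAL:", 1) for l in passwd_map]
    print("leaked in unsecure map:", leaked_hashes(unsecure))
```

Run `leaked_hashes` over the output of `ypcat passwd.byname` from an unprivileged account on a client: an empty list is the expected state, and any name it returns means the hash for that account is exposed to every user on every client in the domain.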