From: Christopher Schulte <christopher@schulte.org>
To: freebsd-questions@FreeBSD.ORG
Date: Wed, 15 Aug 2001 21:07:54 -0500
Subject: NIS implementation question (system VS map passwords)
Message-Id: <5.1.0.14.0.20010815204310.027a3bb8@pop.schulte.org>

Thanks in advance to all who read enough of this to understand what I'm doing!

I have 2 machines that use NIS:

a) server
b) client

Server does things like email (pop and smtp), dns, web, nfs export of /usr/home, etc.
Client is a public box which users can shell into and read email, upload files, etc.

I want an NIS setup which fulfills these two primary requirements:

1) The server only exports user accounts (no admin accounts from server, a la root and such).
2) The client is able to update user passwords via yppasswd on client and rpc.yppasswdd on server.
   a) Both the NIS maps AND system account passwords must be changed.

One solution which does not fulfill both is:

1) run rpc.yppasswdd on server with '-t /etc/master.passwd' so password updates will enter into server's account database
2) tell server to use /etc/master.passwd to build NIS maps for export.

The main drawback is that all accounts (including server's root) are available to the client via ypcat if the system was compromised. Here, users can change both NIS and system account passwords. This is important, since services like pop3 on server need updated passwords, and shell/ftp need the same on the client.

The obvious solution is to cp /etc/master.passwd to /var/yp and edit out the admin accounts before building NIS maps. But then my users can only use yppasswd on client to update /var/yp/master.passwd (which grants access to shell) and not the NIS server's /etc/master.passwd (used to access pop3 on server).

So, to cut right to the chase: can I tell ypserv to serve only a subset of /etc/master.passwd, OR tell rpc.yppasswdd to propagate changes to /var/yp/master.passwd to /etc/master.passwd and run pwd_mkdb? Or is there another way which I'm not considering?

Thanks!

-- 
Christopher Schulte
Finger for PGP key, or for UNIX impaired: http://noc.schulte.org/cgi-bin/noc/finger.cgi
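The two text transforms the post is asking for, written out as an added example (this is not code from the original message or from FreeBSD; it is illustrative shell/awk). The first builds the NIS source file from /etc/master.passwd with root and the other administrative accounts removed, so ypcat on a compromised client only ever sees user accounts. The second copies password changes that rpc.yppasswdd wrote into /var/yp/master.passwd back into the system account file, but only for accounts that already exist there with the same uid and a uid at or above a threshold, so a tampered NIS source file cannot overwrite root's hash. MINUID, the PROTECTED list and the temporary file name are assumptions for illustration; the file paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD.
# MINUID and PROTECTED are assumptions: adjust to the site's uid layout.
MINUID=${MINUID:-1000}
PROTECTED="root toor daemon operator bin tty kmem games news man sshd bind uucp pop nobody"

# nis_export_subset IN OUT
# Writes to OUT only the master.passwd(5) entries of IN whose uid is >= MINUID
# and whose name is not in PROTECTED. Comments and malformed lines are dropped.
# Intended use: nis_export_subset /etc/master.passwd /var/yp/master.passwd
# before running make(1) in /var/yp, so the passwd maps never carry root.
nis_export_subset() {
    awk -F: -v minuid="$MINUID" -v protected="$PROTECTED" '
        BEGIN { n = split(protected, p, " "); for (i = 1; i <= n; i++) skip[p[i]] = 1 }
        /^#/ || NF < 10 { next }                      # comment or not a 10-field entry
        ($1 in skip) || ($3 + 0) < minuid { next }    # admin account or system uid
        { print }
    ' "$1" > "$2"
}

# nis_sync_passwords NIS_FILE SYS_FILE OUT
# Copies SYS_FILE to OUT, replacing the password field (2) and the password
# change time (6) of each account that also appears in NIS_FILE with the same
# name AND the same uid, and only when that uid is >= MINUID. Every other
# line of SYS_FILE (root, daemon, comments) is passed through untouched, so a
# rogue "root" entry in the NIS source cannot reach the system database.
nis_sync_passwords() {
    awk -F: -v OFS=: -v minuid="$MINUID" '
        NR == FNR {                                   # first file: the NIS source
            if (NF >= 10 && $1 !~ /^#/) { pw[$1] = $2; uid[$1] = $3; chg[$1] = $6 }
            next
        }
        ($1 in pw) && uid[$1] == $3 && ($3 + 0) >= minuid { $2 = pw[$1]; $6 = chg[$1] }
        { print }
    ' "$1" "$2" > "$3"
}

# Usage on the NIS server after yppasswd/rpc.yppasswdd has updated the NIS
# source file (commands shown as comments; not executed by this script):
#   nis_sync_passwords /var/yp/master.passwd /etc/master.passwd /etc/master.passwd.new
#   pwd_mkdb -p /etc/master.passwd.new   # rebuilds pwd.db/spwd.db/passwd, installs as /etc/master.passwd
```

Running the sync step from cron (or from whatever hook the rpc.yppasswdd version in use offers) gives the post's requirement 2a: the hash pop3 on the server checks and the hash the NIS client checks are the same one. The uid-equality and MINUID checks are the part worth keeping whatever else changes: they are what stop the NIS-writable file from becoming a path to /etc/master.passwd's privileged entries.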