Date:      Wed, 22 Nov 2006 22:49:01 +0800 (WST)
From:      David Adam <zanchey@ucc.gu.uwa.edu.au>
To:        Gerrit Kühn <gerrit@pmp.uni-hannover.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Message-ID:  <Pine.LNX.4.58.0611222244580.14631@mussel.ucc.gu.uwa.edu.au>
In-Reply-To: <20061122154006.1ff46918.gerrit@pmp.uni-hannover.de>
References:  <Pine.BSF.4.64.0611220857001.23875@earl-grey.cloud9.net> <20061122154006.1ff46918.gerrit@pmp.uni-hannover.de>

On Wed, 22 Nov 2006, Gerrit Kühn wrote:

> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark@cloud9.net>
> wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:
>
>
> MH> I'm a bit unsure about it myself.
> MH> I tried exactly what you suggested, putting files on the compat line
> MH> and before nis for both passwd and groups on the NIS slave server
> MH> only, and no go.  Perhaps it is the master server that actually
> MH> controls this? I don't know.  Any further advice would be greatly
> MH> appreciated.
>
> Sorry to disturb, but I don't understand why you distribute the server's
> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> client? If so, how about removing it from the list of exported accounts?

That's a really good point. When you consider the inherent insecurity of
NIS, having a root password in the maps is a pretty bad plan anyway.

Given my vague handwaving at PAM, and the fact that the OP probably has
NIS as sufficient above pam_unix, the obvious solution if my unverified
assertions are correct is to remove the root password from the NIS maps.

David Adam
zanchey@ucc.gu.uwa.edu.au
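
An added example, not part of the original message or thread: a shell function that checks passwd-format output, such as that of the `ypcat passwd` command mentioned in the quoted reply, for UID 0 entries, to confirm whether root is still exported in the NIS maps. The function name `audit_nis_passwd` and the sample map lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag UID 0 accounts in a passwd-format map.
# On a NIS client the input would come from:  ypcat passwd | audit_nis_passwd

# Reads name:passwd:uid:gid:... lines on stdin, prints one line per UID 0
# entry, and returns 1 if any were found (0 if the map is clean).
audit_nis_passwd() {
    awk -F: '
        /^#/ || NF < 4 { next }            # skip comments, blank and short lines
        $3 == 0 {
            if ($2 == "")                       state = "EMPTY password field"
            else if ($2 == "x" || $2 ~ /^[*!]/) state = "no hash in map"
            else                                state = "hash in map"
            printf "%s uid=0 (%s)\n", $1, state
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample map; the hash below is a placeholder, not a real one.
SAMPLE_MAP='root:$1$constructed$placeholderhash:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh'

printf '%s\n' "$SAMPLE_MAP" | audit_nis_passwd || echo "map exports UID 0 accounts"
```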


