Date: Thu, 23 Nov 2006 09:02:29 +0200 (EET) From: "Artyom Viklenko" <artem@aws-net.org.ua> To: zanchey@ucc.gu.uwa.edu.au Cc: =?utf-8?B?R2Vycml0IEvDvGhu?= <gerrit@pmp.uni-hannover.de>, freebsd-stable@freebsd.org Subject: Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf Message-ID: <54361.217.12.197.82.1164265349.squirrel@sigma.interami.com> In-Reply-To: <Pine.LNX.4.58.0611222244580.14631@mussel.ucc.gu.uwa.edu.au> References: <Pine.BSF.4.64.0611220857001.23875@earl-grey.cloud9.net> <20061122154006.1ff46918.gerrit@pmp.uni-hannover.de> <Pine.LNX.4.58.0611222244580.14631@mussel.ucc.gu.uwa.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
<quote who="David Adam">
> On Wed, 22 Nov 2006, Gerrit [ISO-8859-1] K�hn wrote:
>
>> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark@cloud9.net>
>> wrote about Re: FreeBSD 6.x, NIS, local root password, and
>> nsswitch.conf:
>>
>>
>> MH> I'm a bit unsure about it myself.
>> MH> I tried exactly what you suggested, putting files on the compat line
>> MH> and before nis for both passwd and groups on the NIS slave server
>> MH> only, and no go. Perhaps it is the master server that actually
>> MH> controls this? I don't know. Any further advice would be greatly
>> MH> appreciated.
>>
>> Sorry to disturb, but I don't understand why you distribute the server's
>> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
>> client? If so, how about removing it from the list of exported accounts?
>
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
>
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.
Sure. In my case, there is separate master.passwd and group files in
/var/yp directory. All regular user accounts (typically with uid=>1000)
resides here. Same for groups. In local /etc/master.passwd resides only
system accounts and some accounts for applications.
This works for 4.x, 5.x, 6.x without problems. I even have Linux
clients authorising against FreeBSD NIS servers.
(Some modifications to /var/yp/Makefile needed).
So, from interoperability and security points of view,
much better to separate system accounts and keep them localy.
--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54361.217.12.197.82.1164265349.squirrel>