From: "Artyom Viklenko" <artem@aws-net.org.ua>
To: zanchey@ucc.gu.uwa.edu.au
Cc: Gerrit Kühn, freebsd-stable@freebsd.org
Date: Thu, 23 Nov 2006 09:02:29 +0200 (EET)
Subject: Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf
Message-ID: <54361.217.12.197.82.1164265349.squirrel@sigma.interami.com>
References: <20061122154006.1ff46918.gerrit@pmp.uni-hannover.de>
List-Id: Production branch of FreeBSD source code <freebsd-stable@freebsd.org>

> On Wed, 22 Nov 2006, Gerrit Kühn wrote:
>
>> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy
>> wrote about Re: FreeBSD 6.x, NIS, local root password, and
>> nsswitch.conf:
>>
>> MH> I'm a bit unsure about it myself.
>> MH> I tried exactly what you suggested, putting files on the compat line
>> MH> and before nis for both passwd and groups on the NIS slave server
>> MH> only, and no go. Perhaps it is the master server that actually
>> MH> controls this? I don't know. Any further advice would be greatly
>> MH> appreciated.
>>
>> Sorry to disturb, but I don't understand why you distribute the server's
>> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
>> client? If so, how about removing it from the list of exported accounts?
>
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
>
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.

Sure. In my case, there are separate master.passwd and group files in the
/var/yp directory. All regular user accounts (typically with uid >= 1000)
reside here. Same for groups. In the local /etc/master.passwd reside only
system accounts and some accounts for applications.

This works for 4.x, 5.x, 6.x without problems. I even have Linux clients
authorising against FreeBSD NIS servers. (Some modifications to
/var/yp/Makefile needed.)

So, from interoperability and security points of view, it is much better to
separate system accounts and keep them locally.

--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
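The split Artyom describes (regular users in /var/yp/master.passwd for NIS, root and other system accounts only in the local /etc/master.passwd) can be scripted and, more importantly, audited before a map is pushed. The following is an added example, not code from the thread or from FreeBSD: it takes a constructed master.passwd, produces the two halves, and refuses a would-be NIS map that still contains uid 0 or any account below the uid threshold. The threshold of 1000 follows the message; treating uid 65534 (nobody) as local-only and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): split one
# master.passwd into the part that stays in the local /etc/master.passwd and
# the part that goes into /var/yp/master.passwd for NIS, then audit the NIS
# half so that root and other system accounts never reach the exported map.
#
# Assumptions: accounts with uid >= MIN_NIS_UID are regular users (the thread
# uses 1000); uid 65534 (nobody) is also kept local (this example's choice);
# input is the 10-field FreeBSD master.passwd layout
# name:password:uid:gid:class:change:expire:gecos:home:shell.

MIN_NIS_UID=${MIN_NIS_UID:-1000}
NOBODY_UID=65534

# Constructed sample input; the hashes are placeholders, not real hashes.
SAMPLE_MASTER_PASSWD='root:$1$xx$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
appsvc:*:500:500::0:0:Local application account:/var/app:/usr/sbin/nologin
alice:$1$xx$placeholderhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$xx$placeholderhash:1002:1002::0:0:Bob:/home/bob:/bin/tcsh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Entries to export via NIS: well-formed lines for regular users only.
# Reads master.passwd on stdin, writes the NIS half to stdout.
nis_entries() {
    awk -F: -v min="$MIN_NIS_UID" -v nobody="$NOBODY_UID" \
        'NF == 10 && $3 >= min && $3 != nobody'
}

# Entries that stay in the local /etc/master.passwd: everything else,
# including malformed lines, which are deliberately never exported.
local_entries() {
    awk -F: -v min="$MIN_NIS_UID" -v nobody="$NOBODY_UID" \
        'NF != 10 || $3 < min || $3 == nobody'
}

# Audit a would-be NIS map read from stdin. Prints each offending entry and
# returns 1 if any uid-0 account, any account below MIN_NIS_UID, or any
# duplicate user name is present; returns 0 when the map is clean.
audit_nis_map() {
    awk -F: -v min="$MIN_NIS_UID" '
        $3 == 0    { print "uid 0 account exported: " $1; bad = 1; next }
        $3 < min   { print "system account exported: " $1 " (uid " $3 ")"; bad = 1 }
        seen[$1]++ { print "duplicate user name: " $1; bad = 1 }
        END        { if (bad) exit 1; exit 0 }'
}

# Demo over the constructed sample: the unsplit file must be rejected,
# the NIS half must pass.
echo "== audit of the unsplit master.passwd =="
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_nis_map || echo "-> NOT safe to export"
echo "== audit of the NIS half =="
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | nis_entries | audit_nis_map && echo "-> clean"
```

In practice the NIS half would be written to /var/yp/master.passwd and the local half to /etc/master.passwd (followed by pwd_mkdb), and the audit run from the Makefile target that builds the maps, so that a root entry can never be pushed to the slaves by mistake.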