From: Manolis Kiagias
Date: Wed, 17 Oct 2007 18:17:37 +0300
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
Subject: Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS
Message-ID: <47162791.1000201@otenet.gr>
In-Reply-To: <44y7e1na2c.fsf@be-well.ilk.org>
References: <20071015054707.GA34948@parts-unknown.org> <47138DE7.80800@otenet.gr> <20071015190846.GB86225@parts-unknown.org> <4713BF9F.3050803@otenet.gr> <20071015204022.GA76464@parts-unknown.org> <200710160126.l9G1QgdW082501@banyan.cs.ait.ac.th> <47143E1A.1080000@otenet.gr> <44myuj2sw1.fsf@Lowell-Desk.lan> <4714A96F.4080309@otenet.gr> <44y7e1na2c.fsf@be-well.ilk.org>
User-Agent: Thunderbird 2.0.0.5 (X11/20070719)

Lowell Gilbert wrote:
> Manolis Kiagias writes:
>
>> I've read this the first time I tried and decided not to go with it.
>> The manual says:
>> "If you plan to use a FreeBSD system to serve non-FreeBSD
>> clients that have no support for password shadowing (which is
>> most of them), you will have to disable the password shadowing
>> entirely by uncommenting the UNSECURE=True entry in
>> /var/yp/Makefile."
>>
>> Linux certainly uses password shadowing, and I can see in my Debian
>> server maps passwd.byname and shadow.byname files.
>> If I perform ypcat passwd.byname from a client I get the standard passwd
>> file with no passwords (exactly like /etc/passwd).
>> The encrypted passwords are in the shadow.byname map.
>>
>> Now, if I understand correctly, the above solution would put the
>> passwords in the passwd.byname map, thus making the system less secure,
>> where in fact I should be able to make FreeBSD export a shadow.byname
>> map that would be compatible with Linux.
>> Am I missing something here / are my assumptions wrong?
>
> I think you are assuming that Linux uses password shadowing over NIS.
> This is not possible, and no system does it.
>
> The FreeBSD security method in question just forces requests for the
> password maps to come from privileged ports. This is a very minor
> security method, and other systems don't support it.
>
> Fundamentally, NIS assumes that you trust the machines you are
> serving. Or at least are willing to let them have the encrypted
> passwords. No OS can change this; it's not a Linux/FreeBSD issue.

I have experimented a bit further with my Debian NIS server, and this is what I found:

From a NIS client, I can do with my standard user account:

sonic@atlantis:~$ ypcat passwd.byname
user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash

and I get the standard, world-readable password file (the one without the passwords).

However, the standard user cannot run:

This is the answer:

sonic@atlantis:~$ ypcat shadow.byname
No such map shadow.byname. Reason: No such map in server's domain

As root, however:

root@atlantis:~# ypcat shadow.byname
user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:99999:7:::
...

This seems to be consistent with the FreeBSD NIS server behaviour described in the nis(8) manual page:

"To help prevent this, FreeBSD's NIS server handles the shadow password maps (master.passwd.byname and master.passwd.byuid) in a special way: the server will only provide access to these maps in response to requests that originate on privileged ports. Since only the super-user is allowed to bind to a privileged port, the server assumes that all such requests come from privileged users. All other requests are denied: requests from non-privileged ports will receive only an error code from the server."

So, it seems Linux handles this the same way. Difference is Linux has a shadow.byname map while FreeBSD has a master.passwd.byname map (possibly also internal differences in the files).

Now, if I understand correctly, if I were to add the UNSECURE feature in the FreeBSD server, I expect the shadow passwords would be inserted in the passwd.byname map, which is world readable and hence a security issue. (Perhaps I will do this experiment next and let you know of the outcome.)

This is hardly important for my home server scenario, but it would be, should I decide to implement a FreeBSD NIS server somewhere else. Hence, the best possible solution would be to get a Makefile for the FreeBSD NIS server that would produce completely Linux-compatible maps.
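The question the thread keeps returning to is whether password hashes have ended up in the world-readable passwd.byname map (which is exactly what UNSECURE=True in /var/yp/Makefile does on a FreeBSD server). The POSIX sh script below is an added example, not code from this thread or from FreeBSD or Debian: it reads lines in the format `ypcat passwd.byname` prints and reports any entry whose password field is not a shadow placeholder. The function name `audit_passwd_map`, the placeholder conventions it accepts (`x`, and anything starting with `*` or `!` for locked accounts) and the sample map lines are assumptions constructed for the example; the hash in the "leaked" sample is a made-up value, not a real digest.

```shell
#!/bin/sh
# Added example (not from the original thread). Audit a NIS passwd map for
# password hashes that should have stayed in the shadow / master.passwd map.
# A properly shadowed passwd.byname carries only a placeholder in field 2;
# with UNSECURE=True on a FreeBSD server the hashes are copied into it.
#
# Usage on a client:   ypcat passwd.byname | audit_passwd_map
# Exit status:         0 = every entry shadowed, 1 = at least one finding

audit_passwd_map() {
    findings=0
    while IFS= read -r line; do
        # Skip blank lines, comments and anything that is not colon-separated.
        case "$line" in
            ''|'#'*) continue ;;
            *:*)             ;;
            *)       continue ;;
        esac
        user=${line%%:*}            # field 1: login name
        rest=${line#*:}
        pw=${rest%%:*}              # field 2: password placeholder or hash
        case "$pw" in
            x|'*'*|'!'*)
                ;;                  # shadowed ("x") or locked ("*", "!...")
            '')
                printf 'empty password field for %s\n' "$user" >&2
                findings=1 ;;
            *)
                printf 'leaked hash for %s\n' "$user" >&2
                findings=1 ;;
        esac
    done
    return $findings
}

# Constructed sample map lines for a stand-alone run (not real data).
sample_shadowed='user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin'
sample_leaked='user1:$1$constructedsalt$constructedhashvalue:1010:1010:Joe User,,,:/home/user1:/bin/bash'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$sample_shadowed" | audit_passwd_map && echo "shadowed map: OK"
    printf '%s\n' "$sample_leaked" | audit_passwd_map || echo "leaked map: hashes exposed"
fi
```

Run it with `--demo` to see both outcomes on the built-in samples, or pipe the real `ypcat passwd.byname` output into `audit_passwd_map` from an unprivileged account: a clean result from a non-root client is the property the nis(8) privileged-port check is meant to preserve, and a "leaked hash" line means the map is serving what only the master.passwd / shadow map should hold.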