From: Scott Mitchell
To: Neeraj Arora
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 11 Mar 2003 13:45:13 +0000
Subject: Re: freebsd nis server with debian clients

On Tue, Mar 11, 2003 at 01:24:15PM +1100, Neeraj Arora wrote:
> This means, the libraries on Linux do not understand shadow passwords on
> NIS. Thus, if I want to use shadow passwords with a Linux Machine, I have
> to expose them to clients. There is a possibility that I could delete or
> hide the binary ypcat from allowing users to see it, but that does not
> disallow any of the users to compile their own version and retrieve
> sensitive information. Could this be classified as a security hole???

This is wrong -- Linux NIS is quite happy using shadow passwords, it just
implements them differently to FreeBSD. The problem is that the FreeBSD
NIS Makefile does not, by default, generate the shadow.byname map that
Linux clients are expecting to see.

To generate this map, you need to patch /var/yp/Makefile as I described in
my earlier reply to your question. The post from Mike Galvez points to a
very similar patch. I should point out that I did this to support RedHat
boxes here; it should work on Debian as well, but YMMV.

Cheers,

	Scott

-- 
===========================================================================
Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at fishballoon.org | 0xAA775B8B |      -- Anon