Date: Fri, 11 Aug 2000 16:14:27 -0400
From: Branson Matheson <Branson.Matheson@FergInc.com>
To: freebsd-isp@FreeBSD.ORG
Subject: Re: root password in NIS maps
Message-ID: <20000811161426.K2314@toth.ferginc.com>
In-Reply-To: <Pine.BSF.4.21.0008111158230.29027-100000@shell01.pns.net>; from freebsd@jnternet.net on Fri, Aug 11, 2000 at 12:03:52PM -0500
References: <Pine.BSF.4.21.0008111943090.10597-100000@finland.ispro.net.tr> <Pine.BSF.4.21.0008111158230.29027-100000@shell01.pns.net>
Ugh.. a better solution is to use a program like sudo and runas.. using
root routinely for anything is a bad idea - there is little to no tracking
on what was done - the only log you have is that it was logged into - the
more people that know the password the more people that can be held liable
if there is a breach of security

Having it under NIS is bad for the below reasons .. but also because NIS
is inherently insecure!!! it is not that hard to spoof an NIS client. So
anyone could get root. And... Unless you have been really careful.. it
would be fairly easy to bind to your server and pull your password file
( including root ) and given the speed of computers these days.. and a
good dictionary and rules file .. your root password could be brute
forced at some point.

Better to not make it available at all.. use runas/sudo to allocate
specific commands to those that need them.. implement central syslogging
so that you have a record, and go from there.

As a rule .. you never want privileged logins under a distributed login
system. *possibly* LDAP .. if you have been anal retentive in setting it
up. But definitely not NIS.

As much of a PITA as it is to maintain the apache account separately on
all hosts .. it is a better solution. ssh can be your friend for this.
rdist as well.. there are any number of fairly well documented push and
pull schemes out on the net using those two programs to mass update
accounts in a secure manner.

- branson

On Fri, Aug 11, 2000 at 12:03:52PM -0500, Nate Johnston did mutter:
> On Fri, 11 Aug 2000, Evren Yurtesen wrote:
>
> > I would like to have root password in NIS maps but there is only one
> > problem. When I login to a client machine everything works fine. I can
> > even use 'su' but when I use a command like 'ls -la' I see 0 for the UID
> > field of the output.
> >
> > Does anybody have root password in their NIS maps and it works fine? if
> > yes then how???
>
> Having the password for user 'root' in your NIS maps is really a bad
> idea. What happens if the machine fails, and for some reason it can't
> connect to the NIS server? What happens when you want to use the server
> in single-user mode?
>
> probably the best thing to do is this: leave 'root' as a local UID 0 user
> as usual. On your NIS server, create a new user that also has UID 0, but
> with a centrally controlled password. Then, the local root will assert
> itself in all the usual ways (UID mapping, single-user-mode passwords),
> but you will be able to control root logins.
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

- branson
-------------------------------------------------------------------------------
Branson Matheson                 " If you are falling off of a mountain,
Unix Systems Manager               You may as well try to fly."
Ferguson Enterprises, Inc.           - Delenn, Minbari Ambassador
( $statements = <BRANSON> ) !~ /Corporate Opinion/;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
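An added example, not part of the thread and not FreeBSD's own tooling, of the audit the advice above implies: a POSIX shell script that reads a passwd-format map (the layout of /etc/passwd or of `ypcat passwd` output), lists every UID 0 entry the map would hand to each bound client, and reports whether the served root entry carries a usable password hash. The function names, temporary file names and the sample map are constructed for the example; the hashes are placeholders, not real crypt output.

```shell
#!/bin/sh
# Audit a passwd-format map for privileged logins.  Added example, not from
# the thread; the sample map below is constructed.  Each input line is
#   name:hash:uid:gid:gecos:home:shell

# All login names whose UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID 0 entries other than "root": every one of these is a root-equivalent
# login that a distributed map serves to every client bound to the server.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Exit 0 if the root entry carries a usable password hash (field 2 is not
# empty and not a lock marker such as "*" or "!"), i.e. the map makes root
# loginable anywhere it is served; exit 1 otherwise.
root_has_password() {
    awk -F: '$1 == "root" && $2 != "" && $2 != "*" && $2 != "!" { found = 1 }
             END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample map (placeholder hashes, fictitious accounts).
SAMPLE_MAP="${TMPDIR:-/tmp}/nis_audit_sample.$$"
cat > "$SAMPLE_MAP" <<'EOF'
root:$1$example$PLACEHOLDERHASHxxxxxxxxxx:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
opsadmin:$1$example$PLACEHOLDERHASHyyyyyyyyyy:0:0:Central admin:/root:/bin/sh
apache:*:80:80:Web server:/nonexistent:/sbin/nologin
alice:$1$example$PLACEHOLDERHASHzzzzzzzzzz:1001:1001:Alice:/home/alice:/bin/sh
EOF

# The same map with root's hash replaced by a lock marker: what a served map
# looks like when root stays a purely local account.
LOCKED_MAP="${TMPDIR:-/tmp}/nis_audit_locked.$$"
sed 's/^root:[^:]*:/root:*:/' "$SAMPLE_MAP" > "$LOCKED_MAP"
trap 'rm -f "$SAMPLE_MAP" "$LOCKED_MAP"' EXIT

echo "UID 0 entries served by the map:"
uid0_accounts "$SAMPLE_MAP"
echo "Root-equivalent entries besides root:"
extra_uid0_accounts "$SAMPLE_MAP"
if root_has_password "$SAMPLE_MAP"; then
    echo "WARNING: root has a usable password hash in the sample map"
fi
if root_has_password "$LOCKED_MAP"; then
    echo "WARNING: root has a usable password hash in the locked map"
else
    echo "OK: root is locked in the second map"
fi
```

Run it against `ypcat passwd` output on a client to see exactly which UID 0 logins the NIS domain distributes; the locked-map check is the state to aim for if root is kept local and only a separate, centrally managed UID 0 account (or, better, sudo rules) is served.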
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000811161426.K2314>