Date: Fri, 11 Aug 2000 16:14:27 -0400
From: Branson Matheson
To: freebsd-isp@FreeBSD.ORG
Subject: Re: root password in NIS maps
Message-ID: <20000811161426.K2314@toth.ferginc.com>
Reply-To: Branson.Matheson@FergInc.com
Organization: Ferguson Enterprises, Inc.
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD 3.1-19990306-STABLE

Ugh.. a better solution is to use a program like sudo and runas.. using root
routinely for anything is a bad idea
 - there is little to no tracking on what was done
 - the only log you have is that it was logged into
 - the more people that know the password the more people that can be held
   liable if there is a breach of security

Having under NIS is bad for the below reasons .. but also because NIS is
inherently insecure!!! it is not that hard to spoof an NIS client. So anyone
could get root. And... Unless you have been really careful.. it would be
fairly easy to bind to your server and pull your password file ( including
root ) and given the speed of computers these days.. and a good dictionary
and rules file .. your root password could be brute forced at some point.

Better to not make it available at all.. use runas/sudo to allocate specific
commands to those that need them.. implement central syslogging so that you
have a record, and go from there.

As a rule .. you never want privileged logins under a distributed login
system. *possibly* LDAP .. if you have been anal retentive in setting it up.
But definitely not NIS. As much as a PITA as it is to maintain the apache
account separately on all hosts .. it is a better solution. ssh can be your
friend for this. rdist as well.. there are any number of fairly well
documented push and pull schemes out on the net using those two softwares to
mass update accounts in a secure manner.

- branson

On Fri, Aug 11, 2000 at 12:03:52PM -0500, Nate Johnston did mutter:
> On Fri, 11 Aug 2000, Evren Yurtesen wrote:
>
> > I would like to have root password in NIS maps but there is only one
> > problem. When I login to a client machine everything works fine. I can
> > even use 'su' but when I use a command like 'ls -la' I see 0 for the UID
> > field of the output.
> >
> > Does anybody have root password in their NIS maps and it works fine? if
> > yes then how???
>
> Having the password for user 'root' in your NIS maps is really a bad
> idea. What happens if the machine fails, and for some reason it can't
> connect to the NIS server? What happens when you want to use the server
> in single-user mode?
>
> probably the best thing to do is this: leave 'root' as a local UID 0 user
> as usual. On your NIS server, create a new user that also has UID 0, but
> with a centrally controlled password. Then, the local root will assert
> itself in all the usual ways (UID mapping, single-user-mode passwords),
> but you will be able to control root logins.

- branson
-------------------------------------------------------------------------------
Branson Matheson              " If you are falling off of a mountain,
Unix Systems Manager            You may as well try to fly."
Ferguson Enterprises, Inc.          - Delenn, Minbari Ambassador
( $statements = ) !~ /Corporate Opinion/;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
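As an added example, not code from this thread or from FreeBSD: a small POSIX sh/awk audit that compares a local passwd file with a NIS passwd map (the form `ypcat passwd` produces) and reports the three things the thread warns about: UID-0 accounts served from NIS, names that exist in both the local file and the map (a 'root' entry in the map collides with the local root), and entries with an empty password field. Both inputs are constructed samples, and "rootc" is a hypothetical name for the centrally managed UID-0 account Nate describes.

```shell
#!/bin/sh
# Constructed audit helper (added example; not from the thread or FreeBSD).
# Compares a local passwd file with a NIS passwd map and prints findings.

LOCAL_PASSWD='root:$1$localhash:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
apache:*:80:80:Web server:/nonexistent:/sbin/nologin'

# "rootc" is a hypothetical name for the centrally managed UID-0 account;
# "guest" carries an empty password field. Constructed sample data.
NIS_MAP='root:$1$nishash:0:0:Charlie &:/root:/bin/csh
rootc:$1$centralhash:0:0:Central root login:/root:/bin/sh
branson:$1$hash1:1001:1001:Branson Matheson:/home/branson:/bin/sh
guest::2001:2001:Guest account:/home/guest:/bin/sh'

# audit_maps LOCAL_TEXT NIS_TEXT  ->  one line per finding on stdout
audit_maps() {
    lpath="${TMPDIR:-/tmp}/passwd.local.$$"
    printf '%s\n' "$1" > "$lpath"
    printf '%s\n' "$2" | awk -F: -v lpath="$lpath" '
        # Load the local account names so collisions can be detected.
        BEGIN { while ((getline line < lpath) > 0) { split(line, f, ":"); seen[f[1]] = 1 } }
        NF < 7 { next }                         # skip malformed lines
        $3 == 0 { print "UID0 in NIS map: " $1 }
        ($1 in seen) { print "name in both local passwd and NIS map: " $1 }
        $2 == "" { print "empty password field: " $1 }'
    rm -f "$lpath"
}

# count_findings LOCAL_TEXT NIS_TEXT  ->  number of findings (0 = clean)
count_findings() {
    audit_maps "$1" "$2" | awk 'END { print NR }'
}
```

Run `audit_maps "$(cat /etc/passwd)" "$(ypcat passwd)"` on a real client to apply the same checks to live data.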