Date: Wed, 17 Oct 2007 09:29:47 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: Manolis Kiagias <sonicy@otenet.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS
Message-ID: <44y7e1na2c.fsf@be-well.ilk.org>
In-Reply-To: <4714A96F.4080309@otenet.gr> (Manolis Kiagias's message of "Tue, 16 Oct 2007 15:07:11 +0300")
References: <20071015054707.GA34948@parts-unknown.org> <47138DE7.80800@otenet.gr> <20071015190846.GB86225@parts-unknown.org> <4713BF9F.3050803@otenet.gr> <20071015204022.GA76464@parts-unknown.org> <200710160126.l9G1QgdW082501@banyan.cs.ait.ac.th> <47143E1A.1080000@otenet.gr> <44myuj2sw1.fsf@Lowell-Desk.lan> <4714A96F.4080309@otenet.gr>

Manolis Kiagias <sonicy@otenet.gr> writes:

> I've read this the first time I tried and decided not to go with it.
> The manual says:
> "If you plan to use a FreeBSD system to serve non-FreeBSD
> clients that have no support for password shadowing (which is
> most of them), you will have to disable the password shadowing
> entirely by uncommenting the UNSECURE=True entry in
> /var/yp/Makefile."
>
> Linux certainly uses password shadowing, and I can see in my debian
> server maps passwd.byname and shadow.byname files
> If I perform ypcat passwd.byname from a client I get the standard passwd
> file with no passwords (exactly like /etc/passwd)
> The encrypted passwords are in the shadow.byname map.
>
> Now, if I understand correctly, the above solution would put the
> passwords in the passwd.byname map, thus making the system less secure,
> where in fact I should be able to make FreeBSD export a shadow.byname
> map that would be compatible with Linux.
> Am I missing something here / are my assumptions wrong?

I think you are assuming that Linux uses password shadowing over NIS.
This is not possible, and no system does it.

The FreeBSD security method in question just forces requests for the
password maps to come from privileged ports. This is a very minor
security method, and other systems don't support it.

Fundamentally, NIS assumes that you trust the machines you are serving.
Or at least are willing to let them have the encrypted passwords. No OS
can change this; it's not a Linux/FreeBSD issue.
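
A way to check which accounts a given NIS map hands out hashes for, as an added example that is not part of the original message: the function reads passwd- or shadow-format lines (for instance the output of the `ypcat passwd.byname` command mentioned above) and lists the entries whose second field looks like a crypt(3) hash. The function names and sample entries are constructed for illustration, and the hash-shape heuristics (modular `$id$` format, 13-character DES crypt) are assumptions.

```shell
#!/bin/sh
# Added example: audit a NIS map dump for exposed password hashes.
# Both passwd.byname and shadow.byname entries carry the password in field 2,
# so the same check applies to either map.

nis_exposed_accounts() {
    awk -F: '
        NF < 2 { next }    # not a map entry
        {
            pw = $2
            # Modular crypt format: $id$salt$hash (MD5, Blowfish, SHA-2, ...)
            if (pw ~ "^[$][0-9A-Za-z]+[$]") { print $1; next }
            # Traditional DES crypt: exactly 13 chars from the crypt alphabet
            if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") { print $1; next }
            # Anything else (*, x, !, empty) is treated as a placeholder or lock
        }
    '
}

# Constructed sample: a map that hides the hashes behind placeholders.
sample_masked() {
    cat <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
EOF
}

# Constructed sample: a map that carries hashes in the password field.
sample_exposed() {
    cat <<'EOF'
alice:$1$abcdefgh$0123456789abcdefghijkl:1001:1001:Alice:/home/alice:/bin/sh
bob:ab01234567890:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
EOF
}

# Demonstration on the constructed data; on a real client, pipe ypcat output
# into nis_exposed_accounts instead.
sample_exposed | nis_exposed_accounts
```

Run from an unprivileged account on a client, an empty result for every password-bearing map means that account cannot read the hashes; any names listed are accounts whose hashes that client can retrieve.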