Date: Wed, 17 Oct 2007 18:17:37 +0300 From: Manolis Kiagias <sonicy@otenet.gr> To: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> Cc: freebsd-questions@freebsd.org Subject: Re: NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS Message-ID: <47162791.1000201@otenet.gr> In-Reply-To: <44y7e1na2c.fsf@be-well.ilk.org> References: <20071015054707.GA34948@parts-unknown.org> <47138DE7.80800@otenet.gr> <20071015190846.GB86225@parts-unknown.org> <4713BF9F.3050803@otenet.gr> <20071015204022.GA76464@parts-unknown.org> <200710160126.l9G1QgdW082501@banyan.cs.ait.ac.th> <47143E1A.1080000@otenet.gr> <44myuj2sw1.fsf@Lowell-Desk.lan> <4714A96F.4080309@otenet.gr> <44y7e1na2c.fsf@be-well.ilk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Lowell Gilbert wrote:
> Manolis Kiagias <sonicy@otenet.gr> writes:
>
>
>> I've read this the first time I tried and decided not to go with it.
>> The manual says:
>> "If you plan to use a FreeBSD system to serve non-FreeBSD
>> clients that have no support for password shadowing (which is
>> most of them), you will have to disable the password shadowing
>> entirely by uncommenting the UNSECURE=True entry in
>> /var/yp/Makefile."
>>
>> Linux certainly uses password shadowing, and I can see in my debian
>> server maps passwd.byname and shadow.byname files
>> If I perform ypcat passwd.byname from a client I get the standard passwd
>> file with no passwords (exactly like /etc/passwd)
>> The encrypted passwords are in the shadow.byname map.
>>
>> Now, if I understand correctly, the above solution would put the
>> passwords in the passwd.byname map, thus making the system less secure,
>> where in fact I should be able to make FreeBSD export a shadow.byname
>> map that would be compatible with Linux.
>> Am I missing something here / are my assumptions wrong?
>>
>
> I think you are assuming that Linux uses password shadowing over NIS.
> This is not possible, and no system does it.
>
> The FreeBSD security method in question just forces requests for the
> password maps to come from privileged ports. This is a very minor
> security method, and other systems don't support it.
>
> Fundamentally, NIS assumes that you trust the machines you are
> serving. Or at least are willing to let them have the encrypted
> passwords. No OS can change this; it's not a Linux/FreeBSD issue.
>
>
>
I have experimented a bit further with my debian NIS server, and this is
what I found:
>From a NIS client, I can do with my standard user account:
sonic@atlantis:~$ ypcat passwd.byname
user1:x:1010:1010:Joe User,,,:/home/user1:/bin/bash
and I get the standard, world-readable password file (the one without
the passwords)
However, the standard user cannot run:
This is the answer:
sonic@atlantis:~$ ypcat shadow.byname
No such map shadow.byname. Reason: No such map in server's domain
As root, however:
root@atlantis:~# ypcat shadow.byname
user1:$1$1233245435435345543545345sfsdfsfdf:13577:0:99999:7:::
...
This seems to be consistent with the FreeBSD NIS Server behaviour
described in nis(8) manual page:
" To help prevent this, FreeBSD's NIS server handles the shadow password
maps (master.passwd.byname and master.passwd.byuid) in a special
way: the
server will only provide access to these maps in response to requests
that originate on privileged ports. Since only the super-user is
allowed
to bind to a privileged port, the server assumes that all such requests
come from privileged users. All other requests are denied:
requests from
non-privileged ports will receive only an error code from the server."
So, it seems linux handles this the same way. Difference is linux has a
shadow.byname map while FreeBSD has a master.passwd.byname map
(possibly also internal differences in the files)
Now, if I understand correctly, If I where to add the UNSECURE feature
in the FreeBSD server, I expect the shadow passwords would be inserted
in the passwd.byname map which is world readable and hence a security
issue. (Perhaps I will do this experiment next and let you know of the
outcome)
This is hardly important for my home server scenario, but it would be,
should I decide to implement a FreeBSD NIS server somewhere else.
Hence, the best possible solution would be to get a Makefile for the
FreeBSD NIS server that would produce completely Linux compatible maps.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47162791.1000201>