NIS interoperability with Linux, was Re: Following directions doesn't seem to work: Adding users in NIS

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Wed Oct 17 06:29:48 PDT 2007


Manolis Kiagias <sonicy at otenet.gr> writes:

> I've read this the first time I tried and decided not to go with it.
> The manual says:
> "If you plan to use a FreeBSD system to serve non-FreeBSD
> clients that have no support for password shadowing (which is
> most of them), you will have to disable the password shadowing
> entirely by uncommenting the UNSECURE=True entry in
>  /var/yp/Makefile."
>
> Linux certainly uses password shadowing, and I can see in my Debian
> server maps passwd.byname and shadow.byname files.
> If I perform ypcat passwd.byname from a client I get the standard passwd
> file with no passwords (exactly like /etc/passwd).
> The encrypted passwords are in the shadow.byname map.
>
> Now, if I understand correctly, the above solution would put the
> passwords in the passwd.byname map, thus making the system less secure,
> where in fact I should be able to make FreeBSD export a shadow.byname
> map that would be compatible with Linux.
> Am I missing something here / are my assumptions wrong?

I think you are assuming that Linux uses password shadowing over NIS.
This is not possible, and no system does it.

The FreeBSD security method in question just forces requests for the
password maps to come from privileged ports.  This is a very minor
security method, and other systems don't support it.

Fundamentally, NIS assumes that you trust the machines you are
serving.  Or at least are willing to let them have the encrypted
passwords.  No OS can change this; it's not a Linux/FreeBSD issue.  
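
One way to check what a given map actually hands to a client is to save its `ypcat` output and look at the password field of every entry. The script below is an added example, not part of the original message or of FreeBSD's NIS tooling; the function names and the sample map lines are constructed for illustration, and it assumes `ypcat` was run without `-k`.

```python
"""Audit saved NIS map dumps (output of `ypcat <map>`) for exposed hashes."""
import re

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD_BYNAME = """\
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:1003:1003:Carol:/home/carol:/bin/sh
"""
SAMPLE_SHADOW_BYNAME = """\
alice:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:13800:0:99999:7:::
bob:!:13800:0:99999:7:::
"""

MODULAR = re.compile(r"^\$[0-9A-Za-z-]+\$.+")   # $id$salt$hash style
DES = re.compile(r"^[./0-9A-Za-z]{13}$")        # traditional 13-char crypt


def classify(field):
    """Return 'empty', 'hash' or 'placeholder' for a password field."""
    if field == "":
        return "empty"
    # A locked account still carries its hash behind the lock marker.
    if field.startswith("*LOCKED*"):
        field = field[len("*LOCKED*"):]
    field = field.lstrip("!")
    if MODULAR.match(field) or DES.match(field):
        return "hash"
    return "placeholder"          # x, *, ! and similar markers


def exposed_accounts(map_text):
    """Return account names whose second field carries a crypt hash."""
    exposed = []
    for line in map_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        if classify(fields[1]) == "hash":
            exposed.append(fields[0])
    return exposed


if __name__ == "__main__":
    for name, dump in (("passwd.byname", SAMPLE_PASSWD_BYNAME),
                       ("shadow.byname", SAMPLE_SHADOW_BYNAME)):
        print(name, "exposes hashes for:", exposed_accounts(dump))
```
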

