FreeBSD 6.x, NIS, local root password, and nsswitch.conf
David Adam
zanchey at ucc.gu.uwa.edu.au
Wed Nov 22 06:50:01 PST 2006
On Wed, 22 Nov 2006, Gerrit [ISO-8859-1] K=FChn wrote:
> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark at cloud9.net>
> wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:
>
>
> MH> I'm a bit unsure about it myself.
> MH> I tried exactly what you suggested, putting files on the compat line
> MH> and before nis for both passwd and groups on the NIS slave server
> MH> only, and no go. Perhaps it is the master server that actually
> MH> controls this? I don't know. Any further advice would be greatly
> MH> appreciated.
>
> Sorry to disturb, but I don't understand why you distribute the server's
> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> client? If so, how about removing it from the list of exported accounts?
That's a really good point. When you consider the inherent insecurity of
NIS, having a root password in the maps is a pretty bad plan anyway.
Given my vague handwaving at PAM, and the fact that the OP probably has
NIS as sufficient above pam_unix, the obvious solution if my unverified
assertions are correct is to remove the root password from the NIS maps.
David Adam
zanchey at ucc.gu.uwa.edu.au
More information about the freebsd-stable
mailing list