FreeBSD 6.x, NIS, local root password, and nsswitch.conf

David Adam zanchey at
Wed Nov 22 06:50:01 PST 2006

On Wed, 22 Nov 2006, Gerrit [ISO-8859-1] K=FChn wrote:

> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark at>
> wrote about Re: FreeBSD 6.x, NIS, local root password, and nsswitch.conf:
> MH> I'm a bit unsure about it myself.
> MH> I tried exactly what you suggested, putting files on the compat line
> MH> and before nis for both passwd and groups on the NIS slave server
> MH> only, and no go.  Perhaps it is the master server that actually
> MH> controls this? I don't know.  Any further advice would be greatly
> MH> appreciated.
> Sorry to disturb, but I don't understand why you distribute the server's
> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
> client? If so, how about removing it from the list of exported accounts?

That's a really good point. When you consider the inherent insecurity of
NIS, having a root password in the maps is a pretty bad plan anyway.

Given my vague handwaving at PAM, and the fact that the OP probably has
NIS as sufficient above pam_unix, the obvious solution if my unverified
assertions are correct is to remove the root password from the NIS maps.

David Adam
zanchey at

More information about the freebsd-stable mailing list