FreeBSD 6.x, NIS, local root password, and nsswitch.conf
artem at aws-net.org.ua
Wed Nov 22 23:02:38 PST 2006
<quote who="David Adam">
> On Wed, 22 Nov 2006, Gerrit [ISO-8859-1] K�hn wrote:
>> On Wed, 22 Nov 2006 09:07:34 -0500 (EST) Mark Hennessy <mark at cloud9.net>
>> wrote about Re: FreeBSD 6.x, NIS, local root password, and
>> MH> I'm a bit unsure about it myself.
>> MH> I tried exactly what you suggested, putting files on the compat line
>> MH> and before nis for both passwd and groups on the NIS slave server
>> MH> only, and no go. Perhaps it is the master server that actually
>> MH> controls this? I don't know. Any further advice would be greatly
>> MH> appreciated.
>> Sorry to disturb, but I don't understand why you distribute the server's
>> root pw via NIS at all. Is it really shown by "ypcat passwd" on the
>> client? If so, how about removing it from the list of exported accounts?
> That's a really good point. When you consider the inherent insecurity of
> NIS, having a root password in the maps is a pretty bad plan anyway.
> Given my vague handwaving at PAM, and the fact that the OP probably has
> NIS as sufficient above pam_unix, the obvious solution if my unverified
> assertions are correct is to remove the root password from the NIS maps.
Sure. In my case, there is separate master.passwd and group files in
/var/yp directory. All regular user accounts (typically with uid=>1000)
resides here. Same for groups. In local /etc/master.passwd resides only
system accounts and some accounts for applications.
This works for 4.x, 5.x, 6.x without problems. I even have Linux
clients authorising against FreeBSD NIS servers.
(Some modifications to /var/yp/Makefile needed).
So, from interoperability and security points of view,
much better to separate system accounts and keep them localy.
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
More information about the freebsd-stable