Behan Webster wrote:
>
> Jens B. Jorgensen wrote:
> >
> > as the last line of /etc/passwd. Now, the Sun also has shadow passwords,
> > and its NIS (NIS+ actually) is set up to handle this. To get it to
> > work I had to build the maps *with* passwd info included, like thus
> > on the sun:
> >
> > /usr/lib/nis/nisaddent -p -f /etc/passwd.net passwd
>
> Hmm. That's an idea. I could run shadow and then build a non-shadow
> passwd file from which to update nis. That might work. How does
> one combine the passwords from /etc/shadow with the entries in
> /etc/passwd into a third file I wonder. This may be a job for a
> quick sh or perl script. I'll hack one together if no one has a
> better idea.

I just deleted the awk script I used to do just this. I used it as a
one-time thing to get everyone set up under NIS. Now we're only faced
with add/moding users so I got source for passwd and modified it so
that you can pass it a filename other than /etc/passwd and we've
cobbled together a script to set up new users.

> > with the '-p' telling it to go ahead and include the password
> > field. I tried to use shadow in the maps, but no luck. NOTE: this
> > matters little anyway since NIS (as opposed to NIS+) will give up
> > *any* map to *anyone* who asks for it. Thus NIS exposes you to
> > the same problems as non-shadow passwords. Ooops, I didn't mention
> > it before but I *am* using shadow passwords on the debian box too.
>
> Not entirely true. If you set up /etc/ypserv.conf properly, normal
> users will get "shadowed" passwords from the ypcommands, but root
> will get the real entry. (There are comments in /etc/ypserv.conf
> on how to do it). Not quite completely secure, but better than
> nothing.
>
> e.g.
>
> root# ypmatch user passwd
> user:k9xUnxmXGdzGM:1000:100:Joe user:/home/user:/bin/sh
> root# su - user
> user% ypmatch user passwd
> user:x:1000:100:Joe user:/home/user:/bin/sh
>

This must rely on ident or something like it. Since it doesn't use
strong auth/crypt you still rely on the assumption that no one can
hook a machine up to your ethernet. I imagine that this assumption
holds for few sites, which is why I consider this sort of security to
be the same as no security at all. Anyone who knows enough to DL and
run a dictionary password cracker against a snarfed non-shadow passwd
file is smart enough to set up a linux YP client on your e-net and
snarf your YP data, and the difference in the effort required is not
significant. Of course they'd have to have physical access first. All
the same, I wonder if the Sun ypserv (or rather its equivalent
thereto) supports this same functionality? Hmmmm.

--
Jens B. Jorgensen [EMAIL PROTECTED]
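
Added example, not part of the original message and not the awk script Jens mentions: one way to merge the hashes from /etc/shadow back into passwd-format lines before loading them with `nisaddent -p`. The function names, the MIN_UID filter, the dropping of "+"/"-" compat lines and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# merge_shadow PASSWD SHADOW [MIN_UID]
# Print passwd(5) lines with the "x" placeholder in field 2 replaced by the
# hash from shadow(5). MIN_UID (an added assumption) keeps system accounts
# such as root out of the exported file.
merge_shadow() {
    awk -F: -v OFS=: -v min="${3:-0}" '
        # Shadow file: remember each hash by login name.
        FILENAME == ARGV[1] { if ($1 != "") hash[$1] = $2; next }
        # Drop "+"/"-" compat lines, malformed lines and low UIDs.
        /^[+-]/ || NF != 7 || $3 + 0 < min + 0 { next }
        # Replace only the placeholder; "!" and "*" locks copy through as-is.
        $2 == "x" && ($1 in hash) { $2 = hash[$1] }
        { print }
    ' "$2" "$1"
}

# build_nis_passwd PASSWD SHADOW OUT [MIN_UID]
# Write the merged file readable by its owner only, since it holds hashes.
build_nis_passwd() {
    ( umask 077 && merge_shadow "$1" "$2" "${4:-0}" > "$3" )
}

# Constructed sample data (not real accounts or real hashes).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user:x:1000:100:Joe user:/home/user:/bin/sh
guest:x:1001:100:Guest:/home/guest:/bin/sh
+::::::
EOF
    cat > "$d/shadow" <<'EOF'
root:CONSTRUCTEDroot0:10000:0:99999:7:::
user:CONSTRUCTEDuser1:10000:0:99999:7:::
guest:!:10000:0:99999:7:::
EOF
    build_nis_passwd "$d/passwd" "$d/shadow" "$d/passwd.net" 1000
    cat "$d/passwd.net"
    rm -rf "$d"
}
```

As the thread notes, any client that can query the NIS server can read these hashes, so the MIN_UID cut-off only limits which accounts are exposed that way.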