>>>>> "Joseph" == Joseph Heenan <[EMAIL PROTECTED]> writes:

    >> I've installed NIS, but I can't prevent the shadow file from
    >> being public now:( Anybody on my machine can do "ypcat
    >> shadow.byname" and start cracking those passwords. I thought
    >> the whole point of shadow was to let nobody but root see
    >> it. It's not a problem yet, I trust my wife and kids, but I
    >> would be happier if it were hidden.
    >> 
    >> Or maybe I should consider switching to something else like
    >> Kerberos or PAM?
    >> 
    >> I'm still running mainly Ham (eagerly waiting for potato to
    >> become stable:) but have upgraded things, e.g libc

    Joseph> I'm running the latest potato, and it behaves correctly
    Joseph> for me.  ypcat shadow.byname shows the file when run as
    Joseph> root, but not when run as a normal user. For lack of a
    Joseph> better suggestion, perhaps try upgrading to the potato nis
    Joseph> package?

I think it is configured in /etc/ypserv.conf (at least on slink).

I have:

*                            : shadow.byname    : port
*                            : passwd.adjunct.byname : port
*                            : *                : none

Note: this only offers extra security when you trust the security of
the network and every computer that is connected to the network that
has NIS access.

As the maintainer of Heimdal ;-), I think that Kerberos is the best
way to authenticate users, but even then you will have problems with
the authorization data (e.g. user IDs). I think LDAP is a secure way of
distributing authorization information (instead of NIS), but haven't
yet tried it (but plan to ASAP). At the moment, I have modified
openldap so that it will link against heimdal, but need to fix a minor
packaging bug (the ud binary wasn't created, whatever that does).
-- 
Brian May <[EMAIL PROTECTED]>
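
Added example, not part of the original message or of the NIS package: a small audit of rules in the "host : map : security" layout quoted above, reporting which password maps are still served to unprivileged clients. It assumes the first matching rule wins and that an unmatched map is served with "none"; the function names and the WEAK sample are constructed for illustration.

```python
SENSITIVE_MAPS = ("shadow.byname", "passwd.adjunct.byname")
RESTRICTED = {"port", "deny"}  # "port": only requests from source ports < 1024

# Rules as quoted in the message above.
FROM_MESSAGE = """
*                            : shadow.byname    : port
*                            : passwd.adjunct.byname : port
*                            : *                : none
"""

# Constructed sample: the catch-all comes first and shadows the later rules.
WEAK = """
# catch-all placed too early
*                            : *                : none
*                            : shadow.byname    : port
"""

def parse_rules(text):
    """Return (host, map, security) tuples; skip blanks, comments, options."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            continue  # blank line, or a two-field option line
        # Assumption: three-field layout as in the message (host, map, security).
        rules.append((fields[0], fields[1], fields[2].lower()))
    return rules

def effective_security(rules, map_name):
    """Security applied to an arbitrary client (only host '*' rules count)."""
    for host, pattern, security in rules:
        if host == "*" and pattern in ("*", map_name):
            return security  # assumption: first match wins
    return "none"  # assumption: no matching rule means access is allowed

def exposed_maps(text):
    """Sensitive maps that any local user could read with ypcat."""
    rules = parse_rules(text)
    return [m for m in SENSITIVE_MAPS
            if effective_security(rules, m) not in RESTRICTED]

if __name__ == "__main__":
    for name, conf in (("from message", FROM_MESSAGE), ("weak", WEAK)):
        print(name, "->", exposed_maps(conf) or "password maps restricted")
```

A clean result only means requests must come from a privileged port, which holds up only under the trust conditions stated in the note above.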
