Hi, I am working on an entry for the FAQ for the OpenBSD NIS/YP tools.
What I have always done on Solaris NIS servers is to distribute a custom set of maps in a directory different to /etc. This means that you don't have to expose root's password hash, which I see as a very sensible thing to do. I was hoping in theory that I could just change DIR in /var/yp/`domainname` to point at something else, but apparently not.

---8<---
# pwd
/var/yp/puffnet
# make
couldn't find /etc/puffnet_nis/master.passwd
couldn't find /etc/puffnet_nis/group
couldn't find /etc/puffnet_nis/hosts
couldn't find /etc/puffnet_nis/ethers
couldn't find /etc/puffnet_nis/networks
couldn't find /etc/puffnet_nis/rpc
couldn't find /etc/puffnet_nis/services
couldn't find /etc/puffnet_nis/protocols
mknetid: can't open file "/etc/puffnet_nis/passwd"
updated netid
pushed netid
couldn't find /etc/puffnet_nis/netgroup
couldn't find /etc/amd/amd.home
couldn't find /etc/puffnet_nis/mail/aliases
# ls -al /etc/puffnet_nis/
total 16
drwxr-xr-x 2 root wheel 512 Feb 16 19:04 .
drwxr-xr-x 33 root wheel 3072 Feb 16 19:20 ..
-rwxrwxrwx 1 root wheel 42 Feb 16 19:05 passwd
---8<---

Not sure why that is failing. Does the list think that this would be a useful feature to have? I do :)

Also, while I am on the subject of NIS, some other miscellaneous queries:

* As far as I can see, OpenBSD cannot read Solaris automount maps. Is this correct?
* OpenBSD NIS servers do not support "c2 security" (http://docs.sun.com/app/docs/doc/816-4556/anis2-25789?l=en&a=view). Correct?
* You can marginally improve the security of NIS servers and clients by chmoding ypcat to 700, therefore only allowing root to obtain password hashes on that system. Is there any reason this cannot be implemented on a default install?

Thanks

--
Best Regards
Edd
http://students.dec.bmth.ac.uk/ebarrett

