NIS security && shadow

NIS security && shadow

Post by Serkan AK?I » Tue, 28 Dec 1999 04:00:00



Hi,

We are using NIS on our Unix systems.
I used pwconv to enable shadow.
Then I copied the shadow file to the NIS dir.
Then I ran "make".

Now no one can read the shadow file, as it is "-rw-------".

But anyone can read the joined file (passwd && shadow)
with "ypcat -t passwd.byname".

So installing shadow isn't important.
Or am I doing something wrong?

----------------
Serkan AK?IN
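A check for exactly what Serkan observed, added here as an example rather than anything from his post: it reads passwd(5)-style lines and reports every account whose password field still carries a crypt string instead of a shadow placeholder or lock marker. On a NIS client the input would be `ypcat passwd.byname`; the map below is constructed, and its hashes are made-up strings, not real credentials.

```shell
#!/bin/sh
# Added example (not from the original post): find accounts whose crypt
# string is exposed in a passwd map. Feed it `ypcat passwd.byname` on a
# real client; here a constructed sample is used so it runs offline.

# exposed_hashes: print "user:uid" for every line whose password field
# (field 2) is neither empty, a shadow placeholder (x) nor a lock/no-password
# marker (*, NP, or anything starting with "!").
exposed_hashes() {
    awk -F: '
        NF >= 7 {
            pw = $2
            if (pw == "" || pw == "x" || pw == "*" || pw == "NP" ||
                substr(pw, 1, 1) == "!")
                next
            print $1 ":" $3
        }'
}

# count_exposed: number of accounts with an exposed hash on stdin.
count_exposed() {
    exposed_hashes | wc -l | tr -d ' '
}

# Constructed sample shaped like `ypcat passwd.byname` output on a host
# where the shadow hashes were merged into the map (hashes are fake).
SAMPLE_MAP='serkan:abJnggxhB/yWI:1001:10:Serkan:/home/serkan:/bin/sh
guest:x:1002:10:Guest:/home/guest:/bin/sh
backup:*:1003:10:Backup:/var/backup:/bin/false
yang:JdV2Hh5p2TkiI:1004:10:Yang:/home/yang:/bin/sh
locked:!*:1005:10:Locked:/home/locked:/bin/false'

# Standalone run: list the accounts any NIS client could crack offline.
printf '%s\n' "$SAMPLE_MAP" | exposed_hashes
```

If the list is non-empty, the shadow file on the master protects nothing: the same hashes are one `ypcat` away on every client in the domain.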

 
 
 

NIS security && shadow

Post by JK » Fri, 31 Dec 1999 04:00:00



> Hi,

> We are using NIS on our Unix systems.
> I used pwconv to enable shadow.
> Then I copied the shadow file to the NIS dir.
> Then I ran "make".

> Now no one can read the shadow file, as it is "-rw-------".

> But anyone can read the joined file (passwd && shadow)
> with "ypcat -t passwd.byname".

> So installing shadow isn't important.
> Or am I doing something wrong?

Well, shadow *might* be needed...  I'm not a NIS expert, so somebody
please correct me if I'm wrong...

Look in nsswitch.conf and find the line that begins with "passwd:".
That entry determines where your system looks for passwords.  If just
the word "nis" or "nisplus" appears after the word "passwd:" then your
system won't look in the shadow file when somebody tries to login.  If
just the word "files" appears, then the system will check the shadow
file but won't check NIS.  If both "files" and "nis" (or "nisplus")
appear, then the system will check both entities in the order they are
specified.

The practical upshot is that you can put "passwd: files nis" in the
nsswitch.conf file and then put a few users (root, yourself, another
sysad) in the passwd and shadow files.  That way, if NIS ever stops
working, for whatever reason, those people will still be able to login.
If nsswitch.conf has "passwd: nis" in it, then *nobody* will be able to
login when NIS is down.
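The nsswitch.conf check JK describes, scripted as an added example (not code from JK's post): it extracts the sources on the "passwd:" line, fails if "nis" or "nisplus" appears before "files", and then confirms root really exists in the local passwd file, which is the part people forget after putting "files" first. Both configuration files below are constructed samples, and the paths are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): audit the "passwd:" line of
# nsswitch.conf so a NIS outage cannot lock every administrator out.

# passwd_sources FILE: print the sources after "passwd:", one per line,
# with comments and "[NOTFOUND=return]"-style actions stripped.
passwd_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$1" |
        tr ' \t' '\n\n' | grep -v '^\[' | grep -v '^$'
}

# has_local_fallback FILE: succeed only if a passwd line exists and "files"
# is listed before any "nis" or "nisplus" source.
has_local_fallback() {
    passwd_sources "$1" | awk '
        { n++ }
        $1 == "files" { files_seen = 1 }
        ($1 == "nis" || $1 == "nisplus") && !files_seen { bad = 1 }
        END { exit (n == 0 || bad) ? 1 : 0 }
    '
}

# local_has_user PASSWD_FILE NAME: succeed if NAME is in the local file.
local_has_user() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# audit_nsswitch NSSWITCH PASSWD: print a verdict; return 0 only if root
# can still be resolved from local files when NIS is down.
audit_nsswitch() {
    if ! has_local_fallback "$1"; then
        echo "WEAK: passwd sources '$(passwd_sources "$1" | tr '\n' ' ')' put no 'files' before nis"
        return 1
    fi
    if ! local_has_user "$2" root; then
        echo "WEAK: 'files' is listed but root is missing from $2"
        return 1
    fi
    echo "OK: root resolvable from local files when NIS is down"
}

# Constructed samples (not copied from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'passwd:     nis\ngroup:      nis\nhosts:      files dns\n' > "$tmp/weak.conf"
printf 'passwd:     files nis   # local admins first\ngroup:      files nis\n' > "$tmp/good.conf"
printf 'root:x:0:0:Super-User:/:/sbin/sh\nserkan:x:1001:10::/home/serkan:/bin/sh\n' > "$tmp/passwd"

audit_nsswitch "$tmp/weak.conf" "$tmp/passwd" || true
audit_nsswitch "$tmp/good.conf" "$tmp/passwd"
```

Run it against the real /etc/nsswitch.conf and /etc/passwd on each client; the second check matters because "passwd: files nis" with an empty local passwd file is no better than "passwd: nis".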

 
 
 

NIS security && shadow

Post by Yang Wen Yon » Tue, 04 Jan 2000 04:00:00


After you migrate your name service from the local file system to NIS, all
information will be stored in NIS map files, and the shadow file will have
no further use. In fact, as you know, the system will use the joined maps
(passwd.byname and passwd.byuid) to do authentication, not
/etc/passwd and /etc/shadow. You don't need to copy /etc/shadow to the
/var/yp directory. Installing shadow is important before you migrate to
NIS.

> Hi,

> We are using NIS on our Unix systems.
> I used pwconv to enable shadow.
> Then I copied the shadow file to the NIS dir.
> Then I ran "make".

> Now no one can read the shadow file, as it is "-rw-------".

> But anyone can read the joined file (passwd && shadow)
> with "ypcat -t passwd.byname".

> So installing shadow isn't important.
> Or am I doing something wrong?

> ----------------
> Serkan AK?IN


 
 
 

NIS security && shadow

Post by Yang Wen Yon » Wed, 05 Jan 2000 04:00:00


All the steps you took are correct but not very good.
You'd better prepare the source files for the NIS maps first:
1. Create a directory DIR. Copy all necessary files (hosts, shadow, ...)
except passwd from /etc to directory DIR. Create another directory
PWDIR, copy /etc/passwd to PWDIR and edit PWDIR/passwd to remove the
line for root (it's very important to remove the root record from the NIS
map).
2. Edit /var/yp/Makefile. Change the DIR, PWDIR and DOM values.
3. Run 'ypinit -m' to set up the master server.
For more detail please refer to NIS Set Up and Configuration at
http://docs.sun.com/.

NIS has a very big problem, which is its security. All users in your network
can read the joined files (passwd.byname and passwd.byuid) and the
passwords will transit the network in plain text. If you need
higher security, please migrate your system to NIS+.

-----Original Message-----

Sent: Monday, January 03, 2000 7:37 PM
To: Yang Wen Yong
Subject: Re: NIS security && shadow

What I want to do is prevent users from seeing the crypted passwords by
using ypcat.

1. Install the system, with shadow enabled.
2. Copy /etc/passwd to /var/yp
3. Install NIS (make)

Are these steps enough to hide the crypted passwords?

----- Original Message -----

Newsgroups: comp.unix.solaris

Sent: Monday, January 03, 2000 12:34 PM
Subject: Re: NIS security && shadow

> After you migrate your name service from the local file system to NIS, all
> information will be stored in NIS map files, and the shadow file will have
> no further use. In fact, as you know, the system will use the joined maps
> (passwd.byname and passwd.byuid) to do authentication, not
> /etc/passwd and /etc/shadow. You don't need to copy /etc/shadow to the
> /var/yp directory. Installing shadow is important before you migrate to
> NIS.


> > Hi,

> > We are using NIS on our Unix systems.
> > I used pwconv to enable shadow.
> > Then I copied the shadow file to the NIS dir.
> > Then I ran "make".

> > Now no one can read the shadow file, as it is "-rw-------".

> > But anyone can read the joined file (passwd && shadow)
> > with "ypcat -t passwd.byname".

> > So installing shadow isn't important.
> > Or am I doing something wrong?

> > ----------------
> > Serkan AK?IN
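The three preparation steps Yang lists, scripted as an added example (not code from his post or from Sun's documentation): copy everything but passwd into DIR, write a root-free passwd into PWDIR, and rewrite the DIR, PWDIR and DOM assignments in the Makefile. It goes slightly beyond the text by dropping every uid-0 entry, not only the line named "root". The `ypinit -m` step is left to a real master; the /etc tree and Makefile below are constructed stand-ins, and the directory names, domain name and hash strings are invented.

```shell
#!/bin/sh
# Added example (not from the original post): prepare NIS map sources the
# way the reply describes, on a constructed copy so it runs offline.

# prepare_nis_sources ETC DIR PWDIR: DIR gets every file from ETC except
# passwd; PWDIR gets passwd with all uid-0 records (root included) removed.
prepare_nis_sources() {
    etc=$1; dir=$2; pwdir=$3
    mkdir -p "$dir" "$pwdir"
    for f in "$etc"/*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in
            passwd) ;;                 # handled separately below
            *) cp "$f" "$dir/" ;;
        esac
    done
    # Keep root (and any other uid 0 account) out of the map entirely.
    awk -F: '$1 != "root" && $3 != "0"' "$etc/passwd" > "$pwdir/passwd"
    if [ -f "$dir/shadow" ]; then chmod 600 "$dir/shadow"; fi
}

# set_makefile_vars MAKEFILE DIR PWDIR DOM: rewrite the three assignments
# (assumption: they appear as "DIR =", "PWDIR =", "DOM =" at line start,
# as in the stock Solaris /var/yp/Makefile).
set_makefile_vars() {
    mk=$1; dir=$2; pwdir=$3; dom=$4
    sed -e "s|^DIR[[:space:]]*=.*|DIR = $dir|" \
        -e "s|^PWDIR[[:space:]]*=.*|PWDIR = $pwdir|" \
        -e "s|^DOM[[:space:]]*=.*|DOM = $dom|" "$mk" > "$mk.new" &&
    mv "$mk.new" "$mk"
}

# makefile_var MAKEFILE NAME: print the current value of NAME.
makefile_var() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Constructed /etc tree and Makefile fragment (fake hashes, fake domain).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/etc"
printf 'root:x:0:0:Super-User:/:/sbin/sh\nserkan:x:1001:10::/home/serkan:/bin/sh\n' > "$work/etc/passwd"
printf 'root:abJnggxhB/yWI:10946::::::\nserkan:JdV2Hh5p2TkiI:10946::::::\n' > "$work/etc/shadow"
printf '127.0.0.1 localhost\n' > "$work/etc/hosts"
printf 'DIR =/etc\nPWDIR =/etc\nDOM = `domainname`\n' > "$work/Makefile"

prepare_nis_sources "$work/etc" "$work/nis/src" "$work/nis/pw"
set_makefile_vars "$work/Makefile" "$work/nis/src" "$work/nis/pw" example.nis
echo "PWDIR/passwd:"; cat "$work/nis/pw/passwd"
echo "Makefile:";     cat "$work/Makefile"
# Next, on the real master: ypinit -m, then make in /var/yp.
```

Keeping the sources outside /etc also means a later `make` in /var/yp cannot be fooled by someone editing the live passwd file, and root's hash never leaves the master regardless of what the passwd map exposes.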


 
 
 

NIS security && shadow

Post by chris ulri » Sun, 09 Jan 2000 04:00:00




%%
%%NIS has a very big problem, which is its security. All users in your network
%%can read the joined files (passwd.byname and passwd.byuid) and the
%%passwords will transit the network in plain text. If you need
%%higher security, please migrate your system to NIS+.

  This is not correct.

  On Solaris it is possible to make an NIS map that is only accessible
by uid 0 processes.  The shadow files can be distributed using this
feature, making it impossible for standard users to access the crypt
strings.  This is standard in Solaris.  Some other Unixes have similar
abilities.

  It is true that with the standard implementation of NIS, the dbm files
transit the network in clear text, including the dbm file that has the
encrypted passwords.  Of course, *lots* of passwords transit the network
in clear text anyhow, and those are really in clear text, not just
readable crypt strings.

  It is trivial to implement a transport that moves the dbm files over
the network using an encrypted channel.  You could use a kerberized
rcp or ftp, or ssh, or afs.  The only thing the slave cares about is
that the dbm files get updated in its /var/yp/domain.name directory.
It doesn't care *how* they get there.  This eliminates the relatively
small issue of ciphertext strings flying around in the clear.

  Security and NIS are not mutually exclusive, especially if you understand how
NIS works.  While there are problems with it, the two you mentioned are
old and solved.
chris
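The encrypted map transport chris describes, written out as an added example (not code from his post): the master tars the domain directory and unpacks it on the slave over ssh, then both sides are checksummed so a partial or tampered copy is caught. The channel is a parameter so the copy can be exercised locally without a slave; the domain name, hostname, directories and dbm stand-in files below are all constructed. Note what this does and does not cover: the transfer to the slave is protected, but ypserv on master and slave still answers ordinary NIS queries in the clear, so the uid-0-only map is what keeps the crypt strings away from users.

```shell
#!/bin/sh
# Added example (not from the original post): push NIS map files to a slave
# over ssh instead of yppush's clear-text transfer, then verify the copy.

# push_maps YPDIR DOMAIN REMOTE [REMOTE_YPDIR] [TRANSPORT]: stream the
# domain directory through TRANSPORT (default ssh, invoked as
# "TRANSPORT host command" exactly like ssh) into REMOTE_YPDIR on REMOTE.
push_maps() {
    ypdir=$1; dom=$2; remote=$3; rypdir=${4:-$1}; transport=${5:-ssh}
    [ -d "$ypdir/$dom" ] || { echo "no maps for $dom in $ypdir" >&2; return 1; }
    # The slave only needs the dbm files to appear under its /var/yp/<domain>;
    # tar keeps names and modes, the pipe never touches the network unencrypted.
    tar cf - -C "$ypdir" "$dom" | "$transport" "$remote" "tar xf - -C '$rypdir'"
}

# map_digest DIR: "cksum size name" per file, sorted, for comparing the
# master's and slave's copies after a push.
map_digest() {
    ( cd "$1" && find . -type f -exec cksum {} \; | sort )
}

# local_transport HOST COMMAND: stand-in for ssh used by the demo; ignores
# HOST and runs COMMAND on this machine so the copy can be checked offline.
local_transport() { shift; sh -c "$*"; }

# Constructed master and slave trees with fake dbm files.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
master=$work/master/yp; slave=$work/slave/yp; dom=example.nis
mkdir -p "$master/$dom" "$slave"
printf 'fake dbm pag\n' > "$master/$dom/passwd.byname.pag"
printf 'fake dbm dir\n' > "$master/$dom/passwd.byname.dir"
printf 'fake dbm pag\n' > "$master/$dom/hosts.byname.pag"

# Standalone run: push through the local stand-in, then compare digests.
push_maps "$master" "$dom" slave.example.com "$slave" local_transport
if [ "$(map_digest "$master/$dom")" = "$(map_digest "$slave/$dom")" ]; then
    echo "maps on slave match master"
else
    echo "digest mismatch after push" >&2
fi
```

In production the call is `push_maps /var/yp "$(domainname)" slave.example.com` from the master's Makefile or a cron job, with a key-only ssh account on the slave whose forced command is the `tar xf - -C /var/yp` step and nothing else; keep the digest comparison, since a silently truncated map is the failure mode yppush would otherwise report.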