NIS/NIS+ password security without user keypairs -- how ???

Post by Dean Broo » Sun, 09 Jul 1995 04:00:00

   We have several hundred users who will be accessing 4 systems
on our network (all Solaris 2.4 systems).

   Is it possible to use NIS/NIS+ to share the password/shadow files
(which are the only files we are concerned about sharing) without
having to have public/private keypairs for *every* user, while
still maintaining strong security over the shadow password file?

   That is, is it possible to set up NIS or NIS+ so that the *system*
credentials (i.e. root credentials) are good enough to qualify a user
as being authenticated to update their own password?

   It seems that it would be possible to ensure authentication of
a particular user simply based upon the system they are coming
from, rather than each person having to manage their own
private credentials.

   I am just trying to avoid the hassle of educating our
users about this keypair stuff while still maintaining NIS+
security...

   Any suggestions would be appreciated...

1. NIS+ user management [Was: Re: root changing a user's password (NIS)]


And Solaris 2 removed `passwd -f <filename>'; the "-f" option now
means "force password change at next login".

> What other ways are there that are safer?

Good question.  I haven't used Solaris 2 at a large site long enough
for it to be much of an issue.  When necessary, I've just done as you
and edited the file by hand (using Emacs, which when saving at least
gives warning if the file's been changed).  Several years ago at Sun,
I recall there being a `viyp' utility for editing NIS files.  Maybe
they made it publicly available.  I think it's harder to enforce
such a utility's use than it is to write one. ;-)

On a related note -- what is the recommended/approved/best way to add
new users and remove ex-users to/from NIS+ ??  One would hope `useradd'
could do it -- nope.  The NIS+ utilities `nis{addent,populate}' are
tailored towards adding to NIS+ tables from ASCII files or NIS maps
rather than dealing with a single "user" entry.  And using plain
`nistbladm' and `nisaddcred' options is crude and error-prone.

I've searched to no avail for some "cookbook" method of handling NIS+
user management.  My old NIS+ book was useless for that issue.  Maybe
I just have a blind spot.  Any suggestions would be appreciated...
thanks!

-sjk

--
Scott J. Kramer                         Graham Technology Solutions
Sr. UNIX Systems Administrator          20823 Stevens Creek Blvd., Suite 300

http://www.graham.com                 +1.408.366.8001
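The "cookbook" sjk is asking for above, written out as an added example (it is not from either post, and not a Sun-supplied tool): a small wrapper that adds one user to the NIS+ passwd table and creates the LOCAL and DES credentials in a single, checked step. The nistbladm/nisaddcred command syntax is assumed from the Solaris 2.x man pages as I remember them (nistbladm -a col=val ... table; nisaddcred -p <uid> -P <principal> local; nisaddcred -p unix.<uid>@<domain> -P <principal> des) and should be checked against your release. DOMAIN, DRY_RUN, PASSWD_DUMP and the function names are this script's own inventions. Note that the final des step is exactly the per-user keypair Dean's post wants to avoid: without it the user has no credential that lets them update their own passwd column, so the wrapper leaves the account locked ('*') until that credential exists.

```shell
#!/bin/sh
# nisplus-useradd: add a single user to NIS+ passwd.org_dir and give them
# LOCAL and DES credentials in one step.
#
# Added example, not from the thread. Command syntax is an assumption taken
# from the Solaris 2.x nistbladm(1) and nisaddcred(1M) man pages:
#   nistbladm -a col=val ... passwd.org_dir.<domain>
#   nisaddcred -p <uid>               -P <login>.<domain>  local
#   nisaddcred -p unix.<uid>@<domain> -P <login>.<domain>  des
# DOMAIN, DRY_RUN and PASSWD_DUMP are knobs invented for this script.

DOMAIN="${DOMAIN:-example.com.}"   # NIS+ domain, with trailing dot (assumed)
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the commands instead of running them
PASSWD_DUMP="${PASSWD_DUMP:-}"     # optional file holding a niscat-style dump

# Run a command, or just show it when DRY_RUN=1 (no NIS+ server needed).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Login names: lowercase letter, then [a-z0-9_-], at most 8 chars (old limit).
valid_login() {
    expr "$1" : '[a-z][a-z0-9_-]*$' >/dev/null && [ "${#1}" -le 8 ]
}

# Exit 0 if the UID already appears in passwd.org_dir (or in PASSWD_DUMP,
# which lets the check run against constructed data without a server).
uid_in_use() {
    if [ -n "$PASSWD_DUMP" ]; then
        cat "$PASSWD_DUMP"
    else
        niscat "passwd.org_dir.$DOMAIN" 2>/dev/null
    fi | awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }'
}

# nisplus_add_user login uid gid gecos home shell
nisplus_add_user() {
    login=$1 uid=$2 gid=$3 gecos=$4 home=$5 shell=$6
    valid_login "$login" || { echo "nisplus_add_user: bad login '$login'" >&2; return 1; }
    case $uid in
        ''|*[!0-9]*) echo "nisplus_add_user: bad uid '$uid'" >&2; return 1 ;;
    esac
    if uid_in_use "$uid"; then
        echo "nisplus_add_user: uid $uid already in use" >&2; return 1
    fi

    # 1. The passwd.org_dir row.  Password column is '*' (locked) until the
    #    user sets one; shadow column is lastchg:min:max:warn:inactive:expire:flag
    #    with lastchg in days since the epoch.
    run nistbladm -a "name=$login" "passwd=*" "uid=$uid" "gid=$gid" \
        "gcos=$gecos" "home=$home" "shell=$shell" \
        "shadow=$(( $(date +%s) / 86400 ))::::::" \
        "passwd.org_dir.$DOMAIN" || return 1
    # 2. LOCAL credential: maps the Unix UID to the NIS+ principal name.
    run nisaddcred -p "$uid" -P "$login.$DOMAIN" local || return 1
    # 3. DES credential: the per-user keypair.  When run for real, nisaddcred
    #    prompts for the login password used to encrypt the private key.
    run nisaddcred -p "unix.$uid@${DOMAIN%.}" -P "$login.$DOMAIN" des
}

# Usage: DRY_RUN=1 ./nisplus-useradd jdoe 1001 100 "John Doe" /home/jdoe /bin/sh
if [ $# -eq 6 ]; then
    nisplus_add_user "$@"
fi
```

Run it once with DRY_RUN=1 to see the three commands it would issue, then without; the LOCAL credential must exist before the DES one is added, which is why the steps are ordered as they are and each later step is skipped when an earlier one fails.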
