OSEC

From: Matthew Weigel (Matthew_Weigelmlist-0.sp.cs.cmu.edu)
Date: Sun Dec 02 2001 - 14:40:31 CST

    > The O'Reilly book (2nd ed.) of NIS/NFS recommends creating new password
    > files (say, /etc/passwd.nis and /etc/master.passwd.nis), and editing the
    > NIS makefile (/var/yp/Makefile.yp) to refer to these new password files.
    > (p. 35 of the O'Reilly book).

    As others have said, that's true in spirit but maybe not perfect in
    description. You would probably want to edit the domain-specific
    Makefile, and keep the passwd files in /etc/yp.

    > Easily done, but how does that interact with the passwd command and
    > adduser?

    The passwd command on OpenBSD also affects the YP password, which
    doesn't go through the files directly; that should not be a problem.
    After adding a user you will have to rebuild the maps anyways, because
    the raw passwd/master.passwd files aren't used anyways. Either way, you
    will need to re-run make in the domain's directory when you add a new
    user (you may need to edit the Makefile to point to the correct passwd
    files, but that's a one-time problem).

    > If NIS is using a file which *isn't* /etc/master.passwd, if I add
    > a new user to the system, will I have to manually add the new entries to
    > /etc/passwd.nis and /etc/master.passwd.nis? Each time?

    Yes. But this is an easily automated process.

    > Or should I edit /usr/sbin/adduser to use the /etc/master.passwd.nis file
    > instead of /etc/master.passwd?

    I would say 'not' because that may make it difficult to add non-yp
    users. A simple

    (umask u=rw,go=; grep '^newuser:' /etc/master.passwd > /etc/tmp.passwd; \
     vi /etc/tmp.passwd; cat /etc/tmp.passwd >> /etc/yp/master.passwd; \
     rm /etc/tmp.passwd)

    after you add the newuser that you want to be in the yp database.

    OK, I made it a bit complicated by including various safety precautions,
    but the gist is a simple grep and append.

    > But what about the actual passwd command? If I make NIS to use these other
    > files, will passwd be smart enough (or will NIS be smart enough) to change
    > the /etc/master.passwd.nis file instead of /etc/master.passwd?

    NIS will be, yes, which is what you need.

    > Or is the OpenBSD implementation of NIS clever enough on its own to not
    > spread around the root passwd, therefore making my worries moot?

    I believe OpenBSD simply believes that you are competent enough to have
    a reason to do so, if you do so :)

    > I do have IPSec running, but I'm running some services on my
    > (potential) NIS clients which might not be so secure, so I want to make as
    > sure as possible that the NIS password maps don't contain privileged info.

    Well, they will contain password hashes, which is privileged. Even if
    you use the secure flag and don't pass 'em out to anyone, they still
    pass over the network.

    -- 
     Matthew Weigel
     Research Systems Programmer
     mcweigel+cs.cmu.edu
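The "grep and append" step described in the reply above, written out as an added example (this is not code from the original post or from OpenBSD). It takes the source and destination files as parameters so it can be tried on copies; the defaults /etc/master.passwd and /etc/yp/master.passwd, the /var/yp/DOMAIN make step, and the sample account lines are assumptions based on the thread. It adds the checks the original one-liner leaves to the operator: an anchored match so one login cannot match a longer one, a duplicate check, and a refusal to export any uid-0 entry so the root hash stays out of the maps, which is the concern the original poster raised.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenBSD: the
# "grep and append" step from the reply as a function with safety checks.
# File paths are parameters; the defaults follow the reply and are
# assumptions about the local YP layout.

# add_yp_user NAME [SRC] [DST]
#   exit status: 0 appended, 1 NAME not in SRC, 2 NAME already in DST,
#                3 refused because the account is uid 0 (keeps the root
#                hash out of the maps)
add_yp_user() {
    name=$1
    src=${2:-/etc/master.passwd}
    dst=${3:-/etc/yp/master.passwd}

    # anchor on "name:" so "bob" cannot match "bobby"; first hit only
    entry=$(grep "^${name}:" "$src" | head -n 1)
    [ -n "$entry" ] || return 1

    # master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    case $uid in 0) return 3 ;; esac

    grep -q "^${name}:" "$dst" 2>/dev/null && return 2

    # if DST has to be created, create it owner-readable only (mode 0600)
    ( umask u=rw,go= && printf '%s\n' "$entry" >> "$dst" )
}

# rebuild_yp_maps DOMAIN: the "re-run make in the domain's directory"
# step from the reply; not exercised in the demo since it needs a YP server.
rebuild_yp_maps() {
    ( cd "/var/yp/${1:?domain name required}" && make )
}

# write_fixture DIR: constructed sample master.passwd (OpenBSD 10-field
# format, hashes replaced by placeholders) for trying the function offline
write_fixture() {
    cat > "$1/master.passwd" <<'EOF'
root:$2b$10$PLACEHOLDERROOTHASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$2b$10$PLACEHOLDERALICEHASH:1000:1000::0:0:Alice:/home/alice:/bin/ksh
bob:*:1001:1001::0:0:Bob:/home/bob:/bin/ksh
bobby:*:1002:1002::0:0:Bobby:/home/bobby:/bin/ksh
EOF
}

# "sh this_script.sh demo" runs the function against the sample files
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && write_fixture "$d"
    for u in alice alice root bob nobody; do
        add_yp_user "$u" "$d/master.passwd" "$d/yp.master.passwd"
        echo "$u: status $?"
    done
    echo "--- $d/yp.master.passwd ---"; cat "$d/yp.master.passwd"
    rm -rf "$d"
fi
```

Run it with the `demo` argument to see the four outcomes on the constructed files; in real use, call add_yp_user with the production paths and then rebuild_yp_maps for the domain, since the appended line is not visible to clients until the maps are regenerated. The hash is copied as-is: as the reply points out, the maps have to carry hashes for YP to work, so the check here only keeps uid-0 accounts out of them.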