Subject: Re: rootless NIS passwd maps
From: Clayton Mitchell (cmitchellATGI.NET)
Date: Thu Jul 13 2000 - 13:13:02 CDT


      How to make shadow password map secure on nis:
      ----------------------------------------------

     This assumes you maintain separate passwd/shadow files from /etc in
your /var/yp/`domainname` on your nis server, which I highly recommend.

      make a subdirectory of /var/yp/`domainname`

      name the directory 'security', so you have:

      /var/yp/`domainname`/security

      In that directory, put the shadow passwd file, but name it
'passwd.adjunct'

      This is more or less a bookkeeping file, the actual encrypted
passwords are not maintained here, but the user names must be in here.

      In the /var/yp/`domainname` directory, put the actual shadow file and
keep the name 'shadow' - this is the LIVE shadow file.

Then check the Makefile in /var/yp and notice that the "make all" section
has no mention of passwd.adjunct. Add this map, rerun make.

Notes:

      Never RCS the shadow file in /var/yp!

      To add a user with this method, you need to edit 3 files:

      add the user to /var/yp/`domainname`/passwd

      add the actual shadow entry in /var/yp/`domainname`/shadow

      add the shadow entry to /var/yp/`domainname`/security/passwd.adjunct

      The passwd and passwd.adjunct files should be under revision control.

-----Original Message-----
From: James Craig [mailto:jmcCS.RIT.EDU]
Sent: Thursday, July 13, 2000 10:31 AM
To: FOCUS-SUNSECURITYFOCUS.COM
Subject: Re: rootless NIS passwd maps

        On this same topic, I am trying to decipher how a passwd.adjunct
file would be set up as well, (should we want to retreat from NIS+[1])
and also use shadow files.

On the ypmaster, I would like to have
/etc/passwd
/etc/shadow (encrypted passwords for the entries in /etc/passwd)
/var/ypfiles/passwd.adjunct (or whatever)

The question is... what is the format of passwd.adjunct? Are the
encrypted passwords in that file? or are they in a separate file,
like a shadow.adjunct or something?

jim craig

[1] We were running a hacked up yp system up until the end of may,
     then cut over to NIS+. I have had nothing but problems with it
     since then, and although it could be a viable solution if some of
     my problems are fixed.. We are considering going back to yp until
     LDAP is usable for us.
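
The reply at the top of this thread says three files have to be edited for every user and that the live shadow file must never be put under RCS. The script below is an added example, not part of either message: it cross-checks user names across the three files and looks for an RCS history file next to shadow. The function names and the sample data are constructed for illustration, and only the first colon-separated field of each file is compared.

```shell
#!/bin/sh
# Added example: cross-check the three files edited when adding a user.
# Only the first colon-separated field (the user name) is compared.

users_of() {  # print the user names found in file $1
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

missing_from() {  # print names present in file $1 but absent from file $2
    users_of "$1" | while read -r u; do
        awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$2" || echo "$u"
    done
}

report() {  # flag every user in $1 that has no entry in $2
    out=$(missing_from "$1" "$2")
    [ -z "$out" ] && return 0
    for u in $out; do echo "$u: in $1 but not in $2"; done
    return 1
}

check_nis_maps() {  # $1 = map source directory, e.g. /var/yp/`domainname`
    dir=$1; rc=0
    p=$dir/passwd; s=$dir/shadow; a=$dir/security/passwd.adjunct
    for f in "$p" "$s" "$a"; do
        [ -f "$f" ] || { echo "missing file: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    report "$p" "$s" || rc=1   # passwd entry without a live shadow entry
    report "$p" "$a" || rc=1   # passwd entry without a passwd.adjunct entry
    report "$s" "$p" || rc=1   # stale shadow entry
    report "$a" "$p" || rc=1   # stale passwd.adjunct entry
    # RCS keeps history in "shadow,v", beside the file or in an RCS/ subdirectory.
    if [ -e "$dir/shadow,v" ] || [ -e "$dir/RCS/shadow,v" ]; then
        echo "shadow is under RCS: $dir"; rc=1
    fi
    return "$rc"
}

make_sample_tree() {  # constructed sample data, written under directory $1
    mkdir -p "$1/security"
    printf '%s\n' 'alice:x:1001:10::/home/alice:/bin/sh' \
                  'bob:x:1002:10::/home/bob:/bin/sh' > "$1/passwd"
    printf '%s\n' 'alice:CONSTRUCTED-HASH:11151::::::' > "$1/shadow"
    printf '%s\n' 'alice:x' 'bob:x' 'carol:x' > "$1/security/passwd.adjunct"
}

# Run against a real directory when one is given on the command line.
[ "$#" -eq 0 ] || check_nis_maps "$1"
```

Run it after each user addition and before rerunning make; a non-zero exit status means at least one of the three files is out of step or shadow has picked up an RCS history file.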