Subject: Re: rootless NIS passwd maps
From: Lisa Weihl (lweihl CS.BGSU.EDU)
Date: Tue Jul 18 2000 - 22:27:16 CDT
- Next message: Clayton Mitchell: "Re: rootless NIS passwd maps"
- Previous message: Bennett Todd: "Re: Secure NTP Recommendations"
- In reply to: Clayton Mitchell: "Re: rootless NIS passwd maps"
- Next in thread: Clayton Mitchell: "Re: rootless NIS passwd maps"
- Reply: Lisa Weihl: "Re: rootless NIS passwd maps"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Forgive my ignorance here and flame me if you like but I'm still learning a
lot of Unix stuff (spend too much time on PCs and Macs) and I want to make
sure I'm clear on this procedure below. I'm assuming implementing the
procedure below sanitizes the encrypted passwords out of a "ypcat passwd"
command while still allowing logins via NIS. Correct?
I implemented this one time a couple of years ago and must have done
something wrong because it sanitized the ypcat passwd command but also
locked out my users from logging in from that point on. At that time
someone on another admin list tried to tell me that there was no
workaround for the encrypted passwords showing up in a ypcat passwd command. So
I just moved on and dealt with it as an NIS limitation.
Am I clear in that it doesn't really matter what I put in the copy of the
shadow file that's going in passwd.adjunct as long as the usernames are
there? Meaning, can I just copy over the shadow file verbatim and not touch
it, or could I remove the encrypted passwords and it wouldn't matter either
way because the actual passwords are maintained somewhere else?
I just implemented this and it works so I'm impressed as I've wanted to do
this for some time. I just want to make sure I'm clear on the procedure
and haven't opened up a hole I'm not aware of. Now I just have to remember
to add a line to the passwd.adjunct file every time I add a user:-)
At 11:13 AM 7/13/00 -0700, you wrote:
> How to make shadow password map secure on nis:
> ----------------------------------------------
>
> This assumes you maintain separate passwd/shadow files from /etc in
> your /var/yp/`domainname` on your nis server, which I highly recommend.
>
> make a subdirectory of /var/yp/`domainname`
>
> name the directory 'security', so you have:
>
> /var/yp/`domainname`/security
>
> In that directory, put the shadow passwd file, but name it
> 'passwd.adjunct'
>
> This is more or less a bookkeeping file, the actual encrypted
> passwords are not maintained here, but the user names must be in here.
>
> In the /var/yp/`domainname` directory, put the actual shadow file and
> keep the name 'shadow' - this is the LIVE shadow file.
>
> Then check the Makefile in /var/yp and notice that the "make all" section
> has no mention of passwd.adjunct. Add this map, rerun make.
>
> Notes:
>
> Never RCS the shadow file in /var/yp!
>
> To add a user with this method, you need to edit 3 files:
>
> add the user to /var/yp/`domainname`/passwd
>
> add the actual shadow entry in /var/yp/`domainname`/shadow
>
> add the shadow entry to /var/yp/`domainname`/security/passwd.adjunct
>
> The passwd and passwd.adjunct files should be under revision control.
**********************************************************************************
Lisa Weihl, System Administrator E-mail: lweihl cs.bgsu.edu
Department of Computer Science Office: Hayes 225
Bowling Green State University Phone: (419) 372-0116
Bowling Green, Ohio 43403-0214 Fax: (419) 372-8061
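A quick way to confirm the outcome Lisa is asking about, i.e. that after adding the passwd.adjunct map the public passwd map carries only the "##user" placeholder in its password field and no crypt hashes. This is an added example, not code from the thread; the sample map below is constructed, and the script assumes the SunOS/Solaris convention that a passwd.adjunct-backed passwd map shows `##username` as the password field.

```shell
#!/bin/sh
# check_passwd_map: read `ypcat passwd` output on stdin, report on stderr
# every entry whose password field still looks like a hash, and print the
# number of such entries on stdout (0 means the map leaks nothing).
#
# Usage: ypcat passwd | check_passwd_map
check_passwd_map() {
    awk -F: '
        /^[+-]/  { next }                 # +/- netgroup and compat escapes
        NF < 7   { next }                 # not a passwd(4) entry
        $2 == "" { print "empty password field for " $1 > "/dev/stderr"; next }
        # Harmless values: locked markers, the shadow pointer "x",
        # Solaris "NP", and the passwd.adjunct placeholder "##<user>".
        $2 == "*" || $2 == "x" || $2 == "NP" || $2 == ("##" $1) { next }
        { print "hash exposed for " $1 ": " $2 > "/dev/stderr"; bad++ }
        END { print bad + 0 }
    '
}

# Constructed sample of what `ypcat passwd` might return on a server where
# only some accounts have been moved to passwd.adjunct (not real data).
SAMPLE_MAP='alice:##alice:1001:100:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$abcdefghijklmnopqrstu:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
dave:ab1Cd2Ef3Gh4I:1004:100:Dave:/home/dave:/bin/csh
+::::::'

# Stand-alone demonstration: reports bob and dave, prints 2.
printf '%s\n' "$SAMPLE_MAP" | check_passwd_map
```

Run it against the live map with `ypcat passwd | check_passwd_map`; a non-zero count means an entry was added to passwd but never to passwd.adjunct, exactly the bookkeeping slip Lisa mentions having to watch for.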