Re: Use shadow like password with NIS on Fedora

Pedro,

Your suggestion is definitely correct.  NIS is not that secure.  We may implement LDAP in the future when the number of machines gets bigger.

I searched Google again and found some information about shadow passwords with NIS.  The idea is to mangle the shadow passwords so that they are not displayed when ‘ypcat passwd’ is issued.  With Fedora, and I believe with other Linux distributions as well, you can modify /var/yp/Makefile to create the shadow.byname NIS database.  With Fedora, it is quite easy to do this by just setting “MERGE_PASSWD=false” so that the encrypted shadow passwords will not be merged with the password file in the ypcat output.  If we modify /etc/nsswitch.conf and /etc/ypserv.conf to enable the mangled shadow passwords, the ypcat command will no longer display the encrypted passwords.

Your suggestion about LDAP usage is absolutely another option in the long run.

Thank you so much for sharing your idea.

Qi

> From: Pedro Fernandes Macedo webmaster@xxxxxxxxxxxxxxxxxxx

> Pedro Fernandes wrote:

>>>>

From my experience with NIS authentication, what you want is impossible. In the university where I work, we're slowly preparing the machines to use ldap authentication, as a security measure. We've had enough problems with NIS, as any user can ypcat passwd and get all passwords and maybe try to crack them. For this reason, we have a strict policy regarding passwords and we try to crack weak passwords weekly. If you want security (at the expense of taking longer to configure the server), I suggest you use ldap. Fedora has excellent support for ldap auth configuration (using redhat-config-authentication).

<<<<

> From: "Qi Chen" <qi.chen@xxxxxxxxxxxx>
> To: <fedora-list@xxxxxxxxxx>
> Subject: Use shadow like password with NIS on Fedora
> Date: Fri, 26 Dec 2003 17:16:19 -0800
> Reply-To: fedora-list@xxxxxxxxxx
>
> I have just installed Fedora.  I have configured the NIS server/client ok.
> However, when I type the command 'ypcat passwd', I can see the encrypted
> password in the output, which is no good and is not what I want.  I
> would like to have no encrypted password showing up when I type the
> command 'ypcat passwd'.
>
> Then I changed the /etc/nsswitch.conf file with
>
> passwd: compat
> shadow: compat
>
> and modified the /etc/ypserv.conf file as follows:
>
> # The following, when uncommented, will give you shadow like passwords.
> # Note that it will not work if you have slave NIS servers in your
> # network that do not run the same server as you.
>
> # Host                     : Domain  : Map              : Security
> #
> *                        : *       : passwd.byname    : port
> *                        : *       : passwd.byuid     : port
>
> I restarted ypserv and ypbind.  However, the ypcat command still shows
> the shadow password.  I am using ypserv-2.8.3 and glibc-2.3.2-101.
>
> Am I missing anything?  Please help if you know the answer.
>
> -Qi
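
A way to verify the change discussed in this thread, as an added example that is not part of the original messages: one function flags passwd-format entries (such as `ypcat passwd` output) that still carry a crypt hash, and one reports which security value a ypserv.conf applies to a given map. The function names, the sample data and the first-match, default-allow reading of ypserv.conf rules are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Sample data is constructed.

# Print the login of every passwd(5)-format line on stdin whose second
# field still holds a crypt hash rather than a placeholder.
exposed_hash_users() {
    awk -F: '
        /^[-+#]/ || NF < 7 { next }    # compat entries, comments, short lines
        {
            pw = $2
            sub(/^!+/, "", pw)          # a locked account keeps its hash after "!"
            if (pw == "" || pw == "x" || pw == "*") next
            modular = (pw ~ "^[$][0-9a-z]+[$]")                     # $1$...
            des = (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")     # 13-char crypt(3)
            if (modular || des) print $1
        }'
}

# Print the security value of the first host:domain:map:security rule on
# stdin whose map field is $1 or "*"; print "none" if no rule matches.
# Assumptions: first match wins, no match means unrestricted, and the
# host and domain fields are ignored (the sample rules use "*").
map_security() {
    awk -F: -v want="$1" '
        /^[ \t]*(#|$)/ || NF != 4 { next }
        {
            for (i = 1; i <= 4; i++) gsub(/[ \t]/, "", $i)
            if ($3 == want || $3 == "*") { print $4; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Constructed map dumps: hashes merged into passwd, then split out.
MERGED='alice:$1$saltsalt$abcdefghijklmnopqrstu.:500:500::/home/alice:/bin/bash
bob:!!:501:501::/home/bob:/bin/bash
carol:abJnggxhB/yWI:502:502::/home/carol:/bin/bash'
SPLIT='alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash'
# Constructed ypserv.conf holding only the two rules quoted in the thread.
CONF='# Host : Domain : Map : Security
* : * : passwd.byname : port
* : * : passwd.byuid : port'

echo "merged map exposes: $(printf '%s\n' "$MERGED" | exposed_hash_users | tr '\n' ' ')"
echo "split map exposes:  $(printf '%s\n' "$SPLIT" | exposed_hash_users | tr '\n' ' ')"
for m in passwd.byname shadow.byname; do
    echo "$m -> $(printf '%s\n' "$CONF" | map_security "$m")"
done
```

On a real client, `ypcat passwd | exposed_hash_users` should print nothing once the hashes live only in shadow.byname. With just the two passwd rules quoted in the thread, `map_security shadow.byname` reports `none`, so the split map needs its own rule.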

 

