Use shadow like password with NIS on Fedora

Qi Chen qi.chen at jpl.nasa.gov
Sun Dec 28 07:39:43 UTC 2003


Pedro,
 
Your suggestion is definitely correct.  NIS is not that secure.  We may
implement LDAP in the future when the number of machines gets bigger.
 
I searched Google again and found some information about shadow passwords
with NIS.  The idea is to mangle the shadow passwords so that they are not
displayed when 'ypcat passwd' is issued.  With Fedora, and I
believe with other Linux as well, you can modify /var/yp/Makefile to
create a shadow.byname NIS database.  With Fedora, it is quite easy to do
this by just setting "MERGE_PASSWD=false" so that the shadow encrypted
code will not be merged with the password file in the ypcat information.  If
we modify /etc/nsswitch.conf and /etc/ypserv.conf to enable the mangled
shadow password, the ypcat command will no longer display the encrypted
password.
 
Your suggestion about LDAP usage is absolutely another option in the long
run.
 
Thank you so much for sharing your idea.
 
Qi
 
 
> From: Pedro Fernandes Macedo webmaster at margo.bijoux.nom.br
 
> Pedro Fernandes Wrote:
>>>>
From my experience with NIS authentication, what you want is
impossible. In the university where I work, we're slowly preparing the
machines to use ldap authentication, as a security measure. We've had
enough problems with NIS, as any user can ypcat passwd and get all
passwords and maybe try to crack them. For this reason, we have a
strict policy regarding passwords and we try to crack weak passwords
weekly. If you want security (at the expense of taking longer to
configure the server), I suggest you use ldap. Fedora has excellent
support for ldap auth configuration (using redhat-config-authentication).
 
<<<<
 
> From: "Qi Chen" <qi.chen at jpl.nasa.gov>
> To: <fedora-list at redhat.com>
> Subject: Use shadow like password with NIS on Fedora
> Date: Fri, 26 Dec 2003 17:16:19 -0800
> Reply-To: fedora-list at redhat.com
>
>
> I have just installed Fedora.  I have configured the NIS server/client OK.
> However, when I type the command 'ypcat passwd', I can see the encrypted
> password in the output, which is no good and is not what I want.  I
> would like to have no encrypted password showing up when I type the
> command 'ypcat passwd'.
>
> Then I changed the /etc/nsswitch.conf file with
>
> passwd: compat
> shadow: compat
>
> and modified the /etc/ypserv.conf file as follows:
>
> # The following, when uncommented, will give you shadow like passwords.
> # Note that it will not work if you have slave NIS servers in your
> # network that do not run the same server as you.
>
> # Host                     : Domain  : Map              : Security
> #
> *                        : *       : passwd.byname    : port
> *                        : *       : passwd.byuid     : port
>
> I restarted ypserv and ypbind.  However, the ypcat command still shows
> the shadow password.  I am using ypserv-2.8.3 and glibc-2.3.2-101.
>
> Am I missing anything?  Please help if you know the answer.
>
> -Qi
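
Added example, not part of the original messages: three shell checks for the setup discussed in this thread, covering whether passwd-format output still carries hashes, what MERGE_PASSWD is set to in a NIS Makefile, and which password maps lack a "port" or "deny" rule in ypserv.conf. The function names and sample data are constructed for illustration, and treating a map with no matching rule as unprotected is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# Print login names from passwd-format input (e.g. `ypcat passwd` output)
# whose second field still carries a password hash.
exposed_accounts() {
    awk -F: '
        # Empty, "x", runs of "*" or "!", and "*NP*"-style markers hold no hash.
        $2 == "" || $2 == "x" || $2 ~ /^[*!]+$/ || $2 ~ /^\*.*\*$/ { next }
        { print $1 }'
}

# Print the last value assigned to MERGE_PASSWD in the given NIS Makefile.
merge_passwd_setting() {
    sed -n 's/^[[:space:]]*MERGE_PASSWD[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print each password map whose first matching ypserv.conf rule is missing
# or is not "port"/"deny". Simplification: host and domain are not evaluated.
unprotected_maps() {
    for map in passwd.byname passwd.byuid shadow.byname; do
        awk -F: -v map="$map" '
            /^[[:space:]]*#/ || NF < 4 { next }
            {
                gsub(/[[:space:]]/, "", $3); gsub(/[[:space:]]/, "", $4)
                if ($3 == map || $3 == "*") { sec = $4; exit }
            }
            END { if (sec != "port" && sec != "deny") print map }' "$1"
    done
}

# Constructed sample standing in for `ypcat passwd` output; prints "alice".
exposed_accounts <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:$1$EXAMPLE$CONSTRUCTEDHASHVALUE00:500:500::/home/alice:/bin/bash
bob:*:501:501::/home/bob:/bin/bash
EOF
```

On a live client, `ypcat passwd | exposed_accounts` run as an unprivileged user should print nothing once the hashes are no longer merged into the passwd maps.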
 