[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: NIS, shadow, and pam?



Jim Hebert writes:
 > I always hear varying things on this, so I'm going to stick my neck out
 > and someone either confirms or denies this. =)
 > 
 > I've heard, on one hand, that "shadow" for YP is really not shadow in the
 > traditional sense, and that instead it's a trick in the library where it
 > check's who is asking for the password map from yp and if it's not root,
 > it sends it the user:*:.... looking map, while if it is root it will give
 > you the normal looking map with the passwords.
 > 
 > Then on the other hand I've actually seen threads where people were
 > running with /etc/shadow containing the passwords, and they were trying to
 > get that working.
 > 
 > So, I dunno. How's that saying go? The best way to get information is to
 > post misinformation?

To NIS and shadow, I could tell you a lot. But I don't know, how it
works with PAM.

At first, shadow over NIS isn't much safer then normal passwd over
NIS. But you could configure my Linux ypserv in a way, that some
fields are mangled with a *, if the request doesn't come from a
reserved port. If a DOS or Windows client has access to this server,
you have losed.
With this, you could send an entry like user:*:... from passwd to the
client, if the request comes from a normal user. root will get the
correct entry (port greater or less then 1024).

The next is, to create a map shadow.byname. But this only works with
glibc as client, not with libc5. I don't know about PAM. But with
glibc and PAM it works, if you uses the pam_unix_auth_* modules, and
not pam_pwdb.
With shadow.byname, you could also mangle the password field, so that
only root could read that entry. shadow and NIS are only usefull, if
you need the login expire and other shadow features. 
I put only the password from the local accounts into /etc/shadow. The
passwords form normal user are stored in passwd, and they don't have
shadow entries. This works with every System we have.

I hope this answers your questions.

  Thorsten

-- 
Thorsten Kukuk  kukuk@vt.uni-paderborn.de
                http://www-vt.uni-paderborn.de/~kukuk
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []