NIS Logging

Cameron Simpson cs at zip.com.au
Thu Nov 17 02:30:26 UTC 2005


On 16Nov2005 17:44, Waldher, Travis R <Travis.R.Waldher at boeing.com> wrote:
| Is there a way to make a NIS master/slave log all authentication
| requests, who made the request, and where the request came from?
| 
| Such as... showing that Travis authenticated against redhatbox1, on
| January 15, 2006 8:00am.

Probably not in the form you want. See lower for a different way.

The problem is that people do not authenticate against NIS
servers. Instead, they authenticate against the OS' login facilities;
the OS consults NIS to obtain information but doesn't perform anything
looking like an authentication when talking to the NIS - the NIS is just
a set of network accessible tables.

So... I login as "cameron", supplying a password. The login program will
call getpwnam("cameron") to obtain the "cameron" record from the OS;
the underlying library will fetch the "cameron" record from the NIS.

Now, that has my password hash in it and the login program verifies my
supplied password against that hash. But the NIS server doesn't know the
purpose of this record fetch.

A contrasting example: "ls -l" will list login names, obtained via
getpwuid(), which will pull records from the NIS based on user id number.
The same info is returned (login, crypt, uid, gid, gecos, homedir, shell,
etc) except that this time none of it is used for authentication.

You might profitably log fetch-by-login, but plenty of programs do a
getpwnam() for non-authentication purposes. Every shell does this when
you type:

	cd ~travis

to find out travis' home directory location, mail programs do it to fill in
fullnames when you compose email, etc.

So a fetch-by-login does not imply authentication.

You are probably better off looking at the login programs. Many log
to syslog; sshd certainly does, and I imagine the various getty/login
programs will in addition to the regular wtmp logging.

The syslog service can be configured to copy records to a central syslog
server, and you could then track this stuff at the central server.
But you'll have to get the logging happening first, and the NIS servers
are not what you want to instrument - instrument the login programs.

Cheers,
--
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

I do find these commercials entertaining, but then again, I own a Slinky.
        - ART100 at psuvm.psu.edu (Andy Tefft)
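The approach suggested above, instrumenting the login programs rather than the NIS servers and reading their syslog output at a central loghost, worked through as an added example. This is not code from the original post or the mailing list; it is a small parser for the "Accepted/Failed ... for USER from HOST" lines that OpenSSH's sshd emits and the "LOGIN ON tty BY user" lines from the util-linux login program, and it turns them into the "Travis authenticated against redhatbox1 on January 15, 2006 8:00" record the question asked for. The log lines, host names, user names and addresses are constructed for the example; classic syslog timestamps carry no year, so the year is passed in by the caller.

```python
"""Turn sshd/login syslog records into 'who authenticated where, and when'.

Added example; the sample log below is constructed, not captured.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed syslog lines, in the BSD "Mon DD HH:MM:SS host prog[pid]: msg"
# shape a central syslog server receives from forwarding clients.
# Hosts, users, addresses and PIDs are hypothetical.
SAMPLE_LOG = """\
Jan 15 08:00:12 redhatbox1 sshd[4122]: Accepted password for travis from 192.0.2.10 port 51022 ssh2
Jan 15 08:00:40 redhatbox1 sshd[4130]: Failed password for invalid user bob from 192.0.2.11 port 51030 ssh2
Jan 15 08:01:05 redhatbox2 login[2231]: LOGIN ON tty1 BY travis
Jan 15 08:01:30 redhatbox2 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 08:02:17 redhatbox1 sshd[4141]: Accepted publickey for cameron from 192.0.2.12 port 51040 ssh2
"""

# Outer syslog envelope: timestamp, originating host, program (optional [pid]).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH sshd authentication result. "invalid user" is emitted when the
# login name does not exist at all; we keep the name but mark the failure.
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# util-linux login(1) console login record (only successes are logged this way).
LOGIN_RE = re.compile(r"^LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)$")


@dataclass
class AuthEvent:
    when: datetime
    host: str      # machine the user authenticated against
    user: str
    source: str    # client address (sshd) or tty (console login)
    method: str    # password, publickey, console, ...
    success: bool


def parse_auth_events(text: str, year: int) -> List[AuthEvent]:
    """Extract authentication events; non-auth syslog lines are ignored."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        prog, msg, host = m["prog"], m["msg"], m["host"]
        if prog == "sshd":
            s = SSHD_RE.match(msg)
            if s:
                events.append(AuthEvent(when, host, s["user"], s["src"],
                                        s["method"], s["result"] == "Accepted"))
        elif prog == "login":
            l = LOGIN_RE.match(msg)
            if l:
                events.append(AuthEvent(when, host, l["user"], l["tty"],
                                        "console", True))
    return events


def successful_logins_for(user: str, events: List[AuthEvent]) -> List[AuthEvent]:
    """Only accepted authentications for one login name."""
    return [e for e in events if e.user == user and e.success]


def describe(e: AuthEvent) -> str:
    """Render one event in the form the original question wanted."""
    status = "authenticated against" if e.success else "failed to authenticate against"
    return (f"{e.user} {status} {e.host} on {e.when:%B %d, %Y %H:%M} "
            f"via {e.method} from {e.source}")


if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG, 2006):
        print(describe(ev))
```

The CRON line is skipped entirely because it is not an authentication record, which is the point of the post: log sources that only show a record was fetched (NIS) cannot tell you this, whereas the login programs can. In practice the loghost would feed real syslog files to parse_auth_events, and the year would be taken from the file's rotation date.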
