11/14 Ugg. It took me all of 20 seconds to figure out NIS on linux.
I can't even figure out how to lock a yppasswd on solaris. Help.
\_ Hint: Your issue is not with NIS
\_ Uhh, what is it with?
\_ Solaris' passwd mechanism doesn't provide a locking mechanism
(unless it's a recent addition i don't know about)
\_ from shadow(4):
The lock string is defined as *LK* in the
first four characters of the password field.
--Jon
\_ further note, you can use NP as the passwd string
which will allow uid to run cron jobs/etc --Jon
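An added example, not from the thread: a small Python audit that applies the shadow(4) convention Jon quotes (`*LK*` in the first four characters means locked, `NP` means no interactive login) to the password field of account entries. The sample entries are constructed; the password field is the second field in both /etc/shadow lines and NIS passwd map output, so the same check works on either.

```python
"""Audit Solaris-style shadow(4) / NIS passwd entries for account lock state."""

# Constructed sample entries (not from any real system). The password field is
# field 2 in both /etc/shadow and the NIS passwd map.
SAMPLE_ENTRIES = """\
root:$5$c0nstructed$N0tARealHashJustSampleTextForTheExample012345678:18000::::::
alice:*LK*$5$c0nstructed$N0tARealHashJustSampleTextForTheExample012345678:18000::::::
batch:NP:18000::::::
guest::18000::::::
svc:*LK*:18000::::::
bob:x:18000::::::
"""

LOCKED, NO_LOGIN_NP, EMPTY, HASHED, UNUSABLE = (
    "locked", "np-non-interactive", "EMPTY-no-password", "hashed", "unusable")


def classify_password_field(field):
    """Map a shadow/passwd password field to an account state per shadow(4)."""
    if field[:4] == "*LK*":
        return LOCKED          # locked; the original hash may follow *LK*
    if field == "NP":
        return NO_LOGIN_NP     # no interactive login, but cron jobs etc. still run
    if field == "":
        return EMPTY           # anyone can log in with no password at all
    if field.startswith("$") or len(field) == 13:
        return HASHED          # crypt(3)-style hash, interactive login allowed
    return UNUSABLE            # e.g. 'x' (hash lives elsewhere) or '*': never matches


def audit(entries):
    """Return {username: state} for every non-empty, non-comment line."""
    result = {}
    for line in entries.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue           # malformed line: skip rather than guess
        result[fields[0]] = classify_password_field(fields[1])
    return result


def risky_accounts(entries):
    """Usernames needing attention: empty password, or NP where a lock was expected."""
    states = audit(entries)
    return sorted(u for u, s in states.items() if s in (EMPTY, NO_LOGIN_NP))


if __name__ == "__main__":
    for user, state in audit(SAMPLE_ENTRIES).items():
        print(f"{user:8} {state}")
```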
\_ Which you should not be using anyway...
\_ Well, I don't fault people using NIS in a secured corporate
environment.
\_ Hard on the outside, soft and chewy in the center.
\_ I've worked on a lot of networks and they have all
been like this (well, hardER on the outside anyway,
some were pretty soft all around).
\_ Probably, but with NIS you may as well not even
bother with security.
\_ NIS really isn't that bad in terms of
security if you have strong passwords
enforced. NFS, that's another thing. -tom
\- you need more than strong passwds. you need
tight securenets, you need to not let
people log into servers, you probably need
the servers hardcoded to the clients etc.
in many environments sniffed credentials
are now a bigger problem than cracked
passwds. once somebody gets unauthorized
access to an unpriv nis account, it is
highly likely they will be able to find
some local exploit. and without the other
issues raised above you are potentially vuln
if a machine not even in your domain but
just within your bcast domain is rooted.
that being said, i think nis has its place
but that is beyond the scope here.
\_ I didn't build the system, I was just hired to make
a few changes, not rebuild it. -top
\_ One good and fairly secure alternative to NIS, if you don't
want to go with LDAP, is to set up cfengine to rebuild
/etc/{passwd,shadow} files on all machines. The downside of
doing this is that if someone roots a client box they can
still see your local /etc/shadow file. This sort of thing
could be prevented with LDAP.