Berkeley CSUA MOTD:Entry 40576
2005/11/14-15 [Computer/SW/OS/Solaris] UID:40576 Activity:moderate
11/14   Ugg. It took me all of 20 seconds to figure out NIS on linux.
        I can't even figure out how to lock a yppasswd on solaris.  Help.
        \_ Hint: Your issue is not with NIS
           \_ Uhh, what is it with?
              \_ Solaris' passwd mechanism doesn't provide a locking mechanism
                 (unless it's a recent addition i don't know about)
                 \_ from shadow(4):
                    The lock string is defined as  *LK*  in  the
                    first four characters of the password field.
                    --Jon
                    \_ further note, you can use NP as the passwd string
                       which will allow uid to run cron jobs/etc --Jon
           \_ Which you should not be using anyway...
              \_ Well, I don't fault people using NIS in a secured corporate
                 environment.
                 \_ Hard on the outside, soft and chewy in the center.
                     \_ I've worked on a lot of networks and they have all
                        been like this (well, hardER on the outside anyway,
                        some were pretty soft all around).
                        \_ Probably, but with NIS you may as well not even
                           bother with security.
                           \_ NIS really isn't that bad in terms of
                              security if you have strong passwords
                              enforced.  NFS, that's another thing.  -tom
                              \- you need more than strong passwds. you need
                                 tight securenets, you need to not let
                                 people log into servers, you probably need
                                 the servers hardcoded to the clients etc.
                                  in many environments sniffed credentials
                                  are now a bigger problem than cracked
                                 passwds. once somebody gets unauthorized
                                 access to an unpriv nis account, it is
                                 highly likely they will be able to find
                                 some local exploit. and without the other
                                 issues raised above you are potentially vuln
                                 if a machine not even in your domain but
                                 just within your bcast domain is rooted.
                                 that being said, i think nis has its place
                                 but that is beyond the scope here.
              \_ I didn't build the system, I was just hired to make
                 a few changes, not rebuild it. -top
            \_ One good and fairly secure alternative to NIS, if you don't
               want to go with LDAP, is to setup cfengine to rebuild
               /etc/{passwd,shadow} files on all machines. The downside of
               doing this is that if someone roots a client box they can
               still see your local /etc/shadow file. This sort of thing
               could be prevented with LDAP.
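The shadow(4) lock string Jon cites above, as an added example that is not part of the MOTD thread: a small Python script that classifies the password field of each entry in a shadow-style file (*LK* locked, NP no-password, empty, or a real hash) and locks or unlocks an account by prepending or stripping the *LK* prefix while keeping the original hash behind it. The sample file contents, the user names and the hash strings are constructed for the example; it only edits text, it does not touch a live /etc/shadow or a NIS map.

```python
# Added example, not code from the MOTD thread. Handles the two Solaris
# shadow(4) conventions quoted above: "*LK*" in the first four characters of
# the password field locks the account, and "NP" means no password login but
# the account still exists for cron and similar uses.

LOCK = "*LK*"
NO_PASSWORD = "NP"

# Constructed sample shadow file: names and hashes are made up.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:13100::::::
jon:*LK*$1$abcdefgh$ijklmnopqrstuvwxyz01234:13100::::::
batch:NP:13100::::::
guest::13100::::::
"""


def classify(password_field):
    """Map a shadow password field to 'locked', 'no-password', 'empty' or 'hashed'."""
    if password_field.startswith(LOCK):
        return "locked"
    if password_field == NO_PASSWORD:
        return "no-password"
    if password_field == "":
        return "empty"          # no password at all: worse than NP, worth flagging
    return "hashed"


def parse_shadow(text):
    """Yield (user, password_field, remaining_fields) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed shadow line: %r" % line)
        yield fields[0], fields[1], fields[2:]


def account_states(text):
    """Return {user: state} for every entry, using classify()."""
    return {user: classify(pw) for user, pw, _ in parse_shadow(text)}


def _rewrite_password(text, user, transform):
    """Apply transform() to USER's password field; other lines are untouched."""
    out = []
    found = False
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            found = True
            fields[1] = transform(fields[1])
        out.append(":".join(fields))
    if not found:
        raise KeyError(user)
    return "\n".join(out) + "\n"


def lock_user(text, user):
    """Prepend *LK* to USER's password field (idempotent), keeping the old hash."""
    return _rewrite_password(
        text, user, lambda pw: pw if pw.startswith(LOCK) else LOCK + pw)


def unlock_user(text, user):
    """Strip a leading *LK* from USER's password field, restoring the old hash."""
    return _rewrite_password(
        text, user, lambda pw: pw[len(LOCK):] if pw.startswith(LOCK) else pw)


if __name__ == "__main__":
    for user, state in account_states(SAMPLE_SHADOW).items():
        print("%-8s %s" % (user, state))
    locked = lock_user(SAMPLE_SHADOW, "root")
    print(account_states(locked)["root"])   # locked
```

Because the hash is kept behind the *LK* prefix, unlocking restores the account exactly as it was; a lock string that replaced the hash outright would force a password reset instead. The same classifier can be pointed at a dumped passwd.byname map to spot NIS entries that have no password or an empty field.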