Date:      Wed, 15 Aug 2001 21:07:54 -0500
From:      Christopher Schulte <christopher@schulte.org>
To:        freebsd-questions@FreeBSD.ORG
Subject:   NIS implementation question (system VS map passwords)
Message-ID:  <5.1.0.14.0.20010815204310.027a3bb8@pop.schulte.org>

Thanks in advance to all who read enough of this to understand what I'm doing!

I have 2 machines that use NIS. a) server b) client

Server does things like email[pop and smtp], dns, web, nfs export of 
/usr/home, etc.
Client is a public box which users can shell into and read email, upload 
files, etc.

I want an NIS setup which fulfills these two primary requirements

1) The server only exports user accounts (no admin accounts from server, 
ala root and such)
2) The client is able to update user passwords via yppasswd on client and 
rpc.yppasswdd on server.
         a) Both the nis maps AND system account passwords must be changed

One solution which does not fulfill both is:
1) run rpc.yppasswd on server with '-t /etc/master.passwd' so password 
updates will enter into server's account database
2) tell server to use /etc/master.passwd to build NIS maps for export.

The main drawback is that all accounts (including server's root) are 
available to the client via ypcat if the system was compromised.  Here, 
Users can change both NIS and system account passwords.  This is important, 
since services like pop3 on server need updated passwords.  And shell/ftp 
need the same on the client.

The obvious solution is to cp /etc/master.passwd to /var/yp and edit out 
the admin accounts before building NIS maps.  But then my users can only 
use yppasswd on client to update /var/yp/master.passwd (which grants access 
to shell) and not nis server's /etc/master.passwd (used to access pop3 on 
server).

So, to cut right to the chase:

Can I tell ypserv to serve only a subset of /etc/master.passwd, OR
         Tell rpc.yppasswdd to propagate changes to /var/yp/master.passwd 
to /etc/master.passwd and run pwd_mkdb ?

Or is there another way which I'm not considering?

Thanks!

--
Christopher Schulte
Finger for PGP key, or for UNIX impaired:
http://noc.schulte.org/cgi-bin/noc/finger.cgi
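The "edit out the admin accounts" step described in the post, done as a UID-threshold filter over master.passwd so that low-UID entries never reach the exported NIS map source. This is an added example, not the poster's code or anything shipped with FreeBSD; the 1000 cutoff, the EXCLUDE_USERS list and the sample records are assumptions.

```sh
#!/bin/sh
# Added example: build an NIS source file that omits admin accounts.
# Input on stdin is in master.passwd format (10 colon-separated fields):
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Keeps only records whose uid is at or above MIN_UID (assumed 1000) and
# whose login name is not in EXCLUDE_USERS. Malformed lines are dropped.

MIN_UID=1000
# Hypothetical names to drop regardless of uid (space separated).
EXCLUDE_USERS="nobody"

filter_nis_passwd() {
    awk -F: -v min="$MIN_UID" -v excl="$EXCLUDE_USERS" '
        BEGIN { n = split(excl, ex, " "); for (i = 1; i <= n; i++) skip[ex[i]] = 1 }
        NF != 10 { next }            # not a master.passwd record
        $3 !~ /^[0-9]+$/ { next }    # uid must be numeric
        ($3 + 0) < min { next }      # system/admin uid range
        ($1 in skip) { next }        # explicitly excluded name
        { print }
    '
}

# Constructed sample input (fake hashes), not a real master.passwd.
SAMPLE='root:$1$abc$hash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:$1$def$hash:1001:1001::0:0:Alice Example:/usr/home/alice:/bin/sh
bob:$1$ghi$hash:1002:1002::0:0:Bob Example:/usr/home/bob:/bin/tcsh
broken:entry'

# Login names that survive the filter, space separated, for a quick check.
kept_users() {
    printf '%s\n' "$SAMPLE" | filter_nis_passwd | cut -d: -f1 \
        | tr '\n' ' ' | sed 's/ *$//'
}

# On a real NIS master (as root) the same filter would be used as:
#   filter_nis_passwd < /etc/master.passwd > /var/yp/master.passwd
#   chmod 600 /var/yp/master.passwd
```

This only limits what ends up in the map source; it does not change where rpc.yppasswdd writes password updates, which is the second half of the question above.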





