Date:      Sat, 03 Mar 2001 19:47:00 -0600
From:      Philip Kizer <pckizer@nostrum.com>
To:        Roman Shterenzon <roman@harmonic.co.il>
Cc:        "Brandon D. Valentine" <bandix@looksharp.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: NIS/YP problems on FBSD 4.2-STABLE 
Message-ID:  <200103040147.f241l1v45352@magus.nostrum.com>
In-Reply-To: Your message of "Wed, 28 Feb 2001 16:00:20 +0200." <983368820.3a9d047476306@webmail.harmonic.co.il>

Roman Shterenzon <roman@harmonic.co.il> wrote:
>I think that what's missing in FreeBSD NIS implementation is the ability to
>change password field to "x" for requests from high ports (the present
>implementation just denies access).
>I was looking into bringing this to FreeBSD (from linux), but unfortunately
>didn't quite have time to get to it.

I'm not sure exactly what you mean by "the present implementation just
denies access".  It's not the ypserv that 'change[s] password field to "x"',
it's the map creation process.

The FreeBSD stable ypserv Makefile will by default take the
/var/yp/master.passwd, store it "securely" in master.passwd.by{name,uid},
and strip out the "extra" fields to make a passwd.by{name,uid} that contains
"*" in the passwd field.  The master.passwd.* maps are retrievable only
from privileged ports due to the YP_SECURE field.

See:

<http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ypserv/Makefile.yp?rev=1.31>
(or /var/yp/Makefile*)

for details on the map creation process.

If you want to use the same NIS server for serving passwords "securely" to
Linux and Solaris boxes, this patch (minus some fuzz) should do the trick
for you (note the ${S} in the mkdb command for marking the map as "secure"):

--- Makefile.yp	Sat Mar  3 19:42:10 2001
+++ Makefile	Sat Mar  3 19:42:29 2001
@@ -125,0 +126,2 @@
+TARGETS+= passwd.adjunct.byname
+TARGETS+= shadow.byname
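Review bot: Both TARGETS+= lines are unconditional, so every build now creates and pushes passwd.adjunct.byname and shadow.byname even on servers with no Linux or Solaris clients, and both maps carry the password field ($$2 in the rules added in the next hunk). Consider adding them only when a site-set make variable asks for them, with a comment saying which client type each map is for.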
@@ -587,0 +590,28 @@
+
+passwd.adjunct.byname: $(MASTER)
+	@echo "Updating $@..."
+.if ${MASTER} == "/dev/null"
+	@echo "Master.passwd source file not found -- skipping"
+.else
+	$(CAT) $(MASTER) | \
+	$(AWK) -F:  'BEGIN{OFS=":"}{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 !~ /^+/ && $$1 !~ /^-/) print $$1"\t"$$1,$$2,$$3,$$4,$$8,$$9,$$10 }' $^ \
+		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
+		$(RMV) $(TMP) $@
+	@$(DBLOAD) -c
+	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+	@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+.endif
+
+shadow.byname: $(MASTER)
+	@echo "Updating $@..."
+.if ${MASTER} == "/dev/null"
+	@echo "Master.passwd source file not found -- skipping"
+.else
+	$(CAT) $(MASTER) | \
+	$(AWK) -F: 'BEGIN{OFS=":"}{ if ($$1 != "" && $$1 !~ "^#.*" && $$1 !~ "^+" && $$1 !~ /^-/) print $$1"\t"$$1,$$2,$$6,":::",$$7,"" }' $^ \
+		| $(DBLOAD) ${S} -f -i $(MASTER) -o $(YPMAPDIR)/$@ - $(TMP); \
+		$(RMV) $(TMP) $@
+	@$(DBLOAD) -c
+	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOMAIN) $@; fi
+	@if [ ! $(NOPUSH) ]; then echo "Pushed $@ map." ; fi
+.endif
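Review bot: Both awk print statements emit $$2, the password field from $(MASTER), so the only thing keeping these maps away from unprivileged clients is ${S} on the $(DBLOAD) line; if ${S} expands to nothing the maps are built without the secure marking and nothing in the rule notices. A comment above each target stating that dependency, or a check that skips the target when ${S} is empty, would make the requirement explicit. Separately, the "+" filter differs between the two rules: passwd.adjunct.byname uses the regex literal /^+/ while shadow.byname uses the string "^+". A + directly after ^ has nothing to repeat and awk implementations may not agree on how to treat it, so /^[+-]/ in both rules would cover the + and - tests unambiguously.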


Please let me know if I misunderstood you,

-philip

-- 
Philip Kizer,
USENIX Liaison to Texas A&M University       <usenix@tamu.edu>
Texas A&M CIS Operating Systems Group, Unix <pckizer@tamu.edu>
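
The map-creation step described in the message (the password field kept only in a secure map, and a stripped passwd view carrying "*"), as an added example that is not part of the original message or of FreeBSD's Makefile.yp. The function names, the sample accounts and the fake hashes are constructed, and the audit assumes that only "*" and "x" are acceptable placeholders in a map served without YP_SECURE.

```shell
#!/bin/sh
# Constructed master.passwd(5) sample: name:passwd:uid:gid:class:change:expire:gecos:home:shell
sample_master() {
cat <<'EOF'
# comment line, skipped by the map build
root:$1$FAKEsalt$FAKEhashFAKEhashFAKE0:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$FAKEsalt$FAKEhashFAKEhashFAKE1:1001:1001:staff:0:0:Alice Example:/home/alice:/bin/sh
+:::::::::
EOF
}

# Emit "key<TAB>value" records in 7-field passwd layout, dropping class,
# change and expire. $1 is the replacement for the password field; an empty
# $1 keeps the real field, which is only acceptable for a YP_SECURE map.
passwd_view() {
    awk -F: -v pw="$1" 'BEGIN { OFS = ":" }
        $1 == "" || $1 ~ /^#/ || $1 ~ /^[+-]/ { next }
        { print $1 "\t" $1, (pw == "" ? $2 : pw), $3, $4, $8, $9, $10 }'
}

# Read "key<TAB>value" records and print the key of every record whose
# password field is something other than the "*" or "x" placeholder.
audit_map() {
    awk -F'\t' '{
        n = split($2, f, ":")
        if (n < 2 || (f[2] != "*" && f[2] != "x")) print $1
    }'
}

echo "stripped view (safe to serve to any port):"
sample_master | passwd_view '*'
echo "records exposing a password field in the stripped view:"
sample_master | passwd_view '*' | audit_map
echo "records exposing a password field when nothing is stripped:"
sample_master | passwd_view '' | audit_map
```

Feeding audit_map the key/value dump of a real map that is served without the secure marking gives the same check against live data.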
