<HTML
><HEAD
><TITLE
>Using NIS with Shadow Support</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="Linux Network Administrators Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="The Network Information System"
HREF="x-087-2-nis.html"><LINK
REL="PREVIOUS"
TITLE="Using the passwd and group Maps"
HREF="x-087-2-nis.passwd.html"><LINK
REL="NEXT"
TITLE="The Network File System"
HREF="x-087-2-nfs.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Network Administrators Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x-087-2-nis.passwd.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 13. The Network Information System</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x-087-2-nfs.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="X-087-2-NIS.SHADOW"
>13.9. Using NIS with Shadow Support</A
></H1
><P
>
Using NIS in conjunction with shadow password files is somewhat problematic.
First we have some bad news: using NIS defeats the goals of shadow passwords.
The <TT
CLASS="FILENAME"
>shadow</TT
> password scheme was designed to prevent
nonroot users from having access to the encrypted form of the login
passwords. Using NIS to share <TT
CLASS="FILENAME"
>shadow</TT
> data by necessity
makes the encrypted passwords available to any user who can listen to the NIS
server replies on the network. A policy that forces users to choose
“good” passwords is arguably better than trying to shadow
passwords in an NIS environment. Let's take a quick look at how you do it,
should you decide to forge on ahead.</P
><P
>In libc5 there is no real solution to sharing <TT
CLASS="FILENAME"
>shadow</TT
> data
using NIS. The only way to distribute password and user information by NIS is
through the standard <TT
CLASS="FILENAME"
>passwd.*</TT
> maps. If you do have
shadow passwords installed, the easiest way to share them is to generate a
proper <TT
CLASS="FILENAME"
>passwd</TT
> file from <TT
CLASS="FILENAME"
>/etc/shadow</TT
>
using tools like <B
CLASS="COMMAND"
>pwunconv</B
>, and create the NIS maps from
that file.</P
><P
>Of course, there are some hacks that make it possible to use NIS and shadow
passwords at the same time, for instance, installing an <TT
CLASS="FILENAME"
>/etc/shadow</TT
>
file on each host in the network while distributing user information through
NIS. However, this hack is really crude and defeats the goal of NIS,
which is to ease system administration.</P
><P
>
The NIS support in the GNU libc library (libc6) provides support for shadow
password databases. It does not provide any real solution to the problem of
your passwords being accessible, but it does simplify password management in
environments in which you do want to use NIS with shadow passwords.
To use it, you must create a <TT
CLASS="FILENAME"
>shadow.byname</TT
> database
and add the following line to your <TT
CLASS="FILENAME"
>/etc/nsswitch.conf</TT
>:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
><TT
CLASS="USERINPUT"
><B
># Shadow password support</B
></TT
>
<TT
CLASS="USERINPUT"
><B
>shadow: compat</B
></TT
></PRE
></TD
></TR
></TABLE
></P
><P
>If you use shadow passwords along with NIS, you must try to maintain some
security by restricting access to your NIS database. See <A
HREF="x-087-2-nis.securenets.html"
>Section 13.5</A
> earlier in this chapter.</P
></DIV
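><DIV
CLASS="EXAMPLE"
><P
>The exposure described in this section can be checked from any NIS client. The following is an added example, not part of the original guide: it scans passwd-format map text (such as the output of <B
CLASS="COMMAND"
>ypcat passwd</B
>) for entries that carry a usable hash or an empty password, and checks whether nsswitch.conf lets NIS answer shadow lookups. The function names and the sample data are constructed for illustration.</P
>

```python
import re

# Modular-crypt prefixes and the scheme each identifies; 13 chars = DES crypt.
MCF = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
       "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify_password_field(field):
    """Return the hash scheme in a passwd field, "empty", or None if no hash."""
    if field == "":
        return "empty"                  # account needs no password at all
    if field == "x" or field[0] in "*!":
        return None                     # shadowed placeholder or locked account
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m:
        return MCF.get(m.group(1), "unknown-mcf")
    return "descrypt" if DES_CRYPT.fullmatch(field) else None

def audit_passwd_map(map_text):
    """List (user, scheme) for entries whose hash is readable from the map."""
    findings = []
    for line in map_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue                    # skip blank or malformed entries
        scheme = classify_password_field(parts[1])
        if scheme is not None:
            findings.append((parts[0], scheme))
    return findings

def shadow_uses_nis(nsswitch_text):
    """True if the shadow database in nsswitch.conf can be answered by NIS."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("shadow:"):
            return any(s in ("nis", "compat") for s in line.split(":", 1)[1].split())
    return False

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_MAP = """\
alice:ab01FAX.bQRSU:1001:100:Alice:/home/alice:/bin/bash
bob:$6$constructedsalt$PLACEHOLDERHASH:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
dave:*:1004:100:Dave:/home/dave:/bin/false
erin::1005:100:Erin:/home/erin:/bin/bash
"""
SAMPLE_NSSWITCH = "# Shadow password support\nshadow: compat\n"
if __name__ == "__main__":
    print(audit_passwd_map(SAMPLE_MAP), shadow_uses_nis(SAMPLE_NSSWITCH))
```

</DIV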
></BODY
></HTML
>