I received many replies to my request for help on
the YP master /etc/passwd dilemma. Thanks to all who
responded (there were some 40 or so of you).
Here is part of the original posting...
> I wish to restrict login access to my YP master, who
> is also the main file server.
>
> The 4.0 docs suggest that to do this one should first
> create the password map from /etc/passwd with all
> entries in it, then remove the entries of users who
> are to be denied access to the server from /etc/passwd.
Most people replied that they use a separate password
file for YP, while the master server keeps a truncated
/etc/passwd that still contains the YP lookup ("+") entries.
Caveats to doing so include...
- /usr/etc/rpc.yppasswdd must be pointed to the new YP password file.
- /etc/yp/Makefile must be made aware of the new path to the password
  file; this can be done with the command-line option "DIR=/new/path".
- Users not allowed to log into the master server may not receive
  mail on that machine, since their username is unknown there.
- Interactive users of the master server must use "yppasswd" instead
  of "passwd".
There was a reply by Seth Robertson <seth@sirius.ctr.columbia.edu>
with an exceptionally elegant way around the above stated caveats.
Note that Seth's solution does NOT rely on a separate YP password file.
Please comment if you see a problem with doing this, and my apologies
to Seth for not telling him that I would publish his note...
> ---From /etc/passwd---
> root:*I:0:1:The Root of All Evil:/:/bin/csh
> nobody:*:-2:-2::/:
> daemon:*:1:1:Nick Satan:/:/bin/sh
> sync::1:1::/:/bin/sync
> [ whole bunch of administrivia accounts deleted ]
> +@special-staff::0:0:::
> +@users:*:-2:-2:Nobody is allowed to log on to this machine::/usr/local/etc/aut [ All accounts appear here ]
> -----------------------------------
> ---From /etc/netgroup---
> special-staff (-,special,) (-,people,) (-,like,) (-,me,)
> users (-,,)
> -----------------------------------
>
> The ordering in the password file determines that all people in the
> netgroup special-staff are allowed to log in, and no one else is.
--Tim Perala (tperala@ub.d.umn.edu)
Systems Programmer, Information Services
University of Minnesota, Duluth
(218) 726-6122
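To check what a given /etc/passwd ordering actually lets in before putting it on the master, the following script simulates the "+"/"-" lookup order of a compat-mode passwd file against a netgroup map. It is an added illustration written for this archive page, not code from the thread or from Seth; the passwd, netgroup and NIS-map data are constructed stand-ins modelled on the example above (the shell path in the thread's "+@users" line is truncated in the archive, so a placeholder is used), and the override semantics it assumes (non-empty passwd, gecos, dir and shell fields of a "+" entry replace the NIS values, uid/gid are taken from the map; first matching line wins; "-" entries deny) are an assumption about compat mode, not a statement about any particular OS release. It generalises the thread's example by also handling "-name" and "-@netgroup" lines and nested netgroups.

```python
"""Simulate NIS compat-mode (+/-) lookups in /etc/passwd against a netgroup
map.  Added example for this page, not code from the original thread.
Assumed semantics: first matching passwd line wins; a '+' line admits the
NIS entry with its non-empty passwd/gecos/dir/shell fields overriding the
map; a '-' line denies; uid/gid always come from the map."""
import re

# Constructed sample /etc/passwd modelled on the thread's example.
PASSWD_TEXT = """\
root:*I:0:1:The Root of All Evil:/:/bin/csh
daemon:*:1:1:Nick Satan:/:/bin/sh
+@special-staff::0:0:::
+@users:*:-2:-2:Nobody is allowed to log on to this machine::/bin/false
"""

# Constructed /etc/netgroup: triples are (host,user,domain); an empty user
# field is a wildcard, "-" matches nothing.
NETGROUP_TEXT = """\
special-staff (-,special,) (-,people,) (-,like,) (-,me,)
users (-,,)
"""

# Constructed stand-in for the NIS passwd.byname map.
NIS_PASSWD = {
    "special": "special:ENCRYPTED:1001:20:Special Staff:/home/special:/bin/csh",
    "alice":   "alice:ENCRYPTED:1002:20:Alice:/home/alice:/bin/sh",
}

TRIPLE_RE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")


def parse_netgroups(text):
    """Map netgroup name -> (list of (host,user,domain), list of nested names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        triples = TRIPLE_RE.findall(rest)
        nested = TRIPLE_RE.sub(" ", rest).split()   # bare tokens are nested groups
        groups[name] = (triples, nested)
    return groups


def user_in_netgroup(groups, group, user, seen=None):
    """True if `user` matches a triple in `group` or any nested group."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return False
    seen.add(group)
    triples, nested = groups[group]
    if any(u == "" or u == user for _h, u, _d in triples):
        return True
    return any(user_in_netgroup(groups, g, user, seen) for g in nested)


def resolve(passwd_text, groups, nis, user):
    """Effective passwd entry for `user`, or None if unknown or explicitly denied.
    Walks the file top to bottom; the first line that matches decides."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 7)[:7]
        name = fields[0]
        if name[:1] in "+-":
            allow, sel = name[0] == "+", name[1:]
            if sel == "":
                hit = user in nis                      # "+": every NIS user
            elif sel.startswith("@"):
                hit = user in nis and user_in_netgroup(groups, sel[1:], user)
            else:
                hit = sel == user and user in nis      # "+name" / "-name"
            if not hit:
                continue
            if not allow:
                return None
            entry = nis[user].split(":")
            for i in (1, 4, 5, 6):                      # passwd, gecos, dir, shell
                if fields[i]:
                    entry[i] = fields[i]
            return ":".join(entry)
        if name == user:
            return line                                # ordinary local entry
    return None


def can_log_in(entry):
    """An entry whose password field starts with '*' cannot log in by password."""
    return entry is not None and not entry.split(":")[1].startswith("*")


if __name__ == "__main__":
    groups = parse_netgroups(NETGROUP_TEXT)
    for user in ("special", "alice", "daemon", "bob"):
        entry = resolve(PASSWD_TEXT, groups, NIS_PASSWD, user)
        print(f"{user:8} login={can_log_in(entry)!s:5} entry={entry}")
```

Running it shows the point of the ordering: "special" falls through to the +@special-staff line and keeps its map entry, while "alice" is caught by the +@users wildcard and comes back with "*" in the password field and the substitute shell, yet still resolves to a known username and uid, which is why the mail-delivery caveat does not bite this layout. A user absent from the map ("bob") matches nothing.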
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:03:55 CDT