SUMMARY: NIS and Shadow Passwd

From: Jaap Romers (jaap@cs.ruu.nl)
Date: Mon Jun 22 1992 - 07:30:21 CDT


Hi System Managers,

Last week I asked the following to the net:

>We have a heterogenous network with HP's, Sun's and SGI's and in the
>future probably some NeXT workstations. Currently we are not running
>NIS, but we want to give it a try, if we can use it with shadow-
>passwd files. On the Sun's, it shouldn't be a problem (c2conv etc.),
>but what about the HP's, SGI's and NeXT ?
>
>Can they run with shadow-passwd if the NIS master server is a Sun
>and the slave servers having a different architecture.
>Or, is it possible to create a HP as a NIS master server an the
>other arch's as slave servers.

I did get several answers and my conclusion is: it's not possible.

Here ar some answers:

>Sun's shadow-passwd NIS map mechanism uses a proprietary extension
>to the NIS protocol. Thus, you will not be able to use NIS to distribute
>password information to any non-Sun hosts unless the vendor has
>reverse-engineered the shadow-passwd mechanism. We have not done this
>at SGI as we will be supporting SVR4 shadow-passwords in an upcoming
>release.

>HP's shadow password scheme does not cooperate with NIS.
>and, since there is no standard method of supporting shadow
>passwords within NIS, solutions each vendor take are likely
>to be divergent.

>If all you want to do is keep ypcat from being used to grab the encrypted
>passwords, then just `chown root ypcat; chmod og-x ypcat`. That would
>be a minor inconvenience for a serious bad guy.

Credits:

casey@anchovy.wpd.sgi.com (Casey Schaufler)
Chris Steinbroner <hesh@hposl42.cup.hp.com>
vulture@carrion.cc.ic.ac.uk (Thomas Sippel - Dau)

                                             --Jaap--

J.M. Romers HP/Sun System Manager
Utrecht University Department of Computer Science
P.O. Box 80.089 Email: jaap@cs.ruu.nl
3508 TB Utrecht Telephone: +31 30 532248
The Netherlands Telefax: +31 30 513791



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:44 CDT