[Message reformatted to 70 columns. Please skip the previous one.]

Hello,

I have come across the same issue.

1) The prompt "NIS server root password:" is irritating. It is not
the root pw but the user's pw that is needed. But there may be servers
which need the root pw also (if compiled with CHECKROOT=1). See
rpc.yppasswd(8).


2) The reason why the old pw is needed comes from rpc.yppasswd. It
wants the old pw along with the new one. Interestingly the old pw is
sent unencrypted (!), the new one encrypted. This is not only a
security risk if updating to the new pw fails. It also means prompting
for the old pw is unavoidable. No one can retrieve the unencrypted pw
from an encrypted value. And if I understand things correctly, the
encryption methods on server and client _must_ be the same (which is
recommended anyway).


3) Creating and deleting users and such basic things are only
meaningful on the NIS-server, aren't they? But on the server adduser
etc. work as usual, as long as you do not set the nis-option for
pam_unix. This should be done only on clients. Of course you need some
mechanism to update the NIS database (invoke make -C /var/yp).


4) What is really annoying: The prompt for the old pw comes up for
_local_ users also. I have a mail server with a local user cyrus (not
in NIS). Obviously pam_unix can handle that, but it wants the old pw.


5) The only solution I can imagine is to change the rpc.yppasswd
behaviour. But I'm in doubt whether this old mechanism will be changed
anymore. Maybe the -x option from rpc.yppasswd can be used to set up a
private mechanism.


Markus
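
An added illustration of point 2, not part of the original message: the argument body of a yppasswd update, XDR-encoded and parsed back the way a network monitor would see it. It assumes the field order of the yppasswd/xpasswd structs in rpcsvc/yppasswd.x, omits the RPC call header, and uses constructed sample values throughout.

```python
import struct

# Constructed sample values; none come from the original message.
SAMPLE_OLD = b"old-secret-pw"
SAMPLE_PW = {"name": b"alice", "passwd": b"$6$constructedsalt$CONSTRUCTEDHASH",
             "uid": 1001, "gid": 1001, "gecos": b"Alice Example",
             "dir": b"/home/alice", "shell": b"/bin/sh"}
STR_FIELDS_AFTER_IDS = ("gecos", "dir", "shell")

def xdr_string(s: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, data, zero padding to 4 bytes."""
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)

def encode_yppasswd(oldpass: bytes, pw: dict) -> bytes:
    """Argument body of the update call: oldpass, then the xpasswd struct."""
    out = xdr_string(oldpass) + xdr_string(pw["name"]) + xdr_string(pw["passwd"])
    out += struct.pack(">ii", pw["uid"], pw["gid"])
    for key in STR_FIELDS_AFTER_IDS:
        out += xdr_string(pw[key])
    return out

def decode_yppasswd(buf: bytes) -> dict:
    """Parse the same body back, as a network monitor would see it."""
    off = 0
    def rd_string() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">I", buf, off)
        data = buf[off + 4: off + 4 + n]
        if len(data) != n:
            raise ValueError("truncated XDR string")
        off += 4 + n + (-n % 4)
        return data
    rec = {"oldpass": rd_string(), "name": rd_string(), "passwd": rd_string()}
    rec["uid"], rec["gid"] = struct.unpack_from(">ii", buf, off)
    off += 8
    for key in STR_FIELDS_AFTER_IDS:
        rec[key] = rd_string()
    return rec

if __name__ == "__main__":
    wire = encode_yppasswd(SAMPLE_OLD, SAMPLE_PW)
    seen = decode_yppasswd(wire)
    print("old pw readable on the wire:", SAMPLE_OLD in wire)
    print("old pw field:", seen["oldpass"])
    print("new pw field (hash only):", seen["passwd"])
```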

