You have uncovered one of the security problems with NIS.  Because NIS
is supposed to be usable across all Unix platforms, and because all
Unix systems have different shadow password facilities, there is no
practical way for NIS and shadow passwords to work together.  For
starters, the 'x' in place of the password is not standard.  In AIX,
among others, the '!' is used as the placeholder for a password.
Beyond that, the location and format of the shadowed password file is
different on different Unix systems.

NIS authentication works by essentially appending the NIS password map
onto the end of the normal password file.  The NIS map must be in a
format that the NIS client can understand.  So NIS uses the standard
password file format that all Unix systems use.

If you read the Makefile, you will notice that the script copies the
encrypted password from your shadowed password file into the NIS
password file.  This is one reason (there are others) that NIS and NFS
are considered to be insecure.  Depending on your security and network
requirements, you may want to consider alternatives to NIS.

Olivier Eymere
Distributed Systems Analyst

--- Hugo <[EMAIL PROTECTED]> wrote:
> Hi All
> 
> I am having some problems getting shadow passwords to work. I
> upgraded the server to RedHat 6.0 and re-installed NIS including,
> during the installation, enabling shadow passwords. However, they
> don't seem to work as the full encrypted password rather than an "x"
> appears when doing a ypcat for a user.
>
> I think it has something to do with the fact that in the
> /var/yp/Makefile, I had to set the options below to "false" because
> when they were set to "true", NIS didn't want to make the byname
> files. I had to get NIS up and running so I turned the following to
> "false":
>
> # Should we merge the passwd file with the shadow file ?
> # MERGE_PASSWD=true|false
> MERGE_PASSWD=false
>
> # Should we merge the group file with the gshadow file ?
> # MERGE_GROUP=true|false
> MERGE_GROUP=false
>
> When it was set to true, the error message said something along the
> lines of "no rule to merge password" and "no rule to merge group".
>
> Does anyone know how to enable shadow passwords - most importantly so
> that the "x" rather than the full encrypted password appears when
> doing a ypcat?
> 
> Thanks
> 
> Hugo
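
An added example (not part of the original messages) for checking what the thread describes: it classifies field 2 of passwd-format records, such as `ypcat passwd` output, to show which accounts expose a hash instead of a placeholder. The function names and sample records are constructed for illustration; the 'x' and '!' placeholders come from the reply above, while treating '*' as a lock marker and the hash-shape patterns are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify field 2 of passwd-format records read from stdin,
# such as the output of `ypcat passwd` on a NIS client.
classify_passwd_map() {
    awk -F: '
        NF == 0 { next }                          # skip blank lines
        NF != 7 { print $1 "\tmalformed"; next }  # passwd records have 7 fields
        {
            pw = $2
            rest = pw
            sub("^[!*]+", "", rest)   # drop lock markers in front of a hash
            if (pw == "")
                kind = "empty"                    # no password set at all
            else if (pw == "x" || rest == "")
                kind = "placeholder"              # "x", "!", "*", "!!" ...
            else if (rest ~ "^[$][0-9a-z]+[$]")
                kind = "hash-exposed:modular"     # $id$salt$hash style
            else if (length(rest) == 13 && rest ~ "^[./0-9A-Za-z]+$")
                kind = "hash-exposed:des"         # traditional 13-char crypt
            else
                kind = "unknown"
            print $1 "\t" kind
        }'
}

# Print only the account names whose hash is readable in the map.
exposed_accounts() {
    classify_passwd_map | awk -F'\t' '$2 ~ /^hash-exposed/ { print $1 }'
}

# Constructed sample records; the hash-shaped strings are made up.
sample_map() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
aixuser:!:201:1::/home/aixuser:/bin/ksh
alice:abJnggxhB/yWI:500:500:Alice:/home/alice:/bin/bash
bob:$1$constructed$0123456789abcdefghijkl:501:501::/home/bob:/bin/bash
carol:!$1$constructed$0123456789abcdefghijkl:502:502::/home/carol:/bin/bash
guest::503:503::/home/guest:/bin/sh
EOF
}

sample_map | classify_passwd_map
```

On a NIS client the same check is `ypcat passwd | exposed_accounts`; any name it prints has its hash readable by every host and user that can query the map.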
