NIS Passwords


Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 12.  Naming Services and NIS


Before we go ahead and build the servers, now is a good time to make sure all the entries in the input files are correct and tidy them up if we need to. In particular, this means that we need to be careful about the password information. It's always recommended not to include root in the NIS passwd file for security reasons, thus forcing each system to use the root passwd entry from its own /etc files.

There are also a number of caveats we need to be aware of when implementing NIS; the main ones we'll look at are listed here:

  • Password aging is not available; it is only supported in "local files," NIS+, and LDAP.

  • The shadow passwd is not directly converted to a map. The passwords are pulled out and incorporated into the passwd map, which means that encrypted passwords can be seen by anyone using ypcat.

We'll look at password security in two parts, generating a "first level" of security that is easy to implement before creating a "second level" that will work around some of the security issues. For the first level we will carry out the following tasks:

  • Each system's /etc/passwd and /etc/shadow will be left as standard, and so will only contain the "system" users, such as root, uucp, and so forth.

  • Any additional users will be added on the master server and stored in a special password file.

The special password file that we'll use will be stored in the NIS data directory, /var/yp, which means that the files /var/yp/passwd and /var/yp/shadow will become the master password files used to generate the NIS passwd map.

Update the User Creation Script

Earlier, in Chapter 3, "User Administration," we created a script named createUser that we'll run whenever new users are added to the system. This now needs to be modified to make sure that users are instead added to our special password file and that the NIS passwd map is rebuilt every time a user is added. The changes we'll make to the script are shown in the listing below:

 tin# cat /usr/local/utils/bin/createUsers
 #!/bin/ksh
 #
 # A script to create users in a "company format."
 # This uses a default, encrypted password that has been
 # obtained by pulling a known password from the shadow
 # file. Users are forced to alter it at first login.
 # It assumes the group already exists and is valid.
 #
 #
 # set our company defaults
 #
 home=/export/home
 shell=/bin/ksh
 skel=/etc/skel
 password=hViVZtexneY8Y  # default encrypted password (changeme)
 warnDays=5
 validDays=60
 ypPasswdFile=/var/yp/passwd
 ypShadowFile=/var/yp/shadow
 tmpShadow=/tmp/shadow.$$
 tmpPasswd=/tmp/passwd.$$
 <lines removed for clarity>
 #
 # set the password timeouts
 #
 passwd -f -w ${warnDays} -x ${validDays} ${user}
 #
 # Now move the account into the yp location
 #
 tail -1 /etc/passwd >> ${ypPasswdFile}
 tail -1 /etc/shadow >> ${ypShadowFile}
 #
 # Strip them from the "main" password/shadow files.
 # cp (rather than mv) keeps the owner and mode of the
 # files in /etc, so /etc/shadow stays unreadable to users.
 #
 sed -e "/^${user}:/d" /etc/passwd > ${tmpPasswd}
 if [ -s ${tmpPasswd} ]; then
     cp ${tmpPasswd} /etc/passwd
     if [ $? -ne 0 ]; then
       echo "Error: Cannot copy new password file"
       exit 1
     fi
     rm -f ${tmpPasswd}
 fi
 sed -e "/^${user}:/d" /etc/shadow > ${tmpShadow}
 if [ -s ${tmpShadow} ]; then
     cp ${tmpShadow} /etc/shadow
     if [ $? -ne 0 ]; then
       echo "Error: Cannot copy new shadow file"
       exit 1
     fi
     rm -f ${tmpShadow}
 fi
 #
 # Update the account with any "standard" settings
 #
 cd /var/yp
 make passwd
 edquota -p ${quotaAccount} ${user}
 exit 0
 tin#

So, what have we changed and why? We've altered the two variables, PASSWD_FILE and SHADOW_FILE, to point to our new location in /var/yp. The egrep statements have been altered to make sure we check the information in /etc as well as the ones in /var/yp when looking for existing users. Lastly, we make sure that the NIS maps are rebuilt and propagated. (We have to do this before checking the quotas, otherwise we would see nonexistent user errors, which is also why we use the UID rather than the user's name with the chown command.)

Update the Makefile

Whenever the NIS maps are built, /etc is used as the location for any source files by default and is specified in the makefile. We need to alter this so that it now uses the two new files we have just created: /var/yp/passwd and /var/yp/shadow. Fortunately, this is a common task, so a variable named PWDIR has been defined within it to indicate the password location. The default entry is shown below:

 tin# grep "^PWDIR" Makefile
 PWDIR =/etc
 tin#

Let's alter this to the location of our new files, which in our case is /var/yp; we'll use sed to quickly perform the substitution:

 tin# cd /var/yp
 tin# cp Makefile Makefile.orig
 tin# sed -e 's/^PWDIR.*$/PWDIR = \/var\/yp/' < Makefile.orig > Makefile
 tin# grep "^PWDIR" Makefile
 PWDIR =/var/yp
 tin#

User Password Changes

The next thing we have to do is make sure that when users want to change their passwords, they can do so easily.

We've already said that rpc.yppasswdd runs on the master server and it allows remote password changes to take place, but we need to check that everything is in place to do so. A number of options can be passed to rpc.yppasswdd, including the location of the password file and the option to automatically rebuild the maps. NIS actually tries to detect the correct options at startup by performing a few checks. Interestingly, one of them is to check the PWDIR variable in the makefile, as we can see below in the code snippet from ypstart:

 tin# cat /usr/lib/netsvc/yp/ypstart
 <lines removed for clarity>
 #
 # The rpc.yppasswdd daemon can be started with a "-D" option
 # to point it at the passwd/shadow/passwd.adjunct file(s).
 # The /var/yp/Makefile uses a PWDIR macro assignment to
 # define this directory. In the rpc.yppasswdd invocation,
 # we attempt to grab this info and startup accordingly.
 #
 <lines removed for clarity>
   if [ -x $YPDIR/rpc.yppasswdd ]; then
       PWDIR=`grep "^PWDIR" /var/yp/Makefile 2> /dev/null` \
       && PWDIR=`expr "$PWDIR" : '.*=[   ]*\([^   ]*\)'`
       if [ "$PWDIR" ]; then
           if [ "$PWDIR" = "/etc" ]; then
               unset PWDIR
           else
               PWDIR="-D $PWDIR"
           fi
       fi
       $YPDIR/rpc.yppasswdd $PWDIR -m \
       && echo ' rpc.yppasswdd\c'
   fi
 <lines removed for clarity>
 tin#

This means that as long as we have updated the NIS makefile correctly, our new maps will also work with rpc.yppasswdd.

The other half of the NIS password daemon is the passwd command. Until recently, separate commands such as yppasswd and nispasswd were provided for use when other naming services were in use. This has now changed, and passwd can be used to change the password for all (or, in our case, both) naming services. For example, to change the password of a "normal" user whose entry is in the NIS passwd map, we would see something similar to that shown below:

 fluorine# passwd msmith
 New password: <enter the new password>
 Re-enter new password: <enter the new password>
 NIS passwd/attributes changed on tin
 fluorine#

For someone who is in the default password file, say root, we would see something similar to the following:

 fluorine# passwd root
 New password: <enter the new password>
 Re-enter new password: <enter the new password>
 Passwd (SYSTEM): passwd successfully changed for root
 fluorine#

It's also useful to note that we can explicitly specify which name service to use. For example, to change the NIS password we could use the following:

 fluorine# passwd -r nis msmith
 New password: <enter the new password>
 Re-enter new password: <enter the new password>
 NIS passwd/attributes changed on tin
 fluorine#

Passwd.adjunct File

We have now managed to split normal users from system users and put them into two separate password files, but unfortunately we now have the problem of users being able to see the encrypted passwords. For example, if we compare the password information for one of our users against the passwd map, everything will become clear:

 tin# grep msmith /var/yp/passwd
 msmith:x:1001:10:Mike Smith:/export/home/msmith:/bin/ksh
 tin#
 tin# grep msmith /var/yp/shadow
 msmith:EwkdU786nskOz:11556:0:60:5:::
 tin#
 tin# su - msmith
 tin$ ypmatch msmith passwd
 msmith:EwkdU786nskOz:1001:10:Mike Smith:/export/home/msmith:/bin/ksh
 tin$

Just as expected, ypcat allows a normal user to view the encrypted password for anyone. We can also see that there isn't any aging information included anywhere.

Solaris supports a file named passwd.adjunct to be used within NIS. The makefile uses this file to build a map named passwd.adjunct.byname, which is used to define security data to the system. One of its other functions is to hide encrypted passwords, which is why we are interested in using it. The file format, very similar to /etc/shadow, is shown below:

  • Name

  • Password

  • Minimum security level for the user

  • Maximum security level for the user

  • Default security level for the user

  • Flag defining the events that will always be audited

  • Flag defining the events that will never be audited

When this file is available, NIS replaces the password entry in the NIS map with the string "##<user name>." For example, for our msmith user, we would see "##msmith" in the password field.

Many sites simply create the passwd.adjunct file using the contents of the shadow file. This works OK because the only field we are concerned with is the first one, the user name. The only problem is that when users change their passwords the shadow file is updated, leaving a copy of the original password in the passwd.adjunct file. This can become very confusing, so for that reason we'll create ours with only the first field and ignore the rest of the entries. This will give us a file that contains something similar to that shown below for msmith:

 msmith:::::: 

First, we need to make sure that the passwd.adjunct map is built correctly. The makefile specifies the path to the file as $PWDIR/security/passwd.adjunct. If we look back we'll see that we altered the location of PWDIR to suit our split password files, so this is now set to /var/yp. This means the full pathname to our file is /var/yp/security/passwd.adjunct. The security directory doesn't exist by default so we'll create it (and make sure no one can read its contents):

 tin# cd /var/yp
 tin# mkdir security
 tin# chmod 700 security
 tin#

Now we need to create the file. It will be based on the list of users we have in the "new" password file only; none of the users in /etc/passwd will be in there, as they will not be part of the NIS maps:

 tin# awk -F: '{ print $1"::::::" }' ./shadow > ./security/passwd.adjunct
 tin# cat ./security/passwd.adjunct
 testuser::::::
 sysadmin::::::
 msmith::::::
 jgreen::::::
 tin#

Now let's build everything again and take another look at the passwd map. This time we shouldn't see the encrypted password:

 tin# make
 tin# ypcat passwd
 testuser:##testuser:500:100:Test User:/export/home/testuser:/bin/ksh
 sysadmin:##sysadmin:1000:14:System Administrator:/export/home/sysadmin:/bin/ksh
 msmith:##msmith:1001:10:Mike Smith:/export/home/msmith:/bin/ksh
 jgreen:##jgreen:1002:10:John Green:/export/home/jgreen:/bin/ksh
 tin#

If we also check the passwd.adjunct map, it should show that we have the encrypted passwords stored there:

 tin# ypcat passwd.adjunct.byname
 testuser:*LK*:::::::
 sysadmin:*LK*:::::::
 msmith:EwkdU786nskOz:::::::
 jgreen:8CjcvwT4K.dxc:11556::::::
 tin#
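The following sh script is an added example, not part of the book, covering both the passwd.adjunct generation above and the check that the rebuilt passwd map no longer carries hashes. The functions make_adjunct and audit_map, and the sample shadow and map files (with made-up users and hashes), are all constructed here; audit_map works on a saved ypcat passwd dump, so it runs offline and can be pointed at a real dump later.

```shell
#!/bin/sh
# Added example, not from the book: build passwd.adjunct entries from a
# shadow-format file and audit a passwd map dump for exposed hashes.

# make_adjunct FILE: print "user::::::" for each entry in FILE, which has
# the /etc/shadow layout; blank lines and comments are skipped.
make_adjunct() {
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 "::::::" }' "$1"
}

# audit_map FILE: read a passwd map dump in ypcat(1) format and print every
# user whose password field is not "##user" (adjunct) or "x" (shadowed).
# Returns 1 if any such entry exists (a hash is visible), else 0.
audit_map() {
    awk -F: '
        NF >= 7 && $2 != "x" && $2 != ("##" $1) { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo with constructed data (fake users, fake hashes).
demo_dir=${TMPDIR:-/tmp}/adjunct_demo.$$
mkdir -p "$demo_dir" && chmod 700 "$demo_dir"
cat > "$demo_dir/shadow" <<'EOF'
msmith:EwkdU786nskOz:11556:0:60:5:::
jgreen:8CjcvwT4K.dxc:11556:0:60:5:::
EOF
make_adjunct "$demo_dir/shadow" > "$demo_dir/passwd.adjunct"
# A map built from the split files before passwd.adjunct existed:
cat > "$demo_dir/map.before" <<'EOF'
msmith:EwkdU786nskOz:1001:10:Mike Smith:/export/home/msmith:/bin/ksh
jgreen:8CjcvwT4K.dxc:1002:10:John Green:/export/home/jgreen:/bin/ksh
EOF
# The same map once passwd.adjunct is in place and make has been run:
cat > "$demo_dir/map.after" <<'EOF'
msmith:##msmith:1001:10:Mike Smith:/export/home/msmith:/bin/ksh
jgreen:##jgreen:1002:10:John Green:/export/home/jgreen:/bin/ksh
EOF
echo "adjunct entries:"; cat "$demo_dir/passwd.adjunct"
for m in before after; do
    if audit_map "$demo_dir/map.$m" > "$demo_dir/leaks"; then
        echo "map.$m: no hashes exposed"
    else
        echo "map.$m: hashes exposed for: $(tr '\n' ' ' < "$demo_dir/leaks")"
    fi
done
rm -rf "$demo_dir"
```

On a live master, `ypcat passwd > /tmp/map.dump; audit_map /tmp/map.dump` is the check to run after every `make` in /var/yp.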

Update the User Creation Script, Again

We have to make one more update to our standard creation script to support these changes. We need to make sure that when users are added, they are also placed in the passwd.adjunct file. This is quite a simple entry since we already have all the information we need to add, so we'll do it at the same time that we update the new shadow file, as shown below:

 tin# cat /usr/local/utils/bin/createUsers
 <lines removed for clarity>
 tmpShadow=/tmp/shadow.$$
 tmpPasswd=/tmp/passwd.$$
 adjunctFile=/var/yp/security/passwd.adjunct
 <lines removed for clarity>
 #
 # now move the account into the yp location
 #
 tail -1 /etc/passwd >> ${ypPasswdFile}
 tail -1 /etc/shadow >> ${ypShadowFile}
 echo "${user}::::::" >> ${adjunctFile}
 #
 # and strip them from the "main" password/shadow files
 #
 sed -e "/^${user}:/d" /etc/passwd > ${tmpPasswd}
 <lines removed for clarity>
 tin#

    ISBN: 0130342874
    Year: 2002
    Pages: 301