3

Shadow passwords are to be avoided in a NIS server, as suggested in this guide at paragraph 7.6.

So: in a NIS server (a Unix or Unix-like system), should all the users be migrated to /etc/passwd from /etc/shadow?

And if not, how should one implement NIS?

Improve this question
6
  • Are you asking a specific user? Could you please edit and clarify what exactly you are asking? Commented Jan 14, 2015 at 14:07
  • @terdon No, I am asking to all users. Now I hope it is more clear. Commented Jan 14, 2015 at 14:15
  • OK, I edited to rephrase and make it clearer. Since you seem to be asking the same question, could you please delete your previous one and include the relevant information from it here instead? Commented Jan 14, 2015 at 14:23
  • @terdon It was not exactly the same question. Anyway, I deleted it to avoid confusion, following your advice. Commented Jan 14, 2015 at 14:45
  • If you still need an answer to your first question, then undelete it. You are asking about things I don't understand very well so I am not competent to judge whether they are the same or not. It's up to you. Sorry for the confusion. Commented Jan 14, 2015 at 14:46

1 Answer 1

Reset to default
2

What the above is talking about is on the client side.

To answer that, all users that can log-in (with the exception of root, see below) should not be in the local machine's /etc/passwd and /etc/shadow.

Instead, those users should be in the NIS server's /etc/passwd and /etc/shadow

  • Tip use NIS+ instead of NIS.
  • Tip that article was written in 2003, I might suggest a newer one :)

  • Why leave root in /etc/passwd and /etc/shadow?

    Suppose something bad happens (NIS server goes down, network is down, config file gets messed up), if root was removed, you'd have to reboot in runlevel 1 (or whatever the systemd equiviliant is) and then get the system back up and running. When you leave root's credentials on the box, you can log in live and do repairs. There are security risks involved, but follow best practices.

Improve this answer
5
  • I understand the necessity for root to remain local. So, you are stating that a NIS server should have a normal Linux configuration, with users in both /etc/passwd and /etc/shadow (and shadow passwords in the latter)? And a NIS client? How can the shadow be avoided, following the guide? Ok, you suggest to use NIS+, but I've read it is completely different from NIS. Maybe is it not completely true? Commented Jan 15, 2015 at 9:40
  • 1
    @BowPark Personally, I don't use NIS+, I use OpenLDAP/Kerberos so I can't answer that question for you. However, to answer the first question: yes, your NIS server will be will be like a regular machine and all of the users and passwords are stored in /etc/passwd and /etc/shadow. Do not merge them as any modernish linux (>2.4) will be able to handle /etc/shadow passwords and will have pam(8). If you have to merge them then use unshadow(8), but I'd just skip those instructions. Commented Jan 15, 2015 at 16:54
  • So, for the clients you would simply ignore that instructions (the advices about avoiding shadow in the 2003-guide)? I agree(d) with you, but the fact is that the client doesn't work! Maybe this system is too old. Commented Jan 15, 2015 at 16:58
  • For the clients, you only need the following: 1) edit /etc/yp.conf 2) edit /etc/nssswitch.conf 3) start ypbind. At least that is what my notes say from 2011. Commented Jan 15, 2015 at 17:22
  • @BowPark For the clients, you only need the following: 1) edit /etc/yp.conf 2) edit /etc/nssswitch.conf 3) start ypbind. At least that is what my notes say from 2011. Commented Jan 16, 2015 at 16:08

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.