Networking Forums


NIS howto, any updates

 
 
B'ichela
Guest
Posts: n/a

 
      12-31-2003, 09:30 PM
I am considering trying NIS again. I used it some time ago
with wonderful results on my Slackware 3.9 system. Yet it seems that
the NIS HOWTO that came with Slackware 8.0 is confusing as hell. First
it suggests NOT using shadow passwords for both compatibility with
older NIS clients and security. Yet... Looks like Slackware 8.0
ENABLES shadow passwords from looking at the in the /var/yp/Makefile.
My question is.. should I run pwunconv and disable the
shadow support or leave it enabled?
Seems to me that if I keep the shadow stuff in NIS I am just
as easily hackable as if I didn't, I also need to maintain
compatibility with older NIS systems.
My frustration is... the HOWTO seems to leave me wondering if
I need to do more setup than what is shown.

--
From the Desk of the Sysop of:
Planet Maca's Opus, a Free open BBS system.
Telephone 860-738-7176 300-33.6kbps Telnet://pinkrose.net.dhis.org
The New Cnews maintainer
B'ichela

 
 
 
 
 
P.T. Breuer
Guest
Posts: n/a

 
      12-31-2003, 11:10 PM
B'ichela <(E-Mail Removed)> wrote:
> with wonderful results on my Slackware 3.9 system. Yet it seems that
> the NIS HOWTO that came with Slackware 8.0 is confusing as hell. First
> it suggests NOT using shadow passwords for both compatibility with


Yes, I agree. There's no real point. If you are worried about passwords
being broken by people on your net, then (a) throw them off, (b) test
the passwords yourself first!

> older NIS clients and security. Yet... Looks like Slackware 8.0
> ENABLES shadow passwords from looking at the in the /var/yp/Makefile.


Nothing wrong with that either. Just not generally worth the bother.
If somebody has a weak password, then tell 'em to change it, or improve
your passwd vetoing scheme! There are much more wonderful ways of
breaking systems available to people already inside your local net, such
as getting root via a local hole, and then sniffing whatever they like
anywhere, anyhow. And if you run nfs, there is always the
nfs/.ssh/.rhosts perfectly fair winning attack.

But yes, there are always about 10 weak passwords on a 1000 user net.
Using shadow would obscure them. But 95% of the owners are already so
dozy that they wouldn't recognize their own files anyway, so why bother
going out of your way to protect them? They're the weakest link, not
you! They probably have their password stencilled on their forehead.

> My question is.. should I run pwunconv and disable the
> shadow support or leave it enabled?


I'd leave it be, if it is working! Why should you ask the question?
What harm do you expect to accrue from leaving it as it is?

> Seems to me that if I keep the shadow stuff in NIS I am just
> as easily hackable as if I didn't, I also need to maintain


No, you're not, because people on your local net can't read the passwd
map over NIS unless they already have root. Mind you, getting root
locally is the next thing on most crackers' minds, once they are in.
Running "john" on the password file is a pastime while waiting to see
if any of the other scripz craqz zumzing.

> compatibility with older NIS systems.
> My frustration is... the HOWTO seems to leave me wondering if
> I need to do more setup than what is shown.


Well, fix that. Stop wondering.

Peter
 
 
Uncle StoatWarbler
Guest
Posts: n/a

 
      01-06-2004, 12:59 PM
On Wed, 31 Dec 2003 22:30:51 +0000, B'ichela wrote:

> Seems to me that if I keep the shadow stuff in NIS I am just
> as easily hackable as if I didn't, I also need to maintain
> compatibility with older NIS systems.


It's your compatibility which is the driving issue here. If they support
shadow then you'll be fine.

If you're worried about security, then use LDAP. NIS/NIS+ are
fundamentally insecure - and even Sun is pushing LDAP these days.
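
Added example, not part of any post in this thread: a small audit that reports whether a NIS master is set up to publish a shadow map or to merge hashes into the passwd map, and which passwd-map entries carry a real hash. It assumes the `MERGE_PASSWD` variable and `all:` target layout of the Linux ypserv `/var/yp/Makefile` (Slackware 8.0's copy may differ); the Makefile fragment and map lines are constructed samples.

```python
import re

# Constructed fragment in the style of a ypserv /var/yp/Makefile (assumed layout).
SAMPLE_MAKEFILE = """\
MERGE_PASSWD=false
all: passwd group hosts rpc services netid \\
     shadow # publickey networks
"""

# Constructed passwd-map lines, in the format `ypcat passwd` prints.
SAMPLE_PASSWD_MAP = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:$1$Q9ab$constructedhashvalue000000:1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Carol:/home/carol:/bin/false
"""

def makefile_settings(text):
    """Return (merge_passwd, maps built by the 'all:' target)."""
    text = re.sub(r"\\\n", " ", text)          # join continuation lines first
    merge, maps = False, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # commented-out maps are not built
        m = re.match(r"MERGE_PASSWD\s*=\s*(\w+)", line)
        if m:
            merge = m.group(1).lower() == "true"
        elif line.startswith("all:"):
            maps = set(line[4:].split())
    return merge, maps

def exposed_hashes(passwd_map):
    """Users whose passwd-map entry holds a hash rather than a placeholder."""
    exposed = []
    for line in passwd_map.splitlines():
        fields = line.split(":")
        pw = fields[1] if len(fields) >= 7 else ""
        if pw and pw not in ("x", "*") and not pw.startswith("!"):
            exposed.append(fields[0])
    return exposed

def audit(makefile_text, passwd_map):
    merge, maps = makefile_settings(makefile_text)
    return {
        "shadow_map_published": "shadow" in maps,
        "hashes_merged_into_passwd": merge,
        "users_with_hash_in_passwd_map": exposed_hashes(passwd_map),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_MAKEFILE, SAMPLE_PASSWD_MAP))
```

On a real master, pass the contents of `/var/yp/Makefile` and the output of `ypcat passwd` instead of the samples.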


 