April 2008

Leopard and NIS and C2 Security

With NIS, one suggestion for improving security is to move to NIS plus. At this point we're much more likely to go to LDAP than NIS plus, because NIS plus was never that successful, and viewed as a pain to set up. LDAP doesn't solve many more problems for us (no PCs to deal with), but everybody's doing it.

But until then, we still have NIS, and we want to hide our passwords from our users, and the odd hacker that breaks through our defenses. So, on the suns you can turn on C2 security, and use shadow passwords.

The way this works within NIS is that there's a map called "passwd.adjunct" which has the actual passwords. But the catch is that to get to this map, you have to connect to a NIS server from a secure port, which means you have to be root on the machine. And before you write me and tell me how horrible this is, let me say that with proper control over access to subnets (no Windows on our trusted subnets for example), and firewalling, this can be done with perfectly reasonble security.

Unfortunately, neither Tiger nor Leopard seemed to support this map. But after reviewing Leopard source code, there was support there for a NIS map named "shadow.byname". So I duplicated the secure NIS map passwd.adjunt as shadow.byname (using the exact same format, just as a guess), and Leopard picked it up immediately and used it. Unfortunately Tiger also does not support this map. We will have to run a temporary NIS domain only for Tiger systems, and work to upgrade all of our Tiger systems to Leopard. We can live with this since it is only temporary.

More Mac OS X Stuff

Tom Fine's Home Send Me Email