Bugtraq mailing list archives

SUMMARY: Dropping YP (DBM passwd, shadow and netgroups?)


From: ault () cs albany edu (Jim Ault)
Date: Thu, 23 Mar 1995 17:49:59 EST


 I received quite a response!  Thanks for all your comments.
 Over 20 responses in under 24 hours.

 I received the following suggestions (in no particular order):

 1) ypfake (yp emulation routines) (ftp.cs.toronto.edu, I think)
 2) kerberos and hesiod (ftp to athena-dist.mit.edu)
 3) write your own with BU public domain finger (world.std.com)
 4) netbsd or bsd 4.4, they come with library routines and
        the BSD "db" database for passwd (with shadow).
        also: use rdist, track, (ftp.cs.toronto.edu:/pub/track.tar.Z)
        or sup to copy password files around.
 5) Shadow, by John Haugh <jfh () rpp386 cactus org>
    comp.sources.unix, does anyone have a current ftp site?
 6) NetView6000 (IBM) or Tivoli (commercial products: big $$)
     Tivoli supposedly can supplant YP and work with Kerberos.
 7) anlpasswd hacked backend and rdist to push: Bob Beck <beck () cs ualberta ca>
 8) wrote my own: library of passwd routines with DBM lookup, similar
     to ConvexOS, by Jukka Ukkonen <ukkonen () csc fi>
 9) wrote my own:   "Dion Stempfley" <stempfld () CC IMS DISA MIL>

Good questions to consider:

1) Why are you dropping YP?  
2) What do you hope to gain by using another tool?  
3) Have you looked at NIS+?  
4) How big is your network?  
5) Do you have remote nodes which require support?


For me the answers are:

1) To improve security
2) Improved security, with reasonable performance (DBM lookups on /etc/passwd)
   that maintains netgroup support for exports,
   and a replacement for yppasswdd that provides:
   a) checking against cracklib 
   b) can run from any machine on my network
   c) allows chfn as well (bonus)
   d) shadow password support
3) No, we run SunOS 4.1.X
4) About 40 machines, all Sun except one SGI.
   About half are Sun3/XX running Xkernel using XDM
5) no. 
        
As I see the above responses, the most attractive option for me is Shadow,
because I believe it supports cracklib.  My only question is does it 
support netgroups?

Jim Ault, CS Sysadmin, SUNY Albany, NY 12222 USA  ault () cs albany edu   <><


