My original question:
I am running an NIS environment and would like to get away from it for
several reasons. If possible, I would like to change to some sort of
cron/rdist/ssh distribution of passwd files and shadow passwords. In
an environment that includes Tru64 4.0E, SunOS 4.1.4, Solaris 2.6 and
Linux, this looks complicated, as only Linux and Solaris share the same
shadow password file format.
Before I set about writing a bunch of scripts to convert formats, has
anyone done anything like this?
Thanks to everyone who responded. The gist of it is that it's a tough
problem.
Douglas C Stephens (stephens_at_ameslab.gov) mentioned a local perl
script that does stateful comparison of the password hash between
passwd and prpasswd, and is run via the yp Makefile. He also
suggested a commercial product called P-Synch (www.p-synch.com) that
does web-based passwd sync on many platforms. I will look into this
product.
Gerardo Mendoza Polo (gmendo96_at_alfa.lci.ulsa.mx) reports that Tru64
5.0 can do shadow passwords as one option instead of the current
enhanced security. That would solve it for me if only I could push my
few remaining SunOS 4.1.4 hosts off a cliff :-)
Jim Jennis (jjennis_at_discovery.fuentez.com) suggests, probably
correctly, that the best way to do what I want is via Kerberos or
DCE. We are also considering the Kerberos option.
Ken Kleiner (ken_at_cs.uml.edu) asked why I wanted to move away from
NIS. Here's my answer to him:
Even with shadow files, yp commands will report the encrypted password
field. Even if you change permissions on the yp commands so that only
root can run them, the getpw* system calls will go through NIS to find
and report the password field, so anyone can write a simple C program
to get hold of them. I suppose you could rewrite the system calls
and build new libraries, but that's kind of beyond me considering how
many machines I've got to support. Anyway, the point is that NIS sort
of defeats the purpose of the shadow file.
So I'll be looking at P-Synch and perhaps setting up a Kerberos
server. If anyone does have a nice way around this, please let me
know.
==BD
Received on Thu Mar 09 2000 - 02:01:40 NZDT
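An added audit script, not from the original post or any of the respondents, that puts the author's point into a check: feed it the passwd-format lines your name service hands back (the output of ypcat passwd or getent passwd) and it lists which accounts expose a real crypt(3) hash instead of a shadow placeholder. The placeholder strings, the hash shapes and the sample lines are my assumptions, constructed for the example.

```python
"""Flag passwd entries whose password field is a real hash, not a placeholder."""
import re
import sys
from typing import Dict, List

# Assumed placeholders meaning "look in the shadow/adjunct file":
# Linux/Solaris 'x', Solaris locked/no-password markers, Tru64 '*',
# and the SunOS 4 '##user' pointer into /etc/security/passwd.adjunct.
PLACEHOLDERS = {"x", "*", "!", "!!", "NP", "*NP*", "*LK*"}

# Classic 13-character DES crypt(3) hash: 2-char salt + 11 hash chars.
DES_HASH = re.compile(r"^[A-Za-z0-9./]{13}$")
# Modular crypt format ($1$ MD5, $5$/$6$ SHA-crypt, $2a$ bcrypt, ...).
MCF_HASH = re.compile(r"^\$[0-9a-z]+\$")


def classify_pw_field(field: str) -> str:
    """Return 'empty', 'placeholder', 'hash' or 'unknown' for one pw field."""
    if field == "":
        return "empty"                      # no password at all
    if field in PLACEHOLDERS or field.startswith("##"):
        return "placeholder"                # hash lives elsewhere: fine
    if DES_HASH.match(field) or MCF_HASH.match(field):
        return "hash"                       # exposed to anyone who can query
    return "unknown"


def audit_passwd_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Group user names by what their password field reveals."""
    report: Dict[str, List[str]] = {k: [] for k in ("empty", "placeholder", "hash", "unknown")}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                        # not a passwd-format line
        report[classify_pw_field(fields[1])].append(fields[0])
    return report


# Constructed sample, shaped like ypcat/getent output; not real accounts.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:ab3Lk9.sW1xQc:1001:100:Alice:/home/alice:/bin/ksh",
    "bob:$1$saltsalt$abcdefghijklmnopqrstuv:1002:100:Bob:/home/bob:/bin/sh",
    "guest::1003:100:Guest:/home/guest:/bin/sh",
    "carol:##carol:1004:100:Carol:/home/carol:/bin/csh",
]

if __name__ == "__main__":
    src = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_PASSWD
    for kind, users in audit_passwd_lines(src).items():
        print(f"{kind:12s} {' '.join(users)}")
```

Pipe real output through it (ypcat passwd | python3 audit.py); any name under "hash" is an account whose hash every NIS client can read regardless of local shadow files.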