Bug #55
master.passwd.5 and various passwd.5 changes (closed)
Description
This adds master.passwd.5 file (same file as passwd.5).
And this changes FreeBSD (as appropriate to DragonFly).
Removes old documentation about older (FreeBSD) versions of YP.
(Maybe I should keep part of this, and reword?)
May I commit any of this?
Index: share/man/man5/Makefile
===================================================================
RCS file: /cvs/src/share/man/man5/Makefile,v
retrieving revision 1.7
diff b -u -r1.7 Makefile share/man/man5/Makefile 5 Aug 2005 10:13:43 -0000 1.7
--
++ share/man/man5/Makefile 5 Oct 2005 23:07:10 -0000@ -20,5 +20,6
@
MLINKS=hosts.equiv.5 rhosts.5
MLINKS+=resolver.5 resolv.conf.5
MLINKS+=utmp.5 lastlog.5 utmp.5 wtmp.5
MLINKS=passwd.5 master.passwd.5
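Review bot: The added last line reads `MLINKS=passwd.5 master.passwd.5` as shown here; with a plain `=` it would replace the links accumulated by the `MLINKS+=` lines above it, so it needs to be `MLINKS+=passwd.5 master.passwd.5`. The visible entries are in alphabetical order (hosts.equiv, resolver, utmp), so the new one would sit better between hosts.equiv.5 and resolver.5 than at the end.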
===================================================================
RCS file: /cvs/src/share/man/man5/passwd.5,v
retrieving revision 1.3
diff b -u -r1.3 passwd.5 share/man/man5/passwd.5 11 Mar 2004 12:28:56
--0000 1.3.Nm passwd
++ share/man/man5/passwd.5 5 Oct 2005 23:27:20 -0000@ -37,7 +37,8
@
.Dt PASSWD 5
.Os
.Sh NAME
.Nm passwd ,
.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The@ -197,7 +198,7
@
.Sh YP/NIS INTERACTION
.Ss Enabling access to NIS passwd data
The system administrator can configure.Tn FreeBSD.Dx
to use NIS/YP for
its password information by adding special records to the
.Pa /etc/master.passwd@ -228,7 +229,7
@
will tell the
.Xr getpwent 3
routines in
.Tn FreeBSD Ns 's
.Dx Ns 's
standard C library to begin using the NIS passwd maps
for lookups.
.Pp@ -400,7 +401,7
@
it need not be modified again unless new netgroups are created.
.Sh NOTES
.Ss Shadow passwords through NIS.Tn FreeBSD.Dx
uses a shadow password scheme: users' encrypted passwords
are stored only in
.Pa /etc/master.passwd@ -414,16 +415,16
@
NIS does not support a standard means of
password shadowing, which implies that placing your password data
into the NIS passwd maps totally defeats the security of
.Tn FreeBSD Ns 's
.Dx Ns 's
password shadowing system.
.Pp.Tn FreeBSD.Dx
provides a few special features to help get around this
problem.
It is possible to implement password shadowing between
.Tn FreeBSD
.Dx
NIS clients and.Tn FreeBSD.Dx
NIS servers.
The
.Xr getpwent 3@ -435,14 +436,15
@
.Pa /etc/master.passwd
file.
If the maps exist,
.Tn FreeBSD
.Dx
will attempt to use them for user
authentication instead of the standard
.Pa passwd.byname
and
.Pa passwd.byuid
maps..Tn FreeBSD Ns 's.Dx
+The
.Xr ypserv 8
will also check client requests to make sure they originate on a
privileged port.@ -460,7 +462,7
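Review bot: After `maps.` the new text, as the lines appear here, is `.Dx` on its own line followed by `The` and `.Xr ypserv 8`, which renders as "DragonFly The ypserv(8) will also check client requests". Pick one form: either drop the `.Dx` line and keep "The ypserv(8)", or keep the possessive form and drop "The".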
@
maps which contain no password information.
.Pp
Note that this feature cannot be used in an environment with
.No non- Ns Tn FreeBSD
.No non- Ns Os
systems.
Note also that a truly determined user with
unrestricted access to your network could still compromise the@ -470,7 +472,7
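Review bot: The replacement `.No non- Ns Os` in the "cannot be used in an environment with" sentence uses `Os`, which is not a callable macro, so it is printed as literal text and the sentence reads "non-Os systems". Every other FreeBSD replacement in this patch uses `.Dx`; this one should be `.No non- Ns Dx`.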
@
Unlike
.Tn SunOS
and other operating systems that use Sun's NIS code,
-.Tn FreeBSD
.Dx
allows the user to override
.Pa all
of the fields in a user's NIS@ -499,7 +501,7
@
.Ed
This often leads to new
.Tn FreeBSD
.Dx
administrators choosing NIS entries for their
.Pa master.passwd
files that look like this:
@ -516,7 +518,7
@
.Pa master.passwd
.Sy FILE!!
The first tells
.Tn FreeBSD
.Dx
to remap all passwords to
.Ql \&*
(which
@ -564,7 +566,7
@
instead of simple wildcards, other combinations could be achieved.)
.Pp
By contrast,
.Fx
.Dx
does not have a single
.Tn ASCII
password file: it
@ -579,7 +581,7
@
and
.Fn getpwuid
functions in
.Tn FreeBSD
.Dx
are designed to do direct queries to the
hash database rather than a linear search.
This approach is faster
@ -591,7 +593,7
@
.Tn SunOS .
.Pp
Instead,
.Tn FreeBSD
.Dx
groups all the NIS override entries together
and constructs a filter out of them.
Each NIS password entry
@ -614,7 +616,7
@
file, since doing otherwise would lead to unpredictable behavior.
.Pp
The end result is that
.Tn FreeBSD Ns 's
.Dx
provides a very close approximation
of
.Tn SunOS Ns 's
@ -639,7 +641,7
@
.El
.Pp
In 99% of all
.Tn FreeBSD
.Dx
configurations, NIS client behavior will be
indistinguishable from that of
.Tn SunOS
@ -648,7 +650,7
@
so, users should be aware of these architectural differences.
.Pp
.Ss Using groups instead of netgroups for NIS overrides
.Tn FreeBSD
.Dx
offers the capability to do override matching based on
user groups rather than netgroups.
If, for example, an NIS entry
@ -665,57 +667,6
@
will try to match users against the normal
.Ql operator
group instead.
.Ss Changes in behavior from older versions of
.Dx
There have been several bug fixes and improvements in
.Dx Ns 's
NIS/YP handling, some of which have caused changes in behavior.
-While the behavior changes are generally positive, it is important
-that users and system administrators be aware of them:
.Bl enum -offset indent
.It
In versions prior to 2.0.5, reverse lookups (i.e. using
.Fn getpwuid )
would not have overrides applied, which is to say that it
-was possible for
.Fn getpwuid
to return a login name that
.Fn getpwnam
would not recognize.
-This has been fixed: overrides specified
-in
.Pa /etc/master.passwd
now apply to all
.Xr getpwent 3
functions.
.It
Prior to
.Fx 2.0.5 ,
netgroup overrides did not work at
-all, largely because
.Tn FreeBSD
did not have support for reading
-netgroups through NIS.
-Again, this has been fixed, and
-netgroups can be specified just as in
.Tn SunOS
and similar NIS-capable
-systems.
.It
.Dx
-now has NIS server capabilities and supports the use
-of
.Pa master.passwd
NIS maps in addition to the standard Sixth Edition format
.Pa passwd
maps.
-This means that you can specify change, expiration and class
-information through NIS, provided you use a
.Dx
or
.Fx
system as
-the NIS server.
.El
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
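Review bot: Removing the whole "Changes in behavior from older versions" subsection also drops its third list item, which is not history: that the NIS server supports `master.passwd` maps in addition to the standard `passwd` maps, and that change, expiration and class information can be specified through NIS when the server is a `.Dx` or `.Fx` system, describes current behaviour. Keep that item, reworded in the present tense, near the shadow-password notes; the two items about fixes made before 2.0.5 can go.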
@ -796,8 +747,8
@
The YP/NIS functionality is modeled after
.Tn SunOS
and first appeared in
.Fx 1.1
-The override capability is new in
+.Fx 1.1 .
+The override capability was new in
.Fx 2.0 .
The override capability was updated to properly support netgroups
in
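Review bot: "was new in" on the override-capability line reads oddly next to "first appeared in" just above it; "was added in" says the same thing in the usual HISTORY wording. The period added after `.Fx 1.1` is correct.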
Updated by swildner almost 19 years ago
Jeremy C. Reed wrote:
This adds master.passwd.5 file (same file as passwd.5).
And this changes FreeBSD (as appropriate to DragonFly).
Removes old documentation about older (FreeBSD) versions of YP.
(Maybe I should keep part of this, and reword?)
May I commit any of this?
Looks good to me. One minor nit, though. Instead of
.Dx Ns 's
use the .Ap macro (see mdoc(7)). Like this:
.Dx Ap s
Thanks.
Sascha