
hiding encrypted password in ypcat passwd


Tony

Jul 30, 2002, 1:26:02 PM
When I run ypcat passwd, as a regular user

I am seeing the encrypted password for all users.

How can I hide these encrypted passwords and show only an "x" in place of the
encrypted password?

William MacLeod

Jul 30, 2002, 6:27:49 PM
On Tue, 30 Jul 2002 18:26:02 +0100, Tony wrote:

> When I run ypcat passwd, as a regular user
>
> I am seeing the encrypted password for all users.

Did you read the reply I posted to one of your earlier posts? Do you
have a real good reason for persisting with NIS?

> How can I hide these encrypted passwords and show only an "x" in place of
> the encrypted password?

Add the following lines into /etc/ypserv.conf and restart ypserv:

* : passwd.byname : port : yes
* : passwd.byuid : port : yes
# No, I'm still not secure...

Regards

William MacLeod

Tony

Jul 31, 2002, 1:57:21 AM
My users cannot log on now


"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message
news:pan.2002.07.30.22.27.47.612189.19253@nospam.&macleod-group.com...

William MacLeod

Jul 31, 2002, 9:44:10 AM
On Wed, 31 Jul 2002 06:57:21 +0100, Tony wrote:

> My users cannot log on now

Might be helpful if you would share some error messages, and the full
contents of /etc/ypserv.conf. Plus tell us what your client machines are
running.

Regards

William MacLeod

Tony

Jul 31, 2002, 1:00:43 PM
#
# ypserv.conf In this file you can set certain options for the NIS server,
# and you can deny or restrict access to certain maps based
# on the originating host.
#
# See ypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all not needed, if
# you have a Linux net.

# Should we do DNS lookups for hosts not found in the hosts table ?
# This option is ignored in the moment.
dns: no

# How many map file handles should be cached ?
files: 30

# xfr requests are only allowed from ports < 1024
xfr_check_port: yes

# The following, when uncommented, will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host : Domain : Map : Security : Passwd_mangle
#
* : * : passwd.byname : port : yes
* : * : passwd.byuid : port : yes

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : shadow.byname : port : yes
* : * : passwd.adjunct.byname : port : yes

# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# * : * : * : none


client machines are running ypbind


William MacLeod

Jul 31, 2002, 6:22:35 PM
On Wed, 31 Jul 2002 18:00:43 +0100, Tony wrote:

>
> # How many map file handles should be cached ?
> files: 30

Take this out for now. What distribution/version of Linux are you using?

> you have maps with YP_SECURE or YP_AUTHDES, you should create # a rule
> for them above, that's much faster.
> # * : * : * : none

Unhash this last line.

> client machines are running ypbind

What distribution/version are they?

Regards

William MacLeod

Tony

Jul 31, 2002, 8:26:32 PM

"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message
news:pan.2002.07.31.22.22.33.62977.5663@nospam.&macleod-group.com...

> On Wed, 31 Jul 2002 18:00:43 +0100, Tony wrote:
>
> >
> > # How many map file handles should be cached ?
> > files: 30
>
> Take this out for now. What distribution/version of Linux are you using?

Redhat linux 7.3


> > you have maps with YP_SECURE or YP_AUTHDES, you should create # a rule
> > for them above, that's much faster.
> > # * : * : * : none
>
> Unhash this last line.
>
> > client machines are running ypbind
>
> What distribution/version are they?

Redhat linux 7.3
ypbind (ypbind-mt) 1.10

>
> Regards
>
> William MacLeod


William MacLeod

Jul 31, 2002, 10:21:33 PM
On Thu, 01 Aug 2002 01:26:32 +0100, Tony wrote:

>> > client machines are running ypbind
>>
>> What distribution/version are they?
>
> Redhat linux 7.3
> ypbind (ypbind-mt) 1.10

Fair enough, thought they may have been older. They working yet?

Regards

William MacLeod

Tony

Jul 31, 2002, 11:38:40 PM
What do these lines do?


* : * : * : none

and


* : * : passwd.byname : port : yes

#* : * : passwd.byuid : port : yes

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : shadow.byname : port : yes
* : * : passwd.adjunct.byname : port : yes


With this line uncommented

#* : * : passwd.byuid : port : yes

I got this error when a regular user logged on


id: cannot find name for user ID 504

"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message

news:pan.2002.08.01.02.21.15.235298.18696@nospam.&macleod-group.com...

William MacLeod

Aug 1, 2002, 12:21:36 AM
On Thu, 01 Aug 2002 04:38:40 +0100, Tony wrote:

> What do these lines do?
>
>
> * : * : * : none

I've put a /etc/ypserv.conf and /var/yp/Makefile from a fairly recent
Redhat based machine (note: not Redhat) onto
http://macleod-group.com/tmp/ypserv.conf and http://*/tmp/Makefile

These do what you want them to do - go through them, they are commented.
Remember to rebuild maps with "ypinit -m" after making changes to the
makefile and restart the ypserver/client.

Regards

William MacLeod

Tony

Aug 1, 2002, 2:05:28 PM
using your ypserv.conf, a regular user is now able to do ypcat passwd and
show all the encrypted passwords. Why?

"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message
news:pan.2002.08.01.04.21.33.762766.18696@nospam.&macleod-group.com...

William MacLeod

Aug 1, 2002, 2:47:38 PM
On Thu, 01 Aug 2002 19:05:28 +0100, Tony wrote:

> using your ypserv.conf, a regular user is now able to do ypcat passwd
> and show all the encrypted passwords. Why?

That same ypserv.conf doesn't show encrypted passwords in the setup it's
in over here. Did you go through your Makefile as well and amend as
necessary the maps to build? And then rebuild the maps?

I don't know what's up with your setup if it's still showing encrypted
passwords. I personally think you're wasting your time - if you need
security, then forget NIS! Try just dropping my files right into your
master NIS server after first copying yours into a safe place, then
rebuild your maps, restart services.

Regards

William MacLeod
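
A check for the question this thread keeps returning to: does an unprivileged "ypcat passwd" still return hashes once the maps are rebuilt and the services restarted? This is an added example, not part of the original posts; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field of passwd(5)-format lines read
# from stdin, e.g.  ypcat passwd | classify_passwd_fields
# Prints "login<TAB>class", where class is one of:
#   masked - placeholder such as x, *, !, !!, *LK*, *NP* or ##login
#   empty  - no password set at all
#   hash   - anything else, i.e. a crypt(3) string visible to the caller
classify_passwd_fields() {
    awk -F: '
        NF < 7   { next }                           # not a passwd entry
        $2 == "" { print $1 "\tempty"; next }
        $2 ~ /^(x|\*|!|!!|\*LK\*|\*NP\*)$/ { print $1 "\tmasked"; next }
        index($2, "##") == 1 { print $1 "\tmasked"; next }
        { print $1 "\thash" }                       # includes "!" + hash
    '
}

# Exit status 0 only when every entry on stdin is masked; any visible hash
# or empty password field makes it return 1.
passwd_map_is_masked() {
    classify_passwd_fields |
        awk -F'\t' '$2 != "masked" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample data (not from the thread): what an unprivileged
# "ypcat passwd" could return before and after mangling takes effect.
SAMPLE_EXPOSED='alice:$1$abcdefgh$0123456789abcdefghijkl:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/bash
carol::503:503::/home/carol:/bin/bash'
SAMPLE_MASKED='alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/bash'
```

Run it as a regular user on a client (ypcat passwd | classify_passwd_fields). The port rule only checks that the request comes from a source port below 1024, so root on any client still receives the real field.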

Tony

Aug 1, 2002, 3:42:53 PM
Ok another question which is off topic. How did you get your apache server
to show 0.0.0 version? I got apache running (rpm version) where do I go to
edit the version out?

Thanks


"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message

news:pan.2002.08.01.18.47.37.166870.18696@nospam.&macleod-group.com...

Tony

Aug 1, 2002, 4:50:51 PM
Ok I don't know why but had to add this in

: Domain
: *
: *


"William MacLeod" <willie@nospam.&macleod-group.com> wrote in message

news:pan.2002.08.01.18.47.37.166870.18696@nospam.&macleod-group.com...

William MacLeod

Aug 1, 2002, 5:06:38 PM
On Thu, 01 Aug 2002 20:42:53 +0100, Tony wrote:

> Ok another question which is off topic. How did you get your apache
> server to show 0.0.0 version? I got apache running (rpm version) where
> do I go to edit the version out?

With relatively new apache, using servertokens in httpd.conf is by far
the easiest way forward:

http://httpd.apache.org/docs/mod/core.html#servertokens

Or else you could download the source and edit
src/include/httpd.h to show 0.0.0 for #define SERVER_BASEVERSION

Not my machine though ;)

Regards

William MacLeod
