Configuring the Network Information Service (NIS)

NIS interaction with security modes

The installation of the NIS Runtime System compromises C2 security and reduces your ability to maintain a secure system. With NIS installed, it is relatively easy to change the master machine and change all the passwords on all systems in the network. Also, passwords (in encrypted form) are stored in text files and can be read by anyone with the correct privileges. If you are concerned with security, NIS may not be an appropriate service for your system.

See also:

Security limitations on configuration

To preserve the integrity of trusted databases, NIS may not modify certain sensitive files within a C2 Secure system. Although SCO NIS operates on a system with any of the security defaults (High, Improved, Traditional, and Low), the password and group databases are updated by NIS only in the security defaults that use /etc/passwd and /etc/group as the master databases. This condition is true if Traditional or Low security (Unsecure Mode) is chosen at installation time. If High or Improved security (Secure Mode) is chosen, the Trusted Computing Base (TCB) manages /etc/passwd and /etc/group and does not allow NIS to update these files.

Only copy-only NIS servers and clients can be initialized in Secure Mode settings on SCO OpenServer systems. These servers may receive maps, but they cannot propagate them. In addition, if a copy-only server in Secure Mode receives a password or group map, it cannot translate these maps into /etc/passwd or /etc/group ASCII files.

Clients that include NIS maps in their /etc/passwd or /etc/group files circumvent TCB and are not C2 Secure.

``Security configurations for SCO NIS servers and clients'', lists the security configurations permitted for each type of SCO NIS server and client.

Security configurations for SCO NIS servers and clients

SCO NIS server or client type Permitted security settings
master or slave Unsecure Mode only (Traditional or Low)
copy-only or client Secure Mode (High or Improved) or Unsecure Mode (Traditional or Low)

These security precautions help prevent unauthorized NIS password and group information from reaching SCO OpenServer hosts. However, the same security precautions may not be available for client implementations running on systems other than SCO OpenServer. Consult your documentation for NIS client implementations if you are concerned with security.

See also:

Map integration restrictions in Secure Mode

If your copy-only server is configured with one of the Secure Mode defaults, its map2ascii files will prevent any passwd or group maps from being integrated, regardless of their source.

WARNING: Do not attempt to circumvent C2 security restrictions by removing security checks from the map2ascii files. Doing so may cause unpredictable behavior and is therefore an unsupported modification.

Special NIS password change

When you change a password using the passwd(C) command when NIS is not enabled on your system, the entry given in the system password database file is changed. When NIS is enabled, you also use passwd to change your password. The passwd command is then a link to the yppasswd(NC) command. (The original /bin/passwd file is stored at /usr/lib/nisrt/bin/passwd and a link to /bin/yppasswd is made.) To enable NIS password service, you must start up the server daemon, yppasswdd(NADM), on the machine serving as the master for the NIS password file.

If the file /etc/ptmp exists, you will receive the following message when you try to change a password:

   yppasswd: password file busy - try again
The file /etc/ptmp is a lock file that indicates a previous invocation of yppasswd still exists. This file can be removed to unlock the password file.

See the yppasswd(NC) manual page for a list of error codes.

Next topic: NIS logfiles
Previous topic: Using NIS maps in the group file

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003