master.passwd.5 and various passwd.5 changes (diff)
Jeremy C. Reed
reed at reedmedia.net
Wed Jan 11 22:41:05 PST 2006
This adds master.passwd.5 file (same file as passwd.5).
And this changes FreeBSD (as appropriate to DragonFly).
Removes old documentation about older (FreeBSD) versions of YP.
(Maybe I should keep part of this, and reword?)
May I commit any of this?
Index: share/man/man5/Makefile
===================================================================
RCS file: /cvs/src/share/man/man5/Makefile,v
retrieving revision 1.7
diff -b -u -r1.7 Makefile
--- share/man/man5/Makefile 5 Aug 2005 10:13:43 -0000 1.7
+++ share/man/man5/Makefile 5 Oct 2005 23:07:10 -0000
@@ -20,5 +20,6 @@
MLINKS+=hosts.equiv.5 rhosts.5
MLINKS+=resolver.5 resolv.conf.5
MLINKS+=utmp.5 lastlog.5 utmp.5 wtmp.5
+MLINKS+=passwd.5 master.passwd.5
.include <bsd.prog.mk>
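Review bot: the new `MLINKS+=passwd.5 master.passwd.5` line is appended after the `utmp.5` entry, while the three entries visible above it (`hosts.equiv.5`, `resolver.5`, `utmp.5`) are in alphabetical order by source page. Put it between the `hosts.equiv.5` and `resolver.5` lines so the list stays sorted.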
Index: share/man/man5/passwd.5
===================================================================
RCS file: /cvs/src/share/man/man5/passwd.5,v
retrieving revision 1.3
diff -b -u -r1.3 passwd.5
--- share/man/man5/passwd.5 11 Mar 2004 12:28:56 -0000 1.3
+++ share/man/man5/passwd.5 5 Oct 2005 23:27:20 -0000
@@ -37,7 +37,8 @@
.Dt PASSWD 5
.Os
.Sh NAME
-.Nm passwd
+.Nm passwd ,
+.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
@@ -197,7 +198,7 @@
.Sh YP/NIS INTERACTION
.Ss Enabling access to NIS passwd data
The system administrator can configure
-.Tn FreeBSD
+.Dx
to use NIS/YP for
its password information by adding special records to the
.Pa /etc/master.passwd
@@ -228,7 +229,7 @@
will tell the
.Xr getpwent 3
routines in
-.Tn FreeBSD Ns 's
+.Dx Ns 's
standard C library to begin using the NIS passwd maps
for lookups.
.Pp
@@ -400,7 +401,7 @@
it need not be modified again unless new netgroups are created.
.Sh NOTES
.Ss Shadow passwords through NIS
-.Tn FreeBSD
+.Dx
uses a shadow password scheme: users' encrypted passwords
are stored only in
.Pa /etc/master.passwd
@@ -414,16 +415,16 @@
NIS does not support a standard means of
password shadowing, which implies that placing your password data
into the NIS passwd maps totally defeats the security of
-.Tn FreeBSD Ns 's
+.Dx Ns 's
password shadowing system.
.Pp
-.Tn FreeBSD
+.Dx
provides a few special features to help get around this
problem.
It is possible to implement password shadowing between
-.Tn FreeBSD
+.Dx
NIS clients and
-.Tn FreeBSD
+.Dx
NIS servers.
The
.Xr getpwent 3
@@ -435,14 +436,15 @@
.Pa /etc/master.passwd
file.
If the maps exist,
-.Tn FreeBSD
+.Dx
will attempt to use them for user
authentication instead of the standard
.Pa passwd.byname
and
.Pa passwd.byuid
maps.
-.Tn FreeBSD Ns 's
+The
+.Dx
.Xr ypserv 8
will also check client requests to make sure they originate on a
privileged port.
@@ -460,7 +462,7 @@
maps which contain no password information.
.Pp
Note that this feature cannot be used in an environment with
-.No non- Ns Tn FreeBSD
+.No non- Ns Os
systems.
Note also that a truly determined user with
unrestricted access to your network could still compromise the
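Review bot: `.No non- Ns Os` on the added line will not produce an operating system name. `.Os` is a prologue macro and is not callable, so as an argument after `Ns` it is emitted as literal text and the sentence renders as "non-Os systems". Use `.No non- Ns Dx`, which matches the other replacements in this patch. Separately, the section removed further down states that `master.passwd` NIS maps work with either a DragonFly or a FreeBSD server, so this restriction may need wording that covers both rather than DragonFly alone.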
@@ -470,7 +472,7 @@
Unlike
.Tn SunOS
and other operating systems that use Sun's NIS code,
-.Tn FreeBSD
+.Dx
allows the user to override
.Pa all
of the fields in a user's NIS
@@ -499,7 +501,7 @@
.Ed
This often leads to new
-.Tn FreeBSD
+.Dx
administrators choosing NIS entries for their
.Pa master.passwd
files that look like this:
@@ -516,7 +518,7 @@
.Pa master.passwd
.Sy FILE!!
The first tells
-.Tn FreeBSD
+.Dx
to remap all passwords to
.Ql \&*
(which
@@ -564,7 +566,7 @@
instead of simple wildcards, other combinations could be achieved.)
.Pp
By contrast,
-.Fx
+.Dx
does not have a single
.Tn ASCII
password file: it
@@ -579,7 +581,7 @@
and
.Fn getpwuid
functions in
-.Tn FreeBSD
+.Dx
are designed to do direct queries to the
hash database rather than a linear search.
This approach is faster
@@ -591,7 +593,7 @@
.Tn SunOS .
.Pp
Instead,
-.Tn FreeBSD
+.Dx
groups all the NIS override entries together
and constructs a filter out of them.
Each NIS password entry
@@ -614,7 +616,7 @@
file, since doing otherwise would lead to unpredictable behavior.
.Pp
The end result is that
-.Tn FreeBSD Ns 's
+.Dx
provides a very close approximation
of
.Tn SunOS Ns 's
@@ -639,7 +641,7 @@
.El
.Pp
In 99% of all
-.Tn FreeBSD
+.Dx
configurations, NIS client behavior will be
indistinguishable from that of
.Tn SunOS
@@ -648,7 +650,7 @@
so, users should be aware of these architectural differences.
.Pp
.Ss Using groups instead of netgroups for NIS overrides
-.Tn FreeBSD
+.Dx
offers the capability to do override matching based on
user groups rather than netgroups.
If, for example, an NIS entry
@@ -665,57 +667,6 @@
will try to match users against the normal
.Ql operator
group instead.
-.Ss Changes in behavior from older versions of
-.Dx
-There have been several bug fixes and improvements in
-.Dx Ns 's
-NIS/YP handling, some of which have caused changes in behavior.
-While the behavior changes are generally positive, it is important
-that users and system administrators be aware of them:
-.Bl -enum -offset indent
-.It
-In versions prior to 2.0.5, reverse lookups (i.e. using
-.Fn getpwuid )
-would not have overrides applied, which is to say that it
-was possible for
-.Fn getpwuid
-to return a login name that
-.Fn getpwnam
-would not recognize.
-This has been fixed: overrides specified
-in
-.Pa /etc/master.passwd
-now apply to all
-.Xr getpwent 3
-functions.
-.It
-Prior to
-.Fx 2.0.5 ,
-netgroup overrides did not work at
-all, largely because
-.Tn FreeBSD
-did not have support for reading
-netgroups through NIS.
-Again, this has been fixed, and
-netgroups can be specified just as in
-.Tn SunOS
-and similar NIS-capable
-systems.
-.It
-.Dx
-now has NIS server capabilities and supports the use
-of
-.Pa master.passwd
-NIS maps in addition to the standard Sixth Edition format
-.Pa passwd
-maps.
-This means that you can specify change, expiration and class
-information through NIS, provided you use a
-.Dx
-or
-.Fx
-system as
-the NIS server.
.El
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
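Review bot: the removal takes out `.Bl -enum -offset indent` but leaves its closing `.El` as a context line just before `.Sh FILES`, so the page ends up with an `.El` that has no open list. Delete that `.El` together with the section. On the question in the cover note about keeping part of it: the third item (support for `master.passwd` NIS maps carrying change, expiration and class information when the server is a DragonFly or FreeBSD system) is written as a description of present capability rather than a fix tied to 2.0.5, so consider keeping it, reworded, under NOTES instead of dropping it with the two historical items.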
@@ -796,8 +747,8 @@
The YP/NIS functionality is modeled after
.Tn SunOS
and first appeared in
-.Fx 1.1
-The override capability is new in
+.Fx 1.1 .
+The override capability was new in
.Fx 2.0 .
The override capability was updated to properly support netgroups
in