Re: Security Configuration Settings?
From: Gregory Hicks (ghicks_at_cadence.com)
Date: 09/23/04
- Previous message: James Lick: "Re: Security Configuration Settings?"
- Maybe in reply to: El C0chin0: "Security Configuration Settings?"
- Next in thread: Wiest, Damian: "RE: Security Configuration Settings?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Sep 2004 09:23:02 -0700 (PDT)
To: mr.nasty@ix.netcom.com, focus-sun@securityfocus.com, jdavid@skynet.be
> From: "Jan David" <jdavid@skynet.be>
> Date: Thu, 23 Sep 2004 00:24:48 +0200
>
> The compat setting allows you to add an extra pseudo database called
> 'passwd_compat'. Here you can specify an alternative database, next to
> files.
>
> E.g.:
>
> passwd: compat
> passwd_compat: ldap
>
> The meaning of this is as follows: Search the local /etc/passwd file and if
> you encounter any entries with the "+" or "-" syntax, process them and look
> them up in LDAP. Of course, if you're using NIS, put nis as the keyword. The
> same goes for nis+.
>
> In your /etc/passwd file, you can now have such entries as:
>
> +elcochino:x:::::
The thing you must be careful with is to ensure that the "x" is not
present when you add the string above to /etc/passwd. Whatever is in
the /etc/passwd file for "compat" entries OVERRIDES what is in
LDAP/NIS... And there are not *too* many hash functions that will take
a "normal" password and give back ONE char - the "x"... So the string
to add to /etc/passwd is:
+elcochino::::::
This tells the system to get ALL user info from LDAP/NIS. After you
add the line, be sure to run pwconv to sync /etc/passwd and
/etc/shadow.
Compat mode also allows you to add netgroups instead of lists of users
to passwd.
Instead of adding bunches of users, you can add +@netgroup:::::: to
/etc/passwd.
Regards,
Gregory Hicks
>
> Meaning that the user "elcochino" can be found in the LDAP database and is
> allowed access to the system.
> This mechanism also allows you to use netgroups. E.g:
>
> +@sysadmins:x:::::
>
> This would allow all the users in the NIS (or LDAP) netgroup called
> 'sysadmins' to have access to the system.
>
> Make sure that the /etc/shadow file has the same entries and that the
> password field is empty (I use LDAP at work and if the password field in
> /etc/shadow is not empty for a netgroup, nobody from that group can login).
>
> Note that there is also a similar system for groups:
>
> group: compat
> group_compat: nis [nis+] [ldap]
>
> Now that we've covered this topic, let me just state that it is impossible
> to create a secure system if you're using NIS. Since nis is inherently
> insecure, there is no way of securing the machine.
>
> At the very least use something like nis+ (I wouldn't use it because of the
> complexity) or even better ldap (but also with encrypted communication).
>
> Hope this helps,
>
> Jan
>
> ----- Original Message -----
> From: "El C0chin0" <mr.nasty@ix.netcom.com>
> To: <focus-sun@securityfocus.com>
> Sent: Tuesday, September 21, 2004 3:34 PM
> Subject: Security Configuration Settings?
>
>
> >
> >
> > I'm in the process of trying to secure a SunOS name 5.8 Generic_108528-29
> sun4u sparc SUNW,Sun-Fire-280R, using settings per
> http://sabernet.home.comcast.net/papers/Solaris.html. I have a few
> questions about the settings. This box is supposed to look as much like a
> production box as possible, but I have no budget for things like
> 'stronghold' etc., so I must use as much freeware as possible.
> >
> > On the above mentioned page under "Access Controls" section 4 'Only add
> accounts for users who require access to the system. If using NIS, use the
> compat mode by editing the /etc/nsswitch.conf file:
> >
> > passwd: compat'
> >
> > I don't understand and haven't been able to find anything related to what
> describes 'compat'. Can anyone provide me with why it is a good measure to
> change this from 'files' to 'compat', what other changes may be necessary,
> or what exactly the difference is?
> >
> > Thanks
> >
> > I can only hope the moderators of this group find this worthy of being
> posted.
> >
> >
>
>
-------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
San Jose, CA 95134 | Internet: ghicks@cadence.com
I am perfectly capable of learning from my mistakes. I will surely
learn a great deal today.
"A democracy is a sheep and two wolves deciding on what to have for
lunch. Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin
"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
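The two pitfalls raised in this thread (a leftover "x" in the password field of a "+" entry in /etc/passwd, and a "+" or "+@netgroup" entry whose /etc/shadow line is missing or has a non-empty password field) are easy to audit mechanically. The script below is an added example written for this archive page; it is not code from Gregory Hicks, Jan David, or the Solaris hardening paper. It runs against whatever passwd/shadow copies you point it at, and the sample files it creates are constructed for the demonstration (the user and netgroup names are only those already mentioned in the thread).

```shell
#!/bin/sh
# Audit nsswitch "compat" entries in passwd/shadow for the pitfalls described
# in the thread. Only "+" lines are checked: "-" lines deny access, so their
# password fields are irrelevant.

# audit_compat PASSWD_FILE SHADOW_FILE
# Prints one line per problem found; the return status is the problem count
# (0 means the compat entries look clean).
audit_compat() {
    passwd_file=$1
    shadow_file=$2
    awk -F: -v shadow="$shadow_file" '
    BEGIN {
        problems = 0
        # Load shadow entries: name -> password field.
        while ((getline line < shadow) > 0) {
            n = split(line, f, ":")
            if (n >= 2) { shadow_pw[f[1]] = f[2]; in_shadow[f[1]] = 1 }
        }
        close(shadow)
    }
    $1 ~ /^\+/ {
        name = $1
        # Whatever is in passwd for a compat entry overrides the directory
        # value. No hash of a real password is the single character "x", so
        # a non-empty field here locks the user (or netgroup) out.
        if ($2 != "") {
            printf "%s: passwd field is \"%s\" (must be empty for compat entries)\n", name, $2
            problems++
        }
        # shadow must carry the same entry, with an empty password field.
        if (!(name in in_shadow)) {
            printf "%s: no matching entry in shadow (run pwconv)\n", name
            problems++
        } else if (shadow_pw[name] != "") {
            printf "%s: shadow password field is not empty\n", name
            problems++
        }
    }
    END { exit problems }
    ' "$passwd_file"
}

# make_samples DIR
# Writes constructed passwd/shadow samples into DIR: "broken" files showing
# all three mistakes, and "clean" files showing the corrected form.
make_samples() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/passwd.broken" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
+elcochino:x:::::
+@sysadmins::::::
+jdavid::::::
EOF
    cat > "$dir/shadow.broken" <<'EOF'
root:NP:6445::::::
+elcochino::::::::
+@sysadmins:*LK*::::::::
EOF
    cat > "$dir/passwd.clean" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
+elcochino::::::
+@sysadmins::::::
EOF
    cat > "$dir/shadow.clean" <<'EOF'
root:NP:6445::::::
+elcochino::::::::
+@sysadmins::::::::
EOF
}

# Stand-alone demonstration on the constructed samples.
SAMPLE_DIR=${TMPDIR:-/tmp}/compat_audit.$$
make_samples "$SAMPLE_DIR"
echo "== broken samples =="
rc=0
audit_compat "$SAMPLE_DIR/passwd.broken" "$SAMPLE_DIR/shadow.broken" || rc=$?
echo "problems found: $rc"
echo "== clean samples =="
rc=0
audit_compat "$SAMPLE_DIR/passwd.clean" "$SAMPLE_DIR/shadow.clean" || rc=$?
echo "problems found: $rc"
```

On a live Solaris 8 host you would run `audit_compat /etc/passwd /etc/shadow` as root (both files are needed, and /etc/shadow is unreadable to anyone else); a non-zero count means pwconv or a hand edit is needed before the directory users can log in.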