Re: Security Configuration Settings?

From: Gregory Hicks (
Date: 09/23/04

    Date: Thu, 23 Sep 2004 09:23:02 -0700 (PDT)

    > From: "Jan David" <>
    > Date: Thu, 23 Sep 2004 00:24:48 +0200
    > The compat setting allows you to add an extra pseudo database called
    > 'passwd_compat'. Here you can specify an alternative database, next to
    > files.
    > E.g.:
    > passwd: compat
    > passwd_compat: ldap
    > The meaning of this is as follows: Search the local /etc/passwd file and if
    > you encounter any entries with the "+" or "-" syntax, process them and look
    > them up in LDAP. Of course, if you're using NIS, put nis as the keyword. The
    > same goes for nis+.
    > In your /etc/passwd file, you can now have such entries as:
    > +elcochino:x:::::

    The thing you must be careful with is to ensure that the "x" is not
    present when you add the string above to /etc/passwd. Whatever is in
    the /etc/passwd file for "compat" entries OVER-RIDES what is in
    LDAP/NIS... And there are not *too* many hash functions that will take
    a "normal" password and give back ONE char - the "x"... So the string
    to add to /etc/passwd is:


    This tells the system to get ALL user info from LDAP/NIS. After you
    add the line, be sure to run pwconv to sync /etc/passwd and

    Compat mode also allows you to add netgroups instead of lists of users
    to passwd.

    Instead of adding bunches of users, you can add +@netgroup:::::: to

    Gregory Hicks

    > Meaning that the user "elcochino" can be found in the LDAP database and is
    > allowed access to the system.
    > This mechanism also allows you to use netgroups. E.g:
    > +@sysadmins:x:::::
    > This would allow all the users in the NIS (or LDAP) netgroup called
    > 'sysadmins' to have access to the system.
    > Make sure that the /etc/shadow file has the same entries and that the
    > password field is empty (I use LDAP at work and if the password field in
    > /etc/shadow is not empty for a netgroup, nobody from that group can login).
    > Note that there is also a similar system for groups:
    > group: compat
    > group_compat: nis [nis+] [ldap]
    > Now that we've covered this topic, let me just state that it is impossible
    > to create a secure system if you're using NIS. Since nis is inherently
    > insecure, there is no way of securing the machine.
    > At the very least use something like nis+ (I wouldn't use it because of the
    > complexity) or even better ldap (but also with encrypted communication).
    > Hope this helps,
    > Jan
    > ----- Original Message -----
    > From: "El C0chin0" <>
    > To: <>
    > Sent: Tuesday, September 21, 2004 3:34 PM
    > Subject: Security Configuration Settings?
    > >
    > >
    > > I'm in the process of trying to secure a SunOS name 5.8 Generic_108528-29
    > sun4u sparc SUNW,Sun-Fire-280R, using settings per
    > I have a few
    > questions about the settings. Since this box is supposed to look as much
    > like a production box as possible but I have no budget for things like
    > 'stronghold' etc., I must use as much freeware as possible.
    > >
    > > On the above mentioned page under "Access Controls" section 4 'Only add
    > accounts for users who require access to the system. If using NIS, use the
    > compat mode by editing the /etc/nsswitch.conf file:
    > >
    > > passwd: compat'
    > >
    > > I don't understand and haven't been able to find anything related to what
    > describes 'compat'. Can anyone tell me why it is a good measure to
    > change this from 'files' to 'compat', what other changes may be necessary,
    > and what exactly the difference is?
    > >
    > > Thanks
    > >
    > > I can only hope the moderators of this group find this worthy of being
    > posted.
    > >
    > >

    Gregory Hicks | Principal Systems Engineer
    Cadence Design Systems | Direct: 408.576.3609
    555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
    San Jose, CA 95134 | Internet:

    I am perfectly capable of learning from my mistakes. I will surely
    learn a great deal today.

    "A democracy is a sheep and two wolves deciding on what to have for
    lunch. Freedom is a well armed sheep contesting the results of the
    decision." - Benjamin Franklin

    "The best we can hope for concerning the people at large is that they
    be properly armed." --Alexander Hamilton
