diff --git a/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html b/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html
new file mode 100644
index 0000000..958501b
--- /dev/null
+++ b/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html
@@ -0,0 +1,20 @@
+<!--# set var="title" value="Why isn’t mod_auth_pam working with NIS?" -->
+<!--# set var="date" value="February 26, 2006" -->
+
+<!--# include file="include/top.html" -->
+
+<p>If you’re trying to authenticate against NIS from Apache using mod_auth_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports &lt; 1024. If you check your NIS server logs, you’ll find request authentication errors.</p>
+
+<p>If the server you’re running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isn’t much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add:</p>
+
+<pre><code>&lt;client IP address&gt;:*:shadow.byname:none
+</code></pre>
+
+<p>Then restart ypserv et all. In Debian:</p>
+
+<pre><code>/etc/init.d/nis restart
+</code></pre>
+
+<p>If your client machine does have untrusted users, there isn’t a nice solution, as far as I know.</p>
+
+<!--# include file="include/bottom.html" -->
diff --git a/index.html b/index.html
index 8e080db..5b33ea2 100644
--- a/index.html
+++ b/index.html
@@ -38,9 +38,10 @@
 <li>2010-Mar-26: <a href="2010-03-26-fun-with-map-visualizations.html">Fun with map visualizations</a></li>
 <li>2010-Mar-09: <a href="2010-03-09-karaoke-project.html">Karaoke project</a></li>
 <li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li>
-<li>2009-Feb-26: <a href="2006-02-26-sctp-part-1.html">SCTP Part #1</a></li>
 <li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li>
 <li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li>
+<li>2006-Feb-26: <a href="2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html">Why isn’t mod_auth_pam working with NIS?</a></li>
+<li>2006-Feb-26: <a href="2006-02-26-sctp-part-1.html">SCTP Part #1</a></li>
 <li>2006-Feb-13: <a href="2006-02-13-is-sleep-effected-by-time-changes.html">Is sleep(3) effected by time changes?</a></li>
 <li>2006-Feb-09: <a href="2006-02-09-convert-all-tables-to-innodb.html">Convert all tables to InnoDB</a></li>
 <li>2006-Feb-09: <a href="2006-02-09-php-perl-ruby-exploit.html">PHP/PERL/Ruby exploit</a></li>
diff --git a/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md b/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md
new file mode 100644
index 0000000..dd4557a
--- /dev/null
+++ b/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md
@@ -0,0 +1,18 @@
+<!--# set var="title" value="Why isn’t mod_auth_pam working with NIS?" -->
+<!--# set var="date" value="February 26, 2006" -->
+
+<!--# include file="include/top.html" -->
+
+If you’re trying to authenticate against NIS from Apache using mod\_auth\_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports < 1024. If you check your NIS server logs, you’ll find request authentication errors.
+
+If the server you’re running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isn’t much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add:
+
+	<client IP address>:*:shadow.byname:none
+
+Then restart ypserv et all. In Debian:
+
+	/etc/init.d/nis restart
+
+If your client machine does have untrusted users, there isn’t a nice solution, as far as I know.
+
+<!--# include file="include/bottom.html" -->
diff --git a/markdown/index.md b/markdown/index.md
index 94a7c6b..6d2665b 100644
--- a/markdown/index.md
+++ b/markdown/index.md
@@ -37,9 +37,10 @@
 1. 2010-Mar-26: [Fun with map visualizations](2010-03-26-fun-with-map-visualizations.html)
 1. 2010-Mar-09: [Karaoke project](2010-03-09-karaoke-project.html)
 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
-1. 2009-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html)
 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
+1. 2006-Feb-26: [Why isn’t mod\_auth\_pam working with NIS?](2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html)
+1. 2006-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html)
 1. 2006-Feb-13: [Is sleep(3) effected by time changes?](2006-02-13-is-sleep-effected-by-time-changes.html)
 1. 2006-Feb-09: [Convert all tables to InnoDB](2006-02-09-convert-all-tables-to-innodb.html)
 1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
