From 3a8ce6d5c4d420c1b372c706e2667610ec3d6133 Mon Sep 17 00:00:00 2001 From: Ian Gulliver Date: Sun, 21 Apr 2019 17:29:08 +0000 Subject: [PATCH] =?UTF-8?q?Why=20isn=E2=80=99t=20mod=5Fauth=5Fpam=20workin?= =?UTF-8?q?g=20with=20NIS=3F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...hy-isnt-mod_auth_pam-working-with-nis.html | 20 +++++++++++++++++++ index.html | 3 ++- ...-why-isnt-mod_auth_pam-working-with-nis.md | 18 +++++++++++++++++ markdown/index.md | 3 ++- 4 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html create mode 100644 markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md diff --git a/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html b/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html new file mode 100644 index 0000000..958501b --- /dev/null +++ b/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html @@ -0,0 +1,20 @@ + + + + + +

If you’re trying to authenticate against NIS from Apache using mod_auth_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports < 1024. If you check your NIS server logs, you’ll find request authentication errors.

+ +

If the server you’re running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isn’t much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add:

+ +
<client IP address>:*:shadow.byname:none
+
+ +

Then restart ypserv et all. In Debian:

+ +
/etc/init.d/nis restart
+
+ +

If your client machine does have untrusted users, there isn’t a nice solution, as far as I know.

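Review bot: the port direction in the first paragraph of the new post is inverted. It says sane NIS servers "deny requests to shadow.byname originating from ports < 1024", but ypserv's `port` security does the opposite: it answers only requests whose source port is below 1024, which is exactly why an httpd running as an unprivileged user (and therefore unable to bind a reserved port) gets refused. Suggest "originating from ports >= 1024" (or "from unprivileged ports"). Two smaller points in the same hunk: the `<client IP address>:*:shadow.byname:none` rule works because ypserv takes the first matching line, so the instruction to place it before the existing uncommented rules is what makes it take effect and is worth saying explicitly; and note that `none` lifts the check for every process on that client, not just httpd, which is the reason for the "no untrusted users" precondition. Finally, "restart ypserv et all" should read "et al.".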
+ + diff --git a/index.html b/index.html index 8e080db..5b33ea2 100644 --- a/index.html +++ b/index.html @@ -38,9 +38,10 @@
  • 2010-Mar-26: Fun with map visualizations
  • 2010-Mar-09: Karaoke project
  • 2009-Sep-11: Confusing BIND with CNAMEs
  • -
  • 2009-Feb-26: SCTP Part #1
  • 2009-Feb-19: The odd case of my mugging
  • 2009-Feb-03: 5-packet TCP connection?
  • +
  • 2006-Feb-26: Why isn’t mod_auth_pam working with NIS?
  • +
  • 2006-Feb-26: SCTP Part #1
  • 2006-Feb-13: Is sleep(3) effected by time changes?
  • 2006-Feb-09: Convert all tables to InnoDB
  • 2006-Feb-09: PHP/PERL/Ruby exploit
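Review bot: this hunk does more than the subject line states. Besides adding the mod_auth_pam entry it removes `2009-Feb-26: SCTP Part #1` and re-adds it as `2006-Feb-26: SCTP Part #1`, i.e. it re-dates an existing post by three years. That is a separate fix and should either be mentioned in the commit message or split into its own commit so the history explains why the date changed.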
  • diff --git a/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md b/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md new file mode 100644 index 0000000..dd4557a --- /dev/null +++ b/markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md @@ -0,0 +1,18 @@ + + + + + +If you’re trying to authenticate against NIS from Apache using mod\_auth\_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports < 1024. If you check your NIS server logs, you’ll find request authentication errors. + +If the server you’re running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isn’t much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add: + + :*:shadow.byname:none + +Then restart ypserv et all. In Debian: + + /etc/init.d/nis restart + +If your client machine does have untrusted users, there isn’t a nice solution, as far as I know. + + diff --git a/markdown/index.md b/markdown/index.md index 94a7c6b..6d2665b 100644 --- a/markdown/index.md +++ b/markdown/index.md 
@@ -37,9 +37,10 @@ 1. 2010-Mar-26: [Fun with map visualizations](2010-03-26-fun-with-map-visualizations.html) 1. 2010-Mar-09: [Karaoke project](2010-03-09-karaoke-project.html) 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html) -1. 2009-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html) 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html) 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html) +1. 2006-Feb-26: [Why isn’t mod\_auth\_pam working with NIS?](2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html) +1. 2006-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html) 1. 2006-Feb-13: [Is sleep(3) effected by time changes?](2006-02-13-is-sleep-effected-by-time-changes.html) 1. 2006-Feb-09: [Convert all tables to InnoDB](2006-02-09-convert-all-tables-to-innodb.html) 1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)
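Review bot: in the new markdown file the ypserv.conf example has lost its placeholder and now reads `:*:shadow.byname:none`, whereas the HTML version shows `<client IP address>:*:shadow.byname:none`. In markdown an angle-bracketed placeholder is treated as inline HTML and disappears on render, so write it as something that survives rendering, for example `CLIENT_IP:*:shadow.byname:none`, or escape the brackets. The "et all" typo from the HTML version is duplicated here as well.

Review bot: the removed line `-1. 2009-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html)` shows the link already pointed at the 2006 file while the label said 2009, so the re-dating in this hunk is a label fix. The adjacent context line `1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)` has the same kind of label/filename mismatch (2009 in the label, 2019 in the filename) and is left untouched; it should get the same treatment, here or in a follow-up.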