misc/firestuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Why isn’t mod_auth_pam working with NIS?

Browse Source
This commit is contained in:
Ian Gulliver
2019-04-21 17:29:08 +00:00
parent 71fe4fcb56
commit 3a8ce6d5c4
4 changed files with 42 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html Normal file
View File

@@ -0,0 +1,20 @@
<!--# set var="title" value="Why isnt mod_auth_pam working with NIS?" -->
<!--# set var="date" value="February 26, 2006" -->
<!--# include file="include/top.html" -->
<p>If youre trying to authenticate against NIS from Apache using mod_auth_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports &lt; 1024. If you check your NIS server logs, youll find request authentication errors.</p>
<p>If the server youre running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isnt much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add:</p>
<pre><code>&lt;client IP address&gt;:*:shadow.byname:none
</code></pre>
<p>Then restart ypserv et all. In Debian:</p>
<pre><code>/etc/init.d/nis restart
</code></pre>
<p>If your client machine does have untrusted users, there isnt a nice solution, as far as I know.</p>
<!--# include file="include/bottom.html" -->

3
index.html
View File

@@ -38,9 +38,10 @@
<li>2010-Mar-26: <a href="2010-03-26-fun-with-map-visualizations.html">Fun with map visualizations</a></li> <li>2010-Mar-26: <a href="2010-03-26-fun-with-map-visualizations.html">Fun with map visualizations</a></li>
<li>2010-Mar-09: <a href="2010-03-09-karaoke-project.html">Karaoke project</a></li> <li>2010-Mar-09: <a href="2010-03-09-karaoke-project.html">Karaoke project</a></li>
<li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li> <li>2009-Sep-11: <a href="2009-09-11-confusing-bind-with-cnames.html">Confusing BIND with CNAMEs</a></li>
<li>2009-Feb-26: <a href="2006-02-26-sctp-part-1.html">SCTP Part #1</a></li>
<li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li> <li>2009-Feb-19: <a href="2019-02-19-the-odd-case-of-my-mugging.html">The odd case of my mugging</a></li>
<li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li> <li>2009-Feb-03: <a href="2009-02-03-5-packet-tcp-connection.html">5-packet TCP connection?</a></li>
<li>2006-Feb-26: <a href="2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html">Why isnt mod_auth_pam working with NIS?</a></li>
<li>2006-Feb-26: <a href="2006-02-26-sctp-part-1.html">SCTP Part #1</a></li>
<li>2006-Feb-13: <a href="2006-02-13-is-sleep-effected-by-time-changes.html">Is sleep(3) effected by time changes?</a></li> <li>2006-Feb-13: <a href="2006-02-13-is-sleep-effected-by-time-changes.html">Is sleep(3) effected by time changes?</a></li>
<li>2006-Feb-09: <a href="2006-02-09-convert-all-tables-to-innodb.html">Convert all tables to InnoDB</a></li> <li>2006-Feb-09: <a href="2006-02-09-convert-all-tables-to-innodb.html">Convert all tables to InnoDB</a></li>
<li>2006-Feb-09: <a href="2006-02-09-php-perl-ruby-exploit.html">PHP/PERL/Ruby exploit</a></li> <li>2006-Feb-09: <a href="2006-02-09-php-perl-ruby-exploit.html">PHP/PERL/Ruby exploit</a></li>

18
markdown/2006-02-26-why-isnt-mod_auth_pam-working-with-nis.md Normal file
View File

@@ -0,0 +1,18 @@
<!--# set var="title" value="Why isnt mod_auth_pam working with NIS?" -->
<!--# set var="date" value="February 26, 2006" -->
<!--# include file="include/top.html" -->
If youre trying to authenticate against NIS from Apache using mod\_auth\_pam, you have a problem. All (sane) Apache configurations run as a non-privileged user. All (sane) NIS servers deny requests to shadow.byname originating from ports < 1024. If you check your NIS server logs, youll find request authentication errors.
If the server youre running Apache on has no untrusted user processes (no shells, no Apache CGI uploading, etc.), you can disable port security for just that host on your NIS server. This isnt much of a security risk; you better be within the same network if you were relying on port security anyway, so host-based security is just as good (it still sucks). Just before the uncommented lines in your /etc/ypserv.conf on your NIS master, add:
<client IP address>:*:shadow.byname:none
Then restart ypserv et all. In Debian:
/etc/init.d/nis restart
If your client machine does have untrusted users, there isnt a nice solution, as far as I know.
<!--# include file="include/bottom.html" -->

3
markdown/index.md
View File

@@ -37,9 +37,10 @@
1. 2010-Mar-26: [Fun with map visualizations](2010-03-26-fun-with-map-visualizations.html) 1. 2010-Mar-26: [Fun with map visualizations](2010-03-26-fun-with-map-visualizations.html)
1. 2010-Mar-09: [Karaoke project](2010-03-09-karaoke-project.html) 1. 2010-Mar-09: [Karaoke project](2010-03-09-karaoke-project.html)
1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html) 1. 2009-Sep-11: [Confusing BIND with CNAMEs](2009-09-11-confusing-bind-with-cnames.html)
1. 2009-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html)
1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html) 1. 2009-Feb-19: [The odd case of my mugging](2019-02-19-the-odd-case-of-my-mugging.html)
1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html) 1. 2009-Feb-03: [5-packet TCP connection?](2009-02-03-5-packet-tcp-connection.html)
1. 2006-Feb-26: [Why isnt mod\_auth\_pam working with NIS?](2006-02-26-why-isnt-mod_auth_pam-working-with-nis.html)
1. 2006-Feb-26: [SCTP Part #1](2006-02-26-sctp-part-1.html)
1. 2006-Feb-13: [Is sleep(3) effected by time changes?](2006-02-13-is-sleep-effected-by-time-changes.html) 1. 2006-Feb-13: [Is sleep(3) effected by time changes?](2006-02-13-is-sleep-effected-by-time-changes.html)
1. 2006-Feb-09: [Convert all tables to InnoDB](2006-02-09-convert-all-tables-to-innodb.html) 1. 2006-Feb-09: [Convert all tables to InnoDB](2006-02-09-convert-all-tables-to-innodb.html)
1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html) 1. 2006-Feb-09: [PHP/PERL/Ruby exploit](2006-02-09-php-perl-ruby-exploit.html)