Quote: Originally Posted by Scrutinizer
Just to add to the discussion
- AFAIK, Solaris 8 only supports passwd.adjunct, not shadow in NIS
- passwd.adjunct is extremely weak security and only protects against users if they cannot become root on a client that can approach the NIS server
- passwd.adjunct works with both Solaris 8 and Linux clients.
- Solaris 8, when updated to the very latest levels, supports TLS/LDAP as long as the LDAP server uses SHA1 certificates (TLS 1.0). This is not an easy feat, but it is possible.
- AFAIK NIS will only work with DES56
- I do not think password aging is possible on Solaris in combination with NIS, since it does not support shadow over NIS.
- Solaris 8, even with the latest patches remains of course an insecure and outdated platform.
- On Linux "nis" does not need to be / cannot be specified in system-auth / password-auth in pam. This is handled by pam_unix.so, since authentication is client side.
Nice sharing. Thank you for this. You pretty much helped me conclude the whole thing.
I am less concerned with security things since there is no choice with those Solaris 8 clients, which are out of maintenance. I'm just trying to find a perfect way to complete the whole task; if not, I can live with that. I did far more than my boss wanted me to do. He should be glad about what I've done.
Based on your sharing, I might stick with using shadow for both platforms, though that is a compromise on hiding the pw from ypcat and on password aging. But at least I can make a NIS user log in to all hosts in the domain.
I might think about whether it's possible to write a password aging checker for Solaris clients once I decide to enable NIS password aging at the next step.
Anyway, thank you all.
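
A sketch of the kind of password aging checker mentioned above, added here as an example and not part of the original posts. It assumes the aging data is available as standard shadow-format lines and that a POSIX awk is present; the names `check_aging` and `sample_shadow` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report password-aging status from shadow-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is a day count since 1970-01-01; min, max and warn are in days.

# check_aging TODAY
# Reads shadow-format lines on stdin and prints "user STATUS days".
# TODAY is the current day number since the epoch, passed in so the
# result does not depend on the clock of the host running the check.
check_aging() {
    awk -F: -v today="$1" '
        NF < 5 || $1 == "" { next }        # skip malformed lines
        {
            user = $1; lastchg = $3; max = $5
            warn = ($6 == "" ? 0 : $6)
            if (lastchg == "" || max == "" || max < 0) {
                print user, "NOAGING", "-"     # aging not configured
                next
            }
            if (lastchg == 0) {
                print user, "MUSTCHANGE", 0    # change forced at next login
                next
            }
            left = lastchg + max - today       # days until expiry
            if (left < 0)          print user, "EXPIRED", -left
            else if (left <= warn) print user, "WARN", left
            else                   print user, "OK", left
        }'
}

# Constructed sample entries (hashes replaced by "*").
sample_shadow() {
cat <<'EOF'
alice:*:19700:0:90:7:::
bob:*:19700:0:120:14:::
carol:*:19715:0:90:7:::
dave:*:0:0:90:7:::
erin:*:19700::::::
EOF
}

# Demo run with a fixed "today" of day 19800.
sample_shadow | check_aging 19800
```

On a real client the input would come from wherever the shadow data is published, and TODAY from the current epoch time divided by 86400.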