The title of this posting already tells you that an old Unix guy is going to tell stories about old techniques.
I've been a happy NIS (formerly YP) user for 30+ years. I started using it with SunOS 4.0, later used it with Solaris, and have used it with Linux since 1999.
In the past, a colleague was not happy with NIS+ when, after a short time, he could no longer log in as root because of some well-known bugs and wrong configs. NIS+ was also much slower than my NIS setup. I know organisations using NIS for more than 80.000 user accounts in 2024.
I know the security implications of NIS but I can live with them, because I manage all computers in the network that have access to the NIS maps. And NIS on Linux offers to use shadow maps, which are only accessible to the root account. My users are forced to use very long passwords.
Unfortunately, NIS support was removed from the PAM modules in Debian with pam 1.4.0-13, which means Debian 12 (bookworm) lacks NIS support in PAM, but NIS is otherwise still supported. This only affects changing the NIS password via passwd. You can still authenticate users and use the other NIS maps.
But yppasswd is deprecated and you should not use it! If you use yppasswd, it may generate a new password hash using the old DES crypt algorithm, which is very weak and only uses the first 8 chars of your password. Do not use yppasswd any more!
yppasswd only detects DES, MD5, SHA256 and SHA512 hashes, but for me and some colleagues it only creates weak DES hashes after a password change. yescrypt hashes, which are the default in Debian 12, are not supported at all. The solution is to use the plain passwd program.
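To find out whether yppasswd has already left weak DES hashes behind, it helps to scan the shadow data for them. The following script is an added example and not part of the original post; it reads shadow(5)-format lines (for instance /etc/shadow on the NIS master) and lists the accounts whose hash is a classic 13-character DES crypt hash rather than an MD5, SHA-256, SHA-512 or yescrypt hash. The sample shadow lines embedded at the end are constructed dummies, not real hashes.

```shell
#!/bin/sh
# Added example, not code from the original post: find accounts whose password
# hash is still a legacy DES crypt hash, e.g. ones left behind by yppasswd.
# Input is shadow(5) format (user:hash:...), such as /etc/shadow on the NIS
# master, read on stdin.
#
# A DES crypt hash is exactly 13 characters from [./0-9A-Za-z] with no "$id$"
# prefix. Modern hashes start with "$1$" (MD5), "$5$" (SHA-256), "$6$"
# (SHA-512) or "$y$" (yescrypt). Locked ("!" / "*") and empty fields are skipped.

# Read shadow-format lines on stdin, print the login names with DES hashes.
des_hash_users() {
    awk -F: '
        # empty field or locked account: nothing to check
        $2 == "" || $2 ~ "^[!*]" { next }
        # a "$id$" prefix means a modular-crypt hash, not DES
        substr($2, 1, 1) == "$" { next }
        # classic DES: 13 characters of the crypt(3) alphabet
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1 }
    '
}

# Space-separated list of affected users, handy for a cron mail.
des_hash_report() {
    des_hash_users | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample shadow map; the hash values are dummies, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$y$j9T$abcdefghijklmnopqrstuv$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:19700:0:99999:7:::
bob:AbCdEfGhIjKl.:19700:0:99999:7:::
carol:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef:19700:0:99999:7:::
dave:!:19700:0:99999:7:::
eve:*:19700:0:99999:7:::
frank:zYxWvUtSrQpOn:19700:0:99999:7:::
EOF
}

# Demonstration run on the constructed sample: prints "bob frank".
sample_shadow | des_hash_report
echo
```

On the NIS master you would run it as root with `des_hash_users < /etc/shadow`; every account it lists should change its password with the plain passwd program so that the shadow map is rebuilt with a strong hash.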
On the NIS master, you should set up your NIS configuration to use /etc/shadow and /etc/passwd even if your other NIS maps are in /var/yp/src or similar. Make sure to have these lines in your /var/yp/Makefile:
PASSWD = /etc/passwd
SHADOW = /etc/shadow
Call make once, and it will generate the shadow and passwd maps. You may want to set the variable MINUID, which defines which entries are not put into the NIS maps.
On all NIS clients you still need the entries in /etc/nsswitch.conf (for passwd, shadow, group, ...) that point to the nis service, e.g.:
passwd: files nis systemd
group: files nis systemd
shadow: files nis
You can remove all occurrences of "nis" in your /etc/pam.d/common-password file.
Then you can use the plain passwd program to change your password on the NIS master. But this does not call make in /var/yp to update the NIS shadow map.
Let's use inotify(7) for that. First, create a small shell script /usr/local/sbin/shadow-change:
#! /bin/sh
PATH=/usr/sbin:/usr/bin
# incron passes the watched path, the file name and the event as $1 $2 $3;
# only react to the /etc/shadow file
if [ "$2" != "shadow" ]; then
    exit 0
fi
# rebuild the NIS maps from the new /etc/shadow
cd /var/yp || exit 3
sleep 2
make
Then install the package incron.
# apt install incron
# echo root >> /etc/incron.allow
# incrontab -e
Add this line:
/etc IN_MOVED_TO /usr/local/sbin/shadow-change $@ $# $%
It's not possible to use IN_MODIFY or watch other events on /etc/shadow directly, because the passwd command creates a /etc/nshadow file, deletes /etc/shadow and then moves nshadow to shadow. An inotify watch on a file no longer fires after the file has been removed.
You can see the logs from incrond by using:
# journalctl _COMM=incrond
e.g.
Oct 01 12:21:56 kueppers incrond[6588]: starting service (version 0.5.12, built on Jan 27 2023 23:08:49)
Oct 01 13:43:55 kueppers incrond[6589]: table for user root created, loading
Oct 01 13:45:42 kueppers incrond[6589]: PATH (/etc) FILE (shadow) EVENT (IN_MOVED_TO)
Oct 01 13:45:42 kueppers incrond[6589]: (root) CMD ( /usr/local/sbin/shadow-change /etc shadow IN_MOVED_TO)
I've disabled the execution of yppasswd using dpkg-divert:
# dpkg-divert --local --rename --divert /usr/bin/yppasswd-disable /usr/bin/yppasswd
# chmod a-rwx /usr/bin/yppasswd-disable
Do not forget to limit the access to the shadow.byname map in ypserv.conf and general access to NIS in ypserv.securenets.
I've also discovered the package pamtester, which is a nice package for testing your PAM configs.