Managing NFS and NIS, 2nd Edition - Mike Eisler [144]
Some approach is required that allows users to gain superuser access to their own hosts, but not to servers. At the same time, the system administrator must be able to become root on any system at any time to perform day-to-day maintenance. To solve the second problem, a common superuser password can be managed by NIS. Add an entry to the NIS password maps that has a UID of 0, but login name that is something other than root. For example, you might use a login name of netroot. Make sure the /etc/nsswitch.conf file on each host lists nis on the passwd: entry:
passwd: files nis
Users are granted access to their own host via the root entry in the /etc/passwd file.
Instead of creating an additional root user, some sites use a modified version of su that consults a "personal" password file. The additional password file has one entry for each user that is allowed to become root, and each user has a unique root password.[2] With either system, users are able to manage their own systems but will not know the root passwords on any other hosts. The NIS-managed netroot password ensures that the system administration staff can still gain superuser access to every host.
Making NIS more secure
Aside from the caveats about trivial passwords, there are a few precautions that can be taken to make NIS more secure:
If you are trying to keep your NIS maps private to hide hostnames or usernames within your network, do not make any host that is on two or more networks an NIS server. Users on the external networks can forcibly bind to your NIS domain and dump the NIS maps from a server that is also performing routing duties. While the same trick may be performed if the NIS server is inside the router, it can be defeated by disabling IP packet forwarding on the router. Appendix A covers this material in more detail.
On the master NIS server, separate the server's password file and the NIS password file so that all users in the NIS password file do not automatically gain access to the NIS master server. A set of changes for building a distinct password file was presented in Section 4.2.6.
Periodically check for null passwords using the following awk script: #! /bin/sh
# ( cat /etc/shadow; ypcat passwd ) | awk -F':' '{if ($2 == "") print $1 ;}'
The subshell concatenates the local password file and the NIS passwd map; the awk script prints any username that does not have an entry in the password field of the password map.
Consider configuring the system so that it cannot be booted single-user without supplying the root password. On Solaris 8, this is the default behavior, and can be overridden by adding this entry to /etc/default/sulogin: PASSREQ=NO
When the system is booted in single-user mode, the single-user shell will not be started until the user supplies the root password.
Configure the system so that superuser can only log into the console, i.e., superuser cannot rlogin into the system. On Solaris 8, you do this by setting the CONSOLE variable in /etc/default/login: CONSOLE=/dev/console
On Sun systems, the boot PROM itself can be used to enforce security. To enforce PROM security, change the security-mode parameter in the PROM to full: # eeprom security-mode=full
No PROM commands can be entered without supplying the PROM password; when you change from security-mode=none to security-mode=full you will be prompted for