diff options
author | sheldonh <sheldonh@FreeBSD.org> | 2000-03-02 14:54:02 +0000 |
---|---|---|
committer | sheldonh <sheldonh@FreeBSD.org> | 2000-03-02 14:54:02 +0000 |
commit | 244b8ead7d31895ea1d7cfb075f4f7b33df35b0f (patch) | |
tree | 2643b52af6138b0f24a698abf3673abbbf78fc7d /share/man/man5/passwd.5 | |
parent | b751643913f37cd82cb0231b0c05564aad5a23b4 (diff) | |
download | FreeBSD-src-244b8ead7d31895ea1d7cfb075f4f7b33df35b0f.zip FreeBSD-src-244b8ead7d31895ea1d7cfb075f4f7b33df35b0f.tar.gz |
Remove more single-space hard sentence breaks.
Diffstat (limited to 'share/man/man5/passwd.5')
-rw-r--r-- | share/man/man5/passwd.5 | 105 |
1 files changed, 70 insertions, 35 deletions
diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5 index 890f021..53f6b7b 100644 --- a/share/man/man5/passwd.5 +++ b/share/man/man5/passwd.5 @@ -190,7 +190,8 @@ The system administrator can configure to use NIS/YP for its password information by adding special records to the .Pa /etc/master.passwd -file. These entries should be added with +file. +These entries should be added with .Xr vipw 8 so that the changes can be properly merged with the hashed password databases and the @@ -220,10 +221,12 @@ Note that the entry shown above is known as a .Em wildcard entry, because it matches all users (the `+' without any other information matches everybody) and allows all NIS password data to be retrieved -unaltered. However, by +unaltered. +However, by specifying a username or netgroup next to the `+' in the NIS entry, the administrator can affect what data are extracted from the -NIS passwd maps and how it is interpreted. Here are a few example +NIS passwd maps and how it is interpreted. +Here are a few example records that illustrate this feature (note that you can have several NIS entries in a single .Pa master.passwd @@ -240,8 +243,10 @@ file): Specific usernames are listed explicitly while netgroups are signified by a preceding `@'. In the above example, users in the ``staff'' and ``permitted-users'' netgroups will have their password information -read from NIS and used unaltered. In other words, they will be allowed -normal access to the machine. Users ``ken'' and ``dennis,'' who have +read from NIS and used unaltered. +In other words, they will be allowed +normal access to the machine. +Users ``ken'' and ``dennis,'' who have been named explicitly rather than through a netgroup, will also have their password data read from NIS, _except_ that user ``ken'' will have his shell remapped to @@ -250,7 +255,8 @@ This means that value for his shell specified in the NIS password map will be overridden by the value specified in the special NIS entry in the local .Pa master.passwd -file. User ``ken'' may have been assigned the csh shell because his +file. +User ``ken'' may have been assigned the csh shell because his NIS password entry specified a different shell that may not be installed on the client machine for political or technical reasons. Meanwhile, users in the ``rejected-users'' netgroup are prevented @@ -261,12 +267,14 @@ User ``mitnick'' will be be ignored entirely because his entry is specified with a `-' instead of a `+'. A minus entry can be used to block out certain NIS password entries completely; users who's password data has been excluded in this way are not recognized by -the system at all. (Any overrides specified with minus entries are +the system at all. +(Any overrides specified with minus entries are also ignored since there is no point in processing override information for a user that the system isn't going to recognize in the first place.) In general, a minus entry is used to specifically exclude a user who might otherwise be granted access because he happens to be a -member of an authorized netgroup. For example, if ``mitnick'' is +member of an authorized netgroup. +For example, if ``mitnick'' is a member of the ``permitted-users'' netgroup and must, for whatever the reason, be permitted to remain in that netgroup (possibly to retain access to other machines within the domain), the administrator @@ -276,12 +284,14 @@ allowed access rather than generate a possibly complicated list of users who are allowed access and omit the rest. .Pp Note that the plus and minus entries are evaluated in order from -first to last with the first match taking precedence. This means +first to last with the first match taking precedence. +This means the system will only use the first entry that matches a particular user. If, for instance, we have a user ``foo'' who is a member of both the ``staff'' netgroup and the ``rejected-users'' netgroup, he will be admitted to the system because the above example lists the entry for ``staff'' -before the entry for ``rejected-users.'' If we reversed the order, +before the entry for ``rejected-users.'' +If we reversed the order, user ``foo'' would be flagged as a ``rejected-user'' instead and denied access. .Pp @@ -294,11 +304,13 @@ entries). In our example shown above, we do not have a wildcard entry at the end of the list; therefore, the system will not recognize anyone except ``ken,'' ``dennis,'' the ``staff'' netgroup and the ``permitted-users'' -netgroup as authorized users. The ``rejected-users'' netgroup will +netgroup as authorized users. +The ``rejected-users'' netgroup will be recognized but all members will have their shells remapped and therefore be denied access. All other NIS password records -will be ignored. The administrator may add a wildcard entry to the +will be ignored. +The administrator may add a wildcard entry to the end of the list such as: .Bd -literal -offset indent +:::::::::/usr/local/bin/go_away @@ -309,7 +321,8 @@ any of the other entries. .Pa /usr/local/bin/go_away can be a short shell script or program that prints a message telling the user that he is not allowed access -to the system. This technique is sometimes useful when it is +to the system. +This technique is sometimes useful when it is desirable to have the system be able to recognize all users in a particular NIS domain without necessarily granting them login access. See the above text on the shell field regarding security concerns when using @@ -318,7 +331,8 @@ a shell script as the login shell. The primary use of this .Pa override feature is to permit the administrator -to enforce access restrictions on NIS client systems. Users can be +to enforce access restrictions on NIS client systems. +Users can be granted access to one group of machines and denied access to other machines simply by adding or removing them from a particular netgroup. Since the netgroup database can also be accessed via NIS, this allows @@ -334,10 +348,12 @@ are stored only in .Pa /etc/master.passwd and .Pa /etc/spwd.db , -which are readable and writable only by the superuser. This is done +which are readable and writable only by the superuser. +This is done to prevent users from running the encrypted passwords through password-guessing programs and gaining unauthorized access to -other users' accounts. NIS does not support a standard means of +other users' accounts. +NIS does not support a standard means of password shadowing, which implies that placing your password data into the NIS passwd maps totally defeats the security of .Tn FreeBSD Ns 's @@ -345,11 +361,13 @@ password shadowing system. .Pp .Tn FreeBSD provides a few special features to help get around this -problem. It is possible to implement password shadowing between +problem. +It is possible to implement password shadowing between .Tn FreeBSD NIS clients and .Tn FreeBSD -NIS servers. The +NIS servers. +The .Xr getpwent 3 routines will search for a .Pa master.passwd.byname @@ -357,7 +375,8 @@ and .Pa master.passwd.byuid maps which should contain the same data found in the .Pa /etc/master.passwd -file. If the maps exist, +file. +If the maps exist, .Tn FreeBSD will attempt to use them for user authentication instead of the standard @@ -368,12 +387,14 @@ maps. .Tn FreeBSD Ns 's .Xr ypserv 8 will also check client requests to make sure they originate on a -privileged port. Since only the superuser is allowed to bind to +privileged port. +Since only the superuser is allowed to bind to a privileged port, the server can tell if the requesting user is the superuser; all requests from non-privileged users to access the .Pa master.passwd -maps will be refused. Since all user authentication programs run +maps will be refused. +Since all user authentication programs run with superuser privilege, they should have the required access to users' encrypted password data while normal users will only be allowed access to the standard @@ -382,7 +403,8 @@ maps which contain no password information. .Pp Note that this feature cannot be used in an environment with .No non- Ns Tn FreeBSD -systems. Note also that a truly determined user with +systems. +Note also that a truly determined user with unrestricted access to your network could still compromise the .Pa master.passwd maps. @@ -407,7 +429,8 @@ This entry will cause all users in the `foo-users' netgroup to have .Pa all of their password information overridden, including UIDs, -GIDs and passwords. The result is that all `foo-users' will be +GIDs and passwords. +The result is that all `foo-users' will be locked out of the system, since their passwords will be remapped to invalid values. .Pp @@ -451,21 +474,25 @@ password .Pa /etc/passwd file is in plain .Tn ASCII -format. The +format. +The .Tn SunOS documentation claims that adding a '+' entry to the password file causes the contents of the NIS password database to be 'inserted' at the position in -the file where the '+' entry appears. If, for example, the +the file where the '+' entry appears. +If, for example, the administrator places the +:::::: entry in the middle of .Pa /etc/passwd, then the entire contents of the NIS password map would appear as though it had been copied into the middle of the password -file. If the administrator places the +:::::: entry at both the +file. +If the administrator places the +:::::: entry at both the middle and the end of .Pa /etc/passwd , then the NIS password map would appear twice: once in the middle -of the file and once at the end. (By using override entries +of the file and once at the end. +(By using override entries instead of simple wildcards, other combinations could be achieved.) .Pp By contrast, @@ -473,7 +500,8 @@ By contrast, does not have a single .Tn ASCII password file: it -has a hashed password database. This database does not have an +has a hashed password database. +This database does not have an easily-defined beginning, middle or end, which makes it very hard to design a scheme that is 100% compatible with .Tn SunOS . @@ -485,8 +513,10 @@ and functions in .Tn FreeBSD are designed to do direct queries to the -hash database rather than a linear search. This approach is faster -on systems where the password database is large. However, when +hash database rather than a linear search. +This approach is faster +on systems where the password database is large. +However, when using direct database queries, the system does not know or care about the order of the original password file, and therefore it cannot easily apply the same override logic used by @@ -495,7 +525,8 @@ it cannot easily apply the same override logic used by Instead, .Tn FreeBSD groups all the NIS override entries together -and constructs a filter out of them. Each NIS password entry +and constructs a filter out of them. +Each NIS password entry is compared against the override filter exactly once and treated accordingly: if the filter allows the entry through unaltered, it's treated unaltered; if the filter calls for remapping @@ -536,13 +567,15 @@ In %99 of all configurations, NIS client behavior will be indistinguishable from that of .Tn SunOS -or other similar systems. Even +or other similar systems. +Even so, users should be aware of these architectural differences. .Pp .Ss Using groups instead of netgroups for NIS overrides .Tn FreeBSD offers the capability to do override matching based on -user groups rather than netgroups. If, for example, an NIS entry +user groups rather than netgroups. +If, for example, an NIS entry is specified as: .Bd -literal -offset indent +@operator::::::::: @@ -567,7 +600,8 @@ was possible for .Fn getpwuid to return a login name that .Fn getpwnam -would not recognize. This has been fixed: overrides specified +would not recognize. +This has been fixed: overrides specified in .Pa /etc/master.passwd now apply to all @@ -580,7 +614,8 @@ netgroup overrides did not work at all, largely because .Tn FreeBSD did not have support for reading -netgroups through NIS. Again, this has been fixed, and +netgroups through NIS. +Again, this has been fixed, and netgroups can be specified just as in .Tn SunOS and similar NIS-capable |