Diffstat (limited to 'share/man/man5')
-rw-r--r-- | share/man/man5/link.5 | 13 |
-rw-r--r-- | share/man/man5/passwd.5 | 154 |
-rw-r--r-- | share/man/man5/skey.access.5 | 4 |
3 files changed, 121 insertions, 50 deletions
diff --git a/share/man/man5/link.5 b/share/man/man5/link.5 index dc2809d..86f1823 100644 --- a/share/man/man5/link.5 +++ b/share/man/man5/link.5 @@ -26,7 +26,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $Id$ +.\" $Id: link.5,v 1.11 1997/02/22 13:26:03 peter Exp $ .\" .Dd October 23, 1993 .Dt LINK 5 @@ -126,9 +126,12 @@ and .Xr ld.so 1 are .Em LD_VERSION_SUN (3), -which is used by the SunOS 4.x releases, and +which is used by the +.Tn SunOS +4.x releases, and .Em LD_VERSION_BSD (8), -which is currently in use by FreeBSD since release 1.1. +which has been in use since +.Fx 1.1 . .It Fa d_un Refers to a .Em d_version @@ -482,7 +485,9 @@ was loaded by crt0. .It Fa crt_dzfd On SunOS systems, this field contains an open file descriptor to .Dq Pa /dev/zero -used to get demand paged zeroed pages. On FreeBSD systems it contains -1. +used to get demand paged zeroed pages. On +.Tn FreeBSD +systems it contains -1. .It Fa crt_ldfd Contains an open file descriptor that was used by crt0 to load .Nm ld.so . diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5 index db605da..1c906ee 100644 --- a/share/man/man5/passwd.5 +++ b/share/man/man5/passwd.5 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93 -.\" $Id: passwd.5,v 1.14 1997/03/12 14:05:36 mpp Exp $ +.\" $Id: passwd.5,v 1.15 1997/03/14 02:37:27 mpp Exp $ .\" .Dd September 29, 1994 .Dt PASSWD 5 @@ -185,7 +185,9 @@ Check the specific shell documentation to determine how this is done with other shells. .Sh YP/NIS INTERACTION .Ss Enabling access to NIS passwd data -The system administrator can configure FreeBSD to use NIS/YP for +The system administrator can configure +.Tn FreeBSD +to use NIS/YP for its password information by adding special records to the .Pa /etc/master.passwd file. These entries should be added with 
@@ -209,7 +211,9 @@ with only a plus sign (`+') in the name field, such as this: .Ed The `+' will tell the .Xr getpwent 3 -routines in FreeBSD's standard C library to begin using the NIS passwd maps +routines in +.Tn FreeBSD Ns 's +standard C library to begin using the NIS passwd maps for lookups. .Pp Note that the entry shown above is known as a @@ -324,7 +328,8 @@ the NIS master server; once a host's access list has been set in it need not be modified again unless new netgroups are created. .Sh NOTES .Ss Shadow passwords through NIS -FreeBSD uses a shadow password scheme: users' encrypted passwords +.Tn FreeBSD +uses a shadow password scheme: users' encrypted passwords are stored only in .Pa /etc/master.passwd and @@ -334,12 +339,17 @@ to prevent users from running the encrypted passwords through password-guessing programs and gaining unauthorized access to other users' accounts. NIS does not support a standard means of password shadowing, which implies that placing your password data -into the NIS passwd maps totally defeats the security of FreeBSD's +into the NIS passwd maps totally defeats the security of +.Tn FreeBSD Ns 's password shadowing system. .Pp -FreeBSD provides a few special features to help get around this +.Tn FreeBSD +provides a few special features to help get around this problem. It is possible to implement password shadowing between -FreeBSD NIS clients and FreeBSD NIS servers. The +.Tn FreeBSD +NIS clients and +.Tn FreeBSD +NIS servers. The .Xr getpwent 3 routines will search for a .Pa master.passwd.byname 
@@ -347,12 +357,15 @@ and .Pa master.passwd.byuid maps which should contain the same data found in the .Pa /etc/master.passwd -file. If the maps exist, FreeBSD will attempt to use them for user +file. If the maps exist, +.Tn FreeBSD +will attempt to use them for user authentication instead of the standard .Pa passwd.byname and .Pa passwd.byuid -maps. FreeBSD's +maps. +.Tn FreeBSD Ns 's .Xr ypserv 8 will also check client requests to make sure they originate on a privileged port. Since only the superuser is allowed to bind to @@ -368,13 +381,17 @@ be allowed access to the standard maps which contain no password information. .Pp Note that this feature cannot be used in an environment with -non-FreeBSD systems. Note also that a truly determined user with +.No non- Ns Tn FreeBSD +systems. Note also that a truly determined user with unrestricted access to your network could still compromise the .Pa master.passwd maps. .Ss UID and GID remapping with NIS overrides -Unlike SunOS and other operating systems that use Sun's NIS code, -FreeBSD allows the user to override +Unlike +.Tn SunOS +and other operating systems that use Sun's NIS code, +.Tn FreeBSD +allows the user to override .Pa all of the fields in a user's NIS .Pa passwd @@ -400,7 +417,9 @@ using an NIS wildcard entry that looks like this: +:*:0:0::: .Ed -This often leads to new FreeBSD administrators choosing NIS entries for their +This often leads to new +.Tn FreeBSD +administrators choosing NIS entries for their .Pa master.passwd files that look like this: .Bd -literal -offset indent 
@@ -412,10 +431,12 @@ Or worse, this +::0:0:::::: .Ed -.Pa DO _NOT_ PUT ENTRIES LIKE THIS IN YOUR -.Nm master.passwd -.Pa FILE!! -The first tells FreeBSD to remap all passwords to `*' (which +.Sy DO _NOT_ PUT ENTRIES LIKE THIS IN YOUR +.Sy Pa master.passwd +.Sy FILE!! +The first tells +.Tn FreeBSD +to remap all passwords to `*' (which will prevent anybody from logging in) and to remap all UIDs and GIDs to 0 (which will make everybody appear to be the superuser). The second case just maps all UIDs and GIDs to 0, which means that @@ -424,9 +445,15 @@ second case just maps all UIDs and GIDs to 0, which means that .Ss Compatibility of NIS override evaluation When Sun originally added NIS support to their .Xr getpwent 3 -routines, they took into account the fact that the SunOS password +routines, they took into account the fact that the +.Tn SunOS +password .Pa /etc/passwd -file is in plain ASCII format. The SunOS documentation claims that +file is in plain +.Tn ASCII +format. The +.Tn SunOS +documentation claims that adding a '+' entry to the password file causes the contents of the NIS password database to be 'inserted' at the position in the file where the '+' entry appears. If, for example, the 
@@ -441,22 +468,33 @@ then the NIS password map would appear twice: once in the middle of the file and once at the end. (By using override entries instead of simple wildcards, other combinations could be achieved.) .Pp -By contrast, FreeBSD does not have a single ASCII password file: it +By contrast, +.Tn FreeBSD +does not have a single +.Tn ASCII +password file: it has a hashed password database. This database does not have an easily-defined beginning, middle or end, which makes it very hard -to design a scheme that is 100% compatible with SunOS. For example, +to design a scheme that is 100% compatible with +.Tn SunOS . +For example, the .Fn getpwnam and .Fn getpwuid -functions in FreeBSD are designed to do direct queries to the +functions in +.Tn FreeBSD +are designed to do direct queries to the hash database rather than a linear search. This approach is faster on systems where the password database is large. However, when using direct database queries, the system does not know or care about the order of the original password file, and therefore -it cannot easily apply the same override logic used by SunOS. +it cannot easily apply the same override logic used by +.Tn SunOS . .Pp -Instead, FreeBSD groups all the NIS override entries together +Instead, +.Tn FreeBSD +groups all the NIS override entries together and constructs a filter out of them. Each NIS password entry is compared against the override filter exactly once and treated accordingly: if the filter allows the entry through 
@@ -472,10 +510,16 @@ in the .Pa /etc/master.passwd file since doing otherwise would lead to unpredicable behavior. .Pp -The end result is that FreeBSD's provides a very close approximation -of SunOS's behavior while maintaining the database paradigm, though the +The end result is that +.Tn FreeBSD Ns 's +provides a very close approximation +of +.Tn SunOS Ns 's +behavior while maintaining the database paradigm, though the .Xr getpwent 3 -functions do behave somewhat differently that their SunOS counterparts. +functions do behave somewhat differently that their +.Tn SunOS +counterparts. The primary differences are: .Bl -bullet -offset indent .It @@ -487,12 +531,17 @@ affect where NIS password records will be mapped into the password space. .El .Pp -In %99 of all FreeBSD configurations, NIS client behavior will be -indistinguishable from that of SunOS or other similar systems. Even +In %99 of all +.Tn FreeBSD +configurations, NIS client behavior will be +indistinguishable from that of +.Tn SunOS +or other similar systems. Even so, users should be aware of these architectural differences. .Pp .Ss Using groups instead of netgroups for NIS overrides -FreeBSD offers the capability to do override matching based on +.Tn FreeBSD +offers the capability to do override matching based on user groups rather than netgroups. If, for example, an NIS entry is specified as: .Bd -literal -offset indent 
@@ -503,8 +552,10 @@ the system will first try to match users against a netgroup called `operator.' If an `operator' netgroup doesn't exist, the system will try to match users against the normal `operator' group instead. -.Ss Changes in behavior from older versions of FreeBSD -There have been several bug fixes and improvements in FreeBSD's +.Ss Changes in behavior from older versions of +.Tn FreeBSD +There have been several bug fixes and improvements in +.Tn FreeBSD Ns 's NIS/YP handling, some of which have caused changes in behavior. While the behavior changes are generally positive, it is important that users and system administrators be aware of them: 
@@ -524,31 +575,42 @@ now apply to all .Xr getpwent 3 functions. .It -Prior to FreeBSD 2.0.5, netgroup overrides did not work at -all, largely because FreeBSD did not have support for reading +Prior to +.Fx 2.0.5 , +netgroup overrides did not work at +all, largely because +.Tn FreeBSD +did not have support for reading netgroups through NIS. Again, this has been fixed, and -netgroups can be specified just as in SunOS and similar NIS-capable +netgroups can be specified just as in +.Tn SunOS +and similar NIS-capable systems. .It -FreeBSD now has NIS server capabilities and supports the use +.Tn FreeBSD +now has NIS server capabilities and supports the use of .Pa master.passwd NIS maps in addition to the standard Sixth Edition format .Pa passwd maps. This means that you can specify change, expiration and class -information through NIS, provided you use a FreeBSD system as +information through NIS, provided you use a +.Tn FreeBSD +system as the NIS server. .El .Sh FILES .Bl -tag -width /etc/master.passwd -compact .It Pa /etc/passwd -ASCII password file, with passwords removed +.Tn ASCII +password file, with passwords removed .It Pa /etc/pwd.db .Xr db 3 -format password database, with passwords removed .It Pa /etc/master.passwd -ASCII password file, with passwords intact +.Tn ASCII +password file, with passwords intact .It Pa /etc/spwd.db .Xr db 3 -format password database, with passwords intact @@ -571,11 +633,13 @@ The YP/NIS password database makes encrypted passwords visible to ordinary users, thus making password cracking easier unless you use shadow passwords with the .Pa master.passwd -maps and FreeBSD's +maps and +.Tn FreeBSD Ns 's .Xr ypserv 8 server. .Pp -Unless you're using FreeBSD's +Unless you're using +.Tn FreeBSD Ns 's .Xr ypserv 8 , which supports the use of .Pa master.passwd 
@@ -583,7 +647,9 @@ type maps, the YP/NIS password database will be in old-style (Sixth Edition) format, which means that site-wide values for user login class, password expiration date, and other fields present in the current format -will not be available when a FreeBSD system is used as a client with +will not be available when a +.Tn FreeBSD +system is used as a client with a standard NIS server. .Sh COMPATIBILITY The password file format has changed since @@ -611,8 +677,8 @@ file format appeared in The YP/NIS functionality is modeled after .Tn SunOS and first appeared in -.Tn FreeBSD -1.1. The override capability is new in +.Fx 1.1 +The override capability is new in .Fx 2.0 . The override capability was updated to properly support netgroups in diff --git a/share/man/man5/skey.access.5 b/share/man/man5/skey.access.5 index 009f866..710187b 100644 --- a/share/man/man5/skey.access.5 +++ b/share/man/man5/skey.access.5 @@ -1,9 +1,9 @@ .\" this is comment -.\" $Id$ +.\" $Id: skey.access.5,v 1.5 1997/02/22 13:26:07 peter Exp $ .\" .Dd April 30, 1994 .Dt SKEY.ACCESS 5 -.Os FreeBSD 1.2 +.Os FreeBSD .Sh NAME .Nm skey.access .Nd List of S/Key obligated host addresses |
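Review bot: In the link.5 hunk at -482,7 the unchanged line "On SunOS systems, this field contains an open file descriptor to" still carries SunOS as plain text, while the sentence right after it now marks FreeBSD with `.Tn` and the hunk at -126,9 already uses `.Tn SunOS`. Suggest converting this occurrence as well so the `crt_dzfd` entry is marked up consistently.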
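Review bot: In the passwd.5 hunk at -412,10, `.Sy Pa master.passwd` passes its only argument straight to `Pa`, so `.Sy` has no text of its own to emphasize and the file name will most likely render in path style rather than matching the rest of the warning. Since this is the line telling administrators not to remap every UID and GID to 0, it should stand out as one unit: either keep the name inside the `.Sy` text or use a plain `.Pa master.passwd` line and drop the redundant `Sy`.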
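Review bot: The rewritten lines in the passwd.5 hunk at -472,10 carry over two wording errors from the old text: `.Tn FreeBSD Ns 's` followed by "provides" still reads "FreeBSD's provides", and "differently that their" should be "differently than their". The context line "unpredicable behavior" in the same hunk is also misspelled. Since these lines are being touched anyway, fix the wording in the same commit.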
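Review bot: In the passwd.5 hunk at -487,12 the new line "In %99 of all" keeps the misplaced percent sign; it should read "99%". Worth correcting while the sentence is being re-wrapped around `.Tn FreeBSD`.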
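Review bot: In the passwd.5 hunk at -503,8 the subsection title is split across two lines, `.Ss Changes in behavior from older versions of` followed by `.Tn FreeBSD`. `.Ss` only takes the arguments on its own line, so the title will be cut off at "of" and "FreeBSD" will become the first word of the body text. Keep the title on one line, for example `.Ss Changes in behavior from older versions of Tn FreeBSD`.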
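Review bot: In the passwd.5 hunk at -611,8 the replacement `.Fx 1.1` drops the sentence-ending period that the old "1.1." line had, so the HISTORY text will run "FreeBSD 1.1 The override capability is new in" without a full stop. The other conversions in this patch use the trailing-punctuation form (`.Fx 1.1 .` in link.5, `.Fx 2.0 .` in the next context line); use `.Fx 1.1 .` here too.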