2.5.3 NIS+ and the Trusted System
Security, by Chris Wong, Prentice Hall PTR; ISBN: 0130330620
Chances are if you are running
NIS+ it is because you have a need to run the systems in trusted-mode. NIS
is not supported on trusted systems, only NIS+. To run a combination of both
NIS+ and trusted-mode, first install and configure NIS+. After NIS+ is
configured, run the "tsconvert" command to switch to trusted system mode on
each server and client.
As a reminder, typically when running NIS+, the system users remain in the
/etc/passwd file and all other non-system users are kept in a NIS+ table.
The /etc/passwd file only contains a list of system users, such as root. The
hashed password can be displayed by any user with access to the /etc/passwd
file. Converting the system to trusted when running NIS+ will create the /tcb
hierarchy and remove the hashed password from the /etc/passwd file.
Remember: any time you convert the system to trusted or make trusted system
changes, keep a root session logged on while you make the change, so that you
still have root access when it is complete.
By converting the system to trusted, we have protected the system users'
hashed passwords from being readable by any user. This, however, does not
protect the regular users' hashed passwords found in the NIS+ table. See
Section 5.4.1: NIS+ and the password Table, for more details on this.
Once the system is converted, all the features and functionality that are
available with a trusted system are now available to all users.
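An added check, not from the book, for verifying the effect described above: after the conversion, no entry in /etc/passwd should still carry a readable hash in its second field. The passwd lines and the hash value in the sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit a passwd-format file for entries whose
# password field still holds a hash. On an HP-UX trusted system the second
# field of /etc/passwd is the "*" placeholder and the hash lives under /tcb.
# The file contents and the hash below are constructed sample data.

# Print "user:field" for every entry whose password field is neither the
# trusted-system "*" placeholder nor "x" (an "x" would indicate a shadow-style
# setup rather than a /tcb one). Anything else is either a readable hash or an
# empty field (no password required), and both deserve attention.
readable_hashes() {
    awk -F: 'NF >= 7 && $2 != "*" && $2 != "x" { print $1 ":" $2 }' "$1"
}

# Return 0 when the file looks fully converted (no readable hashes), 1 otherwise.
passwd_is_converted() {
    [ -z "$(readable_hashes "$1")" ]
}

# Constructed sample: two converted entries and one that still carries a hash.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
oper:abJnggxhB/yWI:20:20::/home/oper:/sbin/sh
EOF

# On a real system, point this at /etc/passwd instead of "$SAMPLE".
if passwd_is_converted "$SAMPLE"; then
    echo "OK: no readable hashes"
else
    echo "WARNING: entries still carrying a hash:"
    readable_hashes "$SAMPLE"
fi
```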
The rpc.nisd process keeps the NIS+ table information synchronized across
the namespace. The information found in the /tcb hierarchy must also be
synchronized across the namespace. This is accomplished with the ttsyncd
Figure 2-5a demonstrates that the trusted system information for a user
named jsmith was modified. The authorized login days and times were added.
The timestamp on the user's trusted system file is 11:14. The information is
replicated on the other server, with a timestamp of 11:17. The ttsyncd
daemon is responsible for keeping trusted system information synchronized
across multiple systems.
The ttsyncd daemon is started by editing the /etc/rc.config.d/comsec file.
There is no flag in this file to set the time interval for synchronization.
The daemon should run and synchronize continuously, needing the "-i0"
option. Since no flag is currently available (November 2001) in the /etc/rc.config.d/comsec
file to set the interval, you may need to edit the /sbin/init.d/comsec file
to add the correct synchronization interval. Read the "man ttsyncd" page for
more details. The ttsyncd daemon should be run on every NIS+ server. It does
not run on NIS+ clients. The ttsyncd daemon keeps the UNIX passwords
After converting a NIS+ system to trusted-mode, the user will be prompted to
change their UNIX password upon their next logon.