Re: Linux nis and shadow passwords, non Linux clients

1999-04-23 Thread Andreas Jellinghaus 
> Next problem: The net nis master runs slink. A slink client works after
> shadow has been configured and + added to /etc/shadow.
> A client runs partly potato, and does not work, i.e. it won't accept nis
> passwords. NIS itself appears to work, i.e. I can see the right owners of
> directories, the homedirs are right, etc. Any known incompatibilities
> between glibc2.1 and shadow nis?

glibc2.0 and nis: at least the expire field is not copied into the right
structure. so you always get "-1" when reading the shadow password fields.
this happends only when you are useing the compat mode. if you are useing
"shadow: files nis" it works ok.

if you don't need the extra features of shadow (expiry, password age etc.),
don't use it. many programs do not honor these fileds anyway (e.g. login.app).

andreas

Re: Linux nis and shadow passwords, non Linux clients

1999-04-22 Thread Jens B. Jorgensen 
Nils Rennebarth wrote:

> On Thu, Apr 22, 1999 at 10:01:53AM -0500, Jens B. Jorgensen wrote:
> > Hmmm, perhaps you'll have to generate your own intermediate passwd file to
> > generate the NIS maps. However, I would perhaps reconsider using shadow. 
> > Unless
> > you're only serving up some (not root, etc.) passwords from NIS and have 
> > set up
> > NIS to work this way there's no benefit to running shadow locally since NIS 
> > is
> > 100% insecure (ie. it'll give up password entries to anyone on your network 
> > who
> > asks).
> What I'm worrying about is that a remote cracker guesses a local password
> then logs in on our server and snatches the passwd file to crack the root
> account (not that root has a password that I expect someone to crack, but
> who knows..)
>
> The way it runs currenty, a remote user has to crack a local root account,
> to "ask" for the encrypted passwords.

>
> And yes, I do only serve user passwords > id 100 by NIS.

Understood. Actually, I do something similar: we use NIS behind the firewall 
but the
firewall machine itself is an NIS client. In our situation things were a little
backwards though because we had a Sun serving up the NIS maps and linux boxen as
clients. The sun supports shadow but shadow maps are only served through NIS+.
Unfortunately, NIS+ support is just now coming together in Linux. This is all
academic though...

So, whatcha need to do is customize your /var/yp/Makefile which builds the 
actual db
files. If you open up your /var/yp/Makefile you'll find something like (snipped 
from
my own file):

passwd.byname: $(PASSWD) $(YPDIR)/Makefile
   @echo "Updating [EMAIL PROTECTED]"
@$(UMASK); \
$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
   print $$1"\t"$$0 }' $(PASSWD) | $(DBLOAD) -i $(PASSWD) \
-o $(YPMAPDIR)/$@ - $@
[EMAIL PROTECTED](NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@


passwd.byuid: $(PASSWD) $(YPDIR)/Makefile
@echo "Updating [EMAIL PROTECTED]"
@$(UMASK); \
$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
   print $$3"\t"$$0 }' $(PASSWD) | $(DBLOAD) -i $(PASSWD) \
 -o $(YPMAPDIR)/$@ - $@
[EMAIL PROTECTED](NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

All we need to do is to pull the password field out of /etc/shadow and join it
together with the rest of the data in /etc/passwd before putting it into the db 
file.
We can easily do this using the join command so we modify the the above to:

passwd.byname: $(PASSWD) $(SHADOW) $(YPDIR)/Makefile
   @echo "Updating [EMAIL PROTECTED]"
@$(UMASK); \
/usr/bin/join -t : -j 1 -o 1.1 2.2 1.3 1.4 1.5 1.6 1.7 $(PASSWD) 
$(SHADOW) |
\
$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
   print $$1"\t"$$0 }' | $(DBLOAD) -i $(PASSWD) \
-o $(YPMAPDIR)/$@ - $@
[EMAIL PROTECTED](NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@


passwd.byuid: $(PASSWD) $(SHADOW) $(YPDIR)/Makefile
@echo "Updating [EMAIL PROTECTED]"
@$(UMASK); \
/usr/bin/join -t : -j 1 -o 1.1 2.2 1.3 1.4 1.5 1.6 1.7 $(PASSWD) 
$(SHADOW) |
\
$(AWK) -F: '!/^[-+#]/ { if ($$1 != "" && $$3 >= $(MINUID) ) \
   print $$3"\t"$$0 }' | $(DBLOAD) -i $(PASSWD) \
 -o $(YPMAPDIR)/$@ - $@
[EMAIL PROTECTED](NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

I haven't tested the above (except for the join command itself) but I believe 
it'll
do just exactly right.

--
Jens B. Jorgensen
[EMAIL PROTECTED]

Re: Linux nis and shadow passwords, non Linux clients

1999-04-22 Thread Miquel van Smoorenburg 
In article <[EMAIL PROTECTED]>,
Jens B. Jorgensen <[EMAIL PROTECTED]> wrote:
>Hmmm, perhaps you'll have to generate your own intermediate passwd file to
>generate the NIS maps.

Ah yes, a possibility is to include the password in /etc/password, and
then filter that out again for shadow-capable hosts using /etc/ypserv.conf

> However, I would perhaps reconsider using shadow. Unless
>you're only serving up some (not root, etc.) passwords from NIS and have set up
>NIS to work this way there's no benefit to running shadow locally since NIS is
>100% insecure (ie. it'll give up password entries to anyone on your network who
>asks).

Not true. If set up correctly, it will only serve shadow maps to requests
originating from secure ports (eg < 1023), which means a root process.
Ofcourse that means you do have to trust all root users on your network.

But turning off shadow is certainly the easiest solution (shadowconfig off).
You can still have shadow-like security using /etc/ypserv.conf, a
feature unique to to the Linux NIS server.

Mike.
-- 
Indifference will certainly be the downfall of mankind, but who cares?

Re: Linux nis and shadow passwords, non Linux clients

1999-04-22 Thread Jens B. Jorgensen 
Hmmm, perhaps you'll have to generate your own intermediate passwd file to
generate the NIS maps. However, I would perhaps reconsider using shadow. Unless
you're only serving up some (not root, etc.) passwords from NIS and have set up
NIS to work this way there's no benefit to running shadow locally since NIS is
100% insecure (ie. it'll give up password entries to anyone on your network who
asks).

Nils Rennebarth wrote:

> Again following up on my own posts, sigh:
>
> On Thu, Apr 22, 1999 at 03:22:58PM +0200, Nils Rennebarth wrote:
> > Next problem: The net nis master runs slink. A slink client works after
> > shadow has been configured and + added to /etc/shadow.
> > A client runs partly potato, and does not work, i.e. it won't accept nis
> > passwords. NIS itself appears to work, i.e. I can see the right owners of
> > directories, the homedirs are right, etc. Any known incompatibilities
> > between glibc2.1 and shadow nis?
> Hrmm, deinstalling nis and installing it again worked. This is getting
> Windows like, except that reboots are not necessary.
>
> What should I do however for clients that do not have shadow passwords? Is
> there a way to give them a "made up" password file with entries from real
> passwd and shadow mixed? (security reasons aside)
>
> Nils
>
> --
> Plug-and-Play is really nice, unfortunately it only works 50% of the time.
> To be specific the "Plug" almost always works.--unknown source
>
>   
>Part 1.2Type: application/pgp-signature

--
Jens B. Jorgensen
[EMAIL PROTECTED]

Re: Linux nis and shadow passwords, non Linux clients

1999-04-22 Thread Nils Rennebarth 
Again following up on my own posts, sigh:

On Thu, Apr 22, 1999 at 03:22:58PM +0200, Nils Rennebarth wrote:
> Next problem: The net nis master runs slink. A slink client works after
> shadow has been configured and + added to /etc/shadow.
> A client runs partly potato, and does not work, i.e. it won't accept nis
> passwords. NIS itself appears to work, i.e. I can see the right owners of
> directories, the homedirs are right, etc. Any known incompatibilities
> between glibc2.1 and shadow nis?
Hrmm, deinstalling nis and installing it again worked. This is getting
Windows like, except that reboots are not necessary.

What should I do however for clients that do not have shadow passwords? Is
there a way to give them a "made up" password file with entries from real
passwd and shadow mixed? (security reasons aside)

Nils

--
Plug-and-Play is really nice, unfortunately it only works 50% of the time.
To be specific the "Plug" almost always works.--unknown source


pgp46YKJiRKiD.pgp
Description: PGP signature

Linux nis and shadow passwords, non Linux clients

1999-04-22 Thread Nils Rennebarth 
I recently switched our nis master server from AIX to linux.
There are still a number of AIX hosts that should be run as nis clients or
nis slaves.

How do non shadow password clients get the password entries?
How do I make it on AIX which doesn't have shadow passwords but a 
similar mechanism using /etc/security/passwd with a syntax linke this:

root:
password = mYfasd/89ßsx # this is not the right one of course
lastupdate = 829567557
flag =

nextuser:

Next problem: The net nis master runs slink. A slink client works after
shadow has been configured and + added to /etc/shadow.
A client runs partly potato, and does not work, i.e. it won't accept nis
passwords. NIS itself appears to work, i.e. I can see the right owners of
directories, the homedirs are right, etc. Any known incompatibilities
between glibc2.1 and shadow nis?


Nils

--
Plug-and-Play is really nice, unfortunately it only works 50% of the time.
To be specific the "Plug" almost always works.--unknown source


pgpXEJnRtee2r.pgp
Description: PGP signature