Results 1 to 5 of 5

Thread: NIS authentication issues

  1. #1
    wedsall NNTP User

    Default NIS authentication issues

    Hello,
    I've recently set up a suse 10.3 machine with ypserv to replace an old Solaris NIS server which was dieing.
    All clients can bind to this new nis server, however many redhat and Irix machines are unable to authenticate. All nodes can bind, and I can 'su' to any user. However I cannot log in via ssh.

    Please help. I've tried many solutions, many modifications to nsswitch.conf.

    Will

  2. #2
    Chris Cox NNTP User

    Default Re: NIS authentication issues

    On Mon, 2008-06-09 at 15:06 +0000, wedsall wrote:
    > Hello,
    > I've recently set up a suse 10.3 machine with ypserv to replace an old
    > Solaris NIS server which was dieing.
    > All clients can bind to this new nis server, however many redhat and
    > Irix machines are unable to authenticate. All nodes can bind, and I can
    > 'su' to any user. However I cannot log in via ssh.
    >
    > Please help. I've tried many solutions, many modifications to
    > nsswitch.conf.


    What hash are you using inside of NIS for the passwords?



  3. #3
    wedsall NNTP User

    Default Re: NIS authentication issues

    Chris,
    Thanks for your reply.

    I have to admit i'm not sure how to properly answer your question.

    An example of one of my passwords, one starts with $2a

    My nis server's pam passwd file contains the following:
    password requisite pam_pwcheck.so nullok cracklib
    password required pam_unix2.so use_authtok nullok

    My redhat nis client pam passwd file contains the following:
    password required /lib/security/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
    password required /lib/security/pam_deny.so

  4. #4
    Chris Cox NNTP User

    Default Re: NIS authentication issues

    On Mon, 2008-06-09 at 16:56 +0000, wedsall wrote:
    > Chris,
    > Thanks for your reply.
    >
    > I have to admit i'm not sure how to properly answer your question.
    >
    > An example of one of my passwords, one starts with $2a


    I won't swear to this, but it's likely the problem. That means
    your password hashes are stored in blowfish format.

    Try editing your /etc/default/passwd file and changing (or adding)
    CRYPT_YP=des or if you don't mind some loss of protability (in
    favor of better security) CRYPT_YP=md5. Actually, you might
    want to use CRYPT=des if this is the NIS server... that way
    the accounts created locally have a DES hashed password
    and will be exported that way when the NIS maps are created
    and pushed (on my SLES 10 based NIS server we have the following
    in our /etc/default/passwd):

    # This file contains some information for
    # the passwd (1) command and other tools
    # creating or modifying passwords.

    # Define default crypt hash
    # CRYPT={des,md5,blowfish}
    CRYPT=des

    # Use another crypt hash for group passwowrds.
    # This is used by gpasswd, fallback is the CRYPT entry.
    # GROUP_CRYPT=des


    # We can override the default for a special service
    # by appending the service name (FILES, YP, NISPLUS, LDAP)

    # for local files, use a more secure hash. We
    # don't need to be portable here:
    CRYPT_FILES=des
    # sometimes we need to specify special options for
    # a hash (variable is prepended by the name of the
    # crypt hash).
    BLOWFISH_CRYPT_FILES=10

    # For NIS, we should always use DES:
    CRYPT_YP=des


    Then create a new NIS user with a password and see if
    things work better at least for that user.

    There's probably a way to get the RH client to do blowfish.
    The only thing guaranteed to work is DES, but it's easy
    to password crack (especially since they're all exposed
    via NIS). MD5 is better and should work across Linux hosts, but
    some Unix's especially older ones will only support DES.



    >
    > My nis server's pam passwd file contains the following:
    > password requisite pam_pwcheck.so nullok cracklib
    > password required pam_unix2.so use_authtok nullok
    >
    > My redhat nis client pam passwd file contains the following:
    > password required /lib/security/pam_cracklib.so retry=3 type=
    > password sufficient /lib/security/pam_unix.so nullok use_authtok
    > md5 shadow nis
    > password required /lib/security/pam_deny.so
    >
    >



  5. #5
    wedsall NNTP User

    Default Re: NIS authentication issues

    Chris,
    Thanks for your reply.

    This was exactly the problem. I had changed a few passwords manually from the command line on the NIS Server, which set them to blowfish. On the next push of maps, it had pushed those passwords in blowfish.

    Thank you!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •