[comp.sys.sun] Password Incompatibilities

drm@gaia.gcs.oz.au (David Moline) (01/04/91)

I just ran into a problem which I thought was interesting enough to tell
others about. But first a bit of background.

In the past there have been no problems transferring passwd files around
between various flavours of Suns (I must admit I haven't tested this on a
386i) and Solbournes and various OS releases; it is simply a matter of
copying the old/global passwd file around and away everyone goes using
their old passwords.  Although I don't use it, I guess this is why rdist
is used so much.

Anyway now with SunOS 4.1 the passwd command has options for aging and
expiring passwords (IMHO this is a great feature). However to do this the
extra information is stored next to the encrypted passwd making that field
about 5 characters longer. Machines running 4.1 and above can happily
handle this extra large field, but pre-4.1 machines cannot handle the
extra length and will always fail login attempts (the extra chars work the
same way the * does to disable login access).  I don't know how machines
using NIS/yellow pages will cope as I am not running that here.  Here
follow two password entries, one with the aging feature and one without.
The first will work on any Sun/Solbourne with any OS release, and the
second will only work with OS release 4.1 or greater (BTW the encrypted
passwd is passwd if you want to try this one out):

gcs:1pkuYe7oxCrQ2:300:300:Graphics Comp. Systems:/usr2/guest/gcs:/bin/csh
gcs:1pkuYe7oxCrQ2,3.6F:300:300:Graphics Comp. Systems:/usr2/guest/gcs:/bin/csh
                  ^^^^
                   aging/expiry information

David Moline                  - Graphics Computer Systems
                                Email: drm@gaia.gcs.oz.au

Jim.Cottrell@durham.ac.uk (Technician) (01/07/91)

David Moline writes

>extra information is stored next to the encrypted passwd making that field
>about 5 characters longer. Machines running 4.1 and above can happily

What David is not aware of, as he's not running NIS, is that it is also
NIS incompatible, i.e. yppasswd will not recognise the modified encrypted
passwd.  From looking at the source of an earlier version of yppasswd, the
only real changes that seem to be needed are the strcmp, making it strncmp
so it does not attempt to include the ageing information, and then
modifying the ageing information appended to the encrypted password field
- so anyone with the source of the current version (4.1) prepared to hack
up yppasswd to make it do what SUN intended, then a good idea can become a
real option.

Jim Cottrell, Software Technician.
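
Added example (not part of the original posts and not Sun's yppasswd source): C code showing the strcmp-versus-strncmp comparison Jim Cottrell describes, plus a decoder for the aging suffix in David Moline's second entry. It assumes the traditional System V aging encoding (maximum weeks, minimum weeks, then week of last change counted from 1970, in the ./0-9A-Za-z alphabet, least significant digit first); all function names are hypothetical, and the 13-character string passed as `computed` stands in for what crypt() would return.

```c
#include <string.h>
#define HASH_LEN 13  /* length of a traditional DES crypt(3) result */

/* Map one character of the "./0-9A-Za-z" alphabet to 0..63, or -1. */
static int a64_digit(char c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return c - '0' + 2;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

struct aging { int max_weeks, min_weeks; long last_change_week; };

/* Decode the text after the comma (assumed layout). 0 on success, -1 if absent or malformed. */
int parse_aging(const char *field, struct aging *out)
{
    const char *p = strchr(field, ',');
    size_t n; long mult = 1;
    if (p == NULL) return -1;
    n = strlen(++p);
    if (n < 2 || n > 4) return -1;          /* "Mm" plus up to two week digits */
    if ((out->max_weeks = a64_digit(p[0])) < 0) return -1;
    if ((out->min_weeks = a64_digit(p[1])) < 0) return -1;
    out->last_change_week = 0;
    for (p += 2; *p != '\0'; p++, mult *= 64) {   /* least significant first */
        int d = a64_digit(*p);
        if (d < 0) return -1;
        out->last_change_week += d * mult;
    }
    return 0;
}

/* Whole-field check: fails as soon as an aging suffix is present. */
int match_whole_field(const char *field, const char *computed)
{
    return strcmp(field, computed) == 0;
}

/* Aging-aware check: compare only the hash, then require end of field or ','. */
int match_hash_only(const char *field, const char *computed)
{
    return strlen(computed) == HASH_LEN &&
           strncmp(field, computed, HASH_LEN) == 0 &&
           (field[HASH_LEN] == '\0' || field[HASH_LEN] == ',');
}
```

Under that assumed encoding, the suffix 3.6F decodes to a 5-week maximum, a 0-week minimum and week 1096 after 1 January 1970, which falls in early January 1991.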

henry@zoo.toronto.edu (Henry Spencer) (01/08/91)

In article <1043@brchh104.bnr.ca> drm@gaia.gcs.oz.au (David Moline) writes:
>Anyway now with SunOS 4.1 the passwd command has options for aging and
>expiring passwords (IMHO this is a great feature)...

Actually it is a cretinous feature, unless they've considerably improved
on past implementations of it.  The idea of putting limits on password age
is good, but springing "your password is too old, I insist that you change
it *NOW*" on a user as a surprise is a devastating botch in user
interface.  The result tends to be passwords chosen in haste, i.e. poorly.

For more commentary on this, see Grampp & Morris, "UNIX Operating System
Security", Bell Labs Technical Journal, Oct 1984.  It's amazing that the
people at AT&T and Sun still do not seem to have read this well-known
paper.

If the Space Shuttle was the answer,   | Henry Spencer at U of Toronto Zoology
what was the question?                 |  henry@zoo.toronto.edu   utzoo!henry