[comp.sys.sun] Using the SunOS 4.0 shadow password file

ohnielse@ltf.dth.dk (Ole Holm Nielsen) (05/07/90)

Since the topic of the SunOS 4.0 shadow password file crops up frequently
these days (e.g., v9n140), I would like to pass on a manual procedure for
installing passwd.adjunct and group.adjunct "shadow" files.  The procedure
was developed by Jason Heirtzler of Boston University, and I added a
comment or two (I hope that's OK with you, Jason).  Also, William LeFebvre
contributed.  Here it is: 

[[Ed's Note: The text of this message from jdh@bu-pub.bu.edu has been
removed - see previous message for updated text direct from the author. 
I have retained this message and the extra comments, though. -bdg]]

| From: phil@pex.eecs.nwu.edu (William LeFebvre)

This is really nit-picky, but I was curious why all the other make rules
got away without the quotes.  Turns out that the syntax error is really in
the c2secure rule.  The "make" line of that rule should read:

  make 'NOPUSH=$(NOPUSH)' passwd.adjunct.time group.adjunct.time;\

What's missing is the single quotes around the NOPUSH=...

Final note: The /bin/lockscreen does not verify passwords correctly when
using the C2 security option.  You have to order a fixed binary from Sun.

Ole H. Nielsen
Laboratory of Applied Physics, Building 307
Technical University of Denmark, DK-2800 Lyngby, Denmark
E-mail: ohnielse@ltf.dth.dk
Telephone: (+45) 42 88 24 88 ext. 2317
Telefax:   (+45) 45 93 23 99

jdh@bu-pub.bu.edu (05/07/90)

Here's an update on what I've written on installing sun's C2 security
shadow password file.  Thanks to William LeFebvre and Ole Holm Nielsen for
their comments.

Could this be placed in the archives?

[[Ed's Note: Placed in archives as requested. -bdg]]

FTP:	Hostname : titan.rice.edu (128.42.1.30)
	Directory: sun-spots
	Filename : shadow.howto

Archive Server Address: archive-server@rice.edu
Archive Server Command: send sun-spots shadow.howto

Jason Heirtzler           (617) 353-2780       jdh@bu-pub.bu.edu
Information Technology    Boston University    ..!bu.edu!bu-pub!jdh  

---- 8<  Cut Here >8 ------

HOW TO SET UP A "LOOK ASIDE" PASSWORD FILE UNDER SUNOS 4.0

Make a backup copy of /etc/{passwd,group}

If you haven't already selected the "C2 security software" option from
suninstall when you installed your machine, you will need to do so.   This
I haven't verified myself, but people who didn't select it said they were
missing some files.

If you have sun source, create the directory /etc/security and protect it
mode 711.  You should modify rpc.yppasswdd and change it to force the
passwd.adjunct file to be created mode 600; the way it comes from sun it
will create the file 644 (obviously a bad thing).

If you don't have sun source, and you don't mind installing binaries that
have been built by someone else, anon FTP to bu.edu (128.197.2.6) and pick
up the file binary/security/rpc.yppasswdd

Otherwise, create the directory /etc/security mode 700.  This will cause
the function issecure(3) to always return false for users other than root,
but I haven't seen any adverse effects (yet.)  Neither have I tested it
much, though.  The reason that all of this is needed is that the issecure
looks like

	#include <unistd.h>	/* access(2), F_OK */

	#define PASSWD_ADJ  "/etc/security/passwd.adjunct"

	/* "secure" (C2 mode) simply means the adjunct file can be reached */
	int issecure() {
	        return (access(PASSWD_ADJ, F_OK) == 0);
	}

i.e. if /etc/security isn't readable, then return "secure" !

	bu-foo# ls -lga /etc/security
	total 24
	drwx--s--x  2 root     wheel         512 Mar 27 15:29 ./
	drwxr-sr-x  6 root     wheel        3584 Mar 27 04:46 ../
	-rw-------  1 root     wheel          62 Feb 27 13:00 group.adjunct
	-rw-------  1 root     wheel       10193 Mar 27 15:28 passwd.adjunct

Each entry from /etc/passwd has the encrypted password text commented out
and replaced with the magic token "##user" (the passwd routines now know
how to handle this new format)

	jdh:##jdh:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh

There is an entry in /etc/security/passwd.adjunct that contains the actual
encrypted text

	jdh:aZw5eQq5n0o3k:::::

Make sure "rpc.pwdauthd" starts from rc.local on both the yp master AND
the yp clients (it starts right after rpc.lockd on our machine)

On the YP client, the passwd file ends as it usually does -- with the
string "+::0:0:::".  The client also has its own passwd.adjunct file (in
its own /etc/security dir mode 711)

Ours looks like this

	root:GmXib0plXHJiY:::::
	nobody:*:::::
	daemon:*:::::
	sys:*:::::
	bin:*:::::
	uucp:*:::::
	news:*:::::
	ingres:*:::::
	sync::::::
	sysdiag:*:::::
	+::0:0:::

The group file mirrors the way the passwd file is set up (here the magic
token is different "#$user").

	seven:#$seven:7:jdh,budd

and each entry in group.adjunct looks like this (there is only one colon
per line.)

	seven:*
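As an added example (my own script, not part of Jason's posting or any Sun
tool), the following Python reproduces the two file formats shown above:
it splits a passwd/group file into the "##user" / "#$group" form plus its
adjunct file, checks that every token has a matching adjunct entry, and
audits the modes of /etc/security and the adjunct files, so the mode-644
passwd.adjunct mistake mentioned earlier is caught.  The sample input is
constructed (the jdh line is the one from the posting); the decision to
write an empty group password as "*" is my assumption, based only on the
"seven:*" line above.

```python
"""Build and audit SunOS 4.0 "look-aside" (adjunct) password files.

Added example, not from the original posting.  Formats follow the how-to:
/etc/passwd keeps "##user", /etc/security/passwd.adjunct holds the hash;
/etc/group keeps "#$group", group.adjunct holds "group:*".
"""
import os
import shutil
import stat
import tempfile

PASSWD_TOKEN = "##"   # marker left in the passwd field of /etc/passwd
GROUP_TOKEN = "#$"    # marker left in the passwd field of /etc/group

# Constructed sample input; the jdh line is the one quoted in the posting.
SAMPLE_PASSWD = """root:GmXib0plXHJiY:0:1:Operator:/:/bin/csh
jdh:aZw5eQq5n0o3k:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh
nobody:*:65534:65534::/:
+::0:0:::
"""
SAMPLE_GROUP = """wheel::0:root
seven::7:jdh,budd
"""


def shadow_passwd(passwd_text):
    """Return (passwd_lines, passwd_adjunct_lines).

    YP marker lines ("+..." / "-...") are copied through unchanged, because
    a YP client's passwd file must still end with "+::0:0:::".
    """
    passwd_out, adjunct_out = [], []
    for line in passwd_text.splitlines():
        if not line or line[0] in "+-":
            passwd_out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry: %r" % line)
        user, encrypted = fields[0], fields[1]
        fields[1] = PASSWD_TOKEN + user
        passwd_out.append(":".join(fields))
        # Adjunct line: name, encrypted text, then five empty fields, exactly
        # as in the posting's "jdh:aZw5eQq5n0o3k:::::" example.
        adjunct_out.append("%s:%s:::::" % (user, encrypted))
    return passwd_out, adjunct_out


def shadow_group(group_text):
    """Return (group_lines, group_adjunct_lines); adjunct has one colon/line."""
    group_out, adjunct_out = [], []
    for line in group_text.splitlines():
        if not line or line[0] in "+-":
            group_out.append(line)
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed group entry: %r" % line)
        name, encrypted = fields[0], fields[1]
        fields[1] = GROUP_TOKEN + name
        group_out.append(":".join(fields))
        # Assumption: an empty group password is written as "*" (locked).
        adjunct_out.append("%s:%s" % (name, encrypted or "*"))
    return group_out, adjunct_out


def check_consistency(passwd_lines, adjunct_lines):
    """List problems: leftover hashes, missing or stale adjunct entries."""
    problems = []
    users = {}
    for line in passwd_lines:
        if line and line[0] not in "+-":
            fields = line.split(":")
            users[fields[0]] = fields[1]
    adjunct_users = {line.split(":")[0] for line in adjunct_lines if line}
    for user, pw in users.items():
        if pw != PASSWD_TOKEN + user:
            problems.append("passwd entry for %s still carries %r" % (user, pw))
        if user not in adjunct_users:
            problems.append("no passwd.adjunct entry for %s" % user)
    for user in sorted(adjunct_users - set(users)):
        problems.append("stale passwd.adjunct entry for %s" % user)
    return problems


def audit_security_dir(path):
    """Directory must deny group/other read+write (711 or 700); files 600."""
    problems = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    if dmode & 0o066:
        problems.append("%s is mode %o; expected 711 or 700" % (path, dmode))
    for name in ("passwd.adjunct", "group.adjunct"):
        full = os.path.join(path, name)
        if not os.path.exists(full):
            problems.append("%s is missing" % full)
            continue
        fmode = stat.S_IMODE(os.stat(full).st_mode)
        if fmode & 0o077:
            problems.append("%s is mode %o; expected 600" % (full, fmode))
    return problems


def demo_unsafe_install():
    """Recreate the 'passwd.adjunct created mode 644' mistake in a scratch
    directory and return what the audit reports (one finding expected)."""
    base = tempfile.mkdtemp()
    sec = os.path.join(base, "security")
    os.mkdir(sec)
    os.chmod(sec, 0o711)
    _, adjunct = shadow_passwd(SAMPLE_PASSWD)
    _, gadjunct = shadow_group(SAMPLE_GROUP)
    try:
        for name, lines, mode in (("passwd.adjunct", adjunct, 0o644),
                                  ("group.adjunct", gadjunct, 0o600)):
            full = os.path.join(sec, name)
            with open(full, "w") as fh:
                fh.write("\n".join(lines) + "\n")
            os.chmod(full, mode)
        return audit_security_dir(sec)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    pw, adj = shadow_passwd(SAMPLE_PASSWD)
    print("\n".join(pw), "\n--\n", "\n".join(adj), sep="")
    print("consistency:", check_consistency(pw, adj) or "ok")
    print("audit:", demo_unsafe_install())
```

Running it on a real master would mean feeding /etc/passwd and /etc/group
to the two shadow_* functions and pointing audit_security_dir at
/etc/security after rpc.yppasswdd has rebuilt the maps; the audit is the
part worth keeping in a cron job, since the file mode is what actually
stands between the hashes and every local user.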

Some SunOS 3 programs had to be recompiled to work correctly (anything
that uses the getpw???() stuff?), although nothing we built under 4.0 had
problems after we made the switch.

passwd.adjunct & group.adjunct are YP maps.  There is one minor syntax
error in /var/yp/Makefile -- a missing single quote in the c2secure rule.
It should be changed to read

   make 'NOPUSH=$(NOPUSH)' passwd.adjunct.time group.adjunct.time;\

Good luck!

Jason Heirtzler
Information Technology
Boston University