[comp.unix.admin] Problems setting up passwd.adjunct on SunOS 4.1

duncan@corp.telecom.co.nz (Duncan McEwan) (03/19/91)

I am attempting to set up the passwd.adjunct file support on SunOS 4.1
without the rest of the C2 security stuff.  I have read articles by
William LeFebvre in the August and November 1990 issues of "Sun Observer",
which suggest that this is possible, but things aren't working
properly.  This may be because we are also running NIS, which I don't
think William was.

I have created /etc/security/passwd.adjunct with the following entry for
myself:

	duncan:<my encrypted passwd>:::::

My passwd entry looks like:

	duncan:##duncan:38:5:Duncan McEwan:/rhome/traminer/duncan:/bin/csh

I have run the /var/yp/Makefile to update both the passwd and passwd.adjunct
targets, and have started /usr/etc/pwdauthd on the appropriate machines.

When I try logging on to the NIS master things work OK, but when I log on
to another machine (which incidentally is a NIS secondary server -- I *have*
checked that the appropriate NIS maps are the same as on the master)
I get the message

	No home directory specified in password file! Logging on with home=/

As an experiment, I tried creating myself a local password entry on the
secondary machine.  When I tried logging on then, I got the message

	pwdauth: bad passwd entry for duncan
	Login incorrect

Does anyone out there have some idea as to what is going on here?

A couple more questions have arisen during the course of my experimenting
trying to get the above to work.

Firstly, when I started experimenting, I just created a passwd.adjunct file
with a single entry for myself.  I was the only user with a password in the
NIS passwd.byname map of the form '##username'.  Shortly after, I
started getting complaints from others saying they couldn't log on (they
were getting the message "passwd: Sorry not in adjunct file" :-(.  I had
assumed that perhaps one of the reasons for having a user's /etc/passwd file
entry start with "##" was so you could selectively turn on use of the adjunct
file for some people, but the above seems to indicate that this isn't true.
Could someone confirm/deny this?

Secondly, in William's August 1990 article, he mentions that NIS prevents
non-root users looking at NIS maps that have mode 600 in
/var/yp/<domainname> (obviously without some protection, sites running NIS
wouldn't gain anything from adjunct files -- though given the inherent security
problems with NIS, I'm not sure they gain anything anyway :-).  I experimented
with this by making other maps (e.g., networks.byname) mode 600 but was
still able to ypcat them.  When I try ypcat'ing passwd.adjunct.byname as a
non-root user I certainly get an error ("no such map in servers domain").
Was William right when he described how NIS prevents access to the adjunct
map (in which case I guess I did something wrong in my experiments) or does
the protection work some other way?

One final question -- how does the passwd.adjunct file stuff interact with
password ageing (I know that password ageing is broken when using NIS in
SunOS 4.1, but hopefully that will be fixed in 4.1.1, in which case we may
want to try that out too).

I will summarize any email replies I receive, to interested parties...

Thanks in advance to anyone who can help.

Duncan (duncan@corp.telecom.co.nz or, more frequently, duncan@comp.vuw.ac.nz)
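
As an added example (not code from the original post, and not anything shipped by Sun), here is a POSIX shell function that checks an /etc/passwd-style file against an /etc/security/passwd.adjunct-style file for the kinds of mismatch the post is chasing: a "##user" entry with no adjunct line, an adjunct line with the wrong number of fields, a "##" field that names a different user, and an empty home-directory field (the condition the "No home directory specified in password file!" login message refers to). The field layouts (7 colon-separated fields in both files, adjunct field 1 = login name, field 2 = encrypted password) and the idea that a passwd entry is adjunct-enabled exactly when its password field is "##" followed by its own login name are assumptions drawn from the entries in the post; the sample entries, the placeholder "XXXXXXXXXXXXX" standing in for an encrypted password, and the helper names are constructed for illustration. Under NIS the maps are built from the master's source files by /var/yp/Makefile, so the files to check are those the Makefile reads, not a client's local copies.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sun. It checks that an
# /etc/passwd-style file and an /etc/security/passwd.adjunct-style file agree
# with each other for a "##user" setup. Assumptions: both files use 7
# colon-separated fields, adjunct field 1 is the login name and field 2 the
# encrypted password, and a passwd entry is "adjunct-enabled" when its
# password field is exactly "##" followed by its own login name. All sample
# entries below are constructed; "XXXXXXXXXXXXX" stands in for an encrypted
# password.

# check_adjunct PASSWD_FILE ADJUNCT_FILE
# Prints one diagnostic line per problem found; returns 0 if clean, 1 otherwise.
check_adjunct() {
    problems=$(awk -F: '
        # First file (the adjunct): remember every login name and check shape.
        FILENAME == ARGV[1] {
            if (NF != 7)
                printf "adjunct:%d: %s: expected 7 fields, got %d\n", FNR, $1, NF
            else if ($2 == "")
                printf "adjunct:%d: %s: empty encrypted password field\n", FNR, $1
            adj[$1] = 1
            next
        }
        # Second file (passwd): shape, home directory, and the ## linkage.
        {
            if (NF != 7) {
                printf "passwd:%d: %s: expected 7 fields, got %d\n", FNR, $1, NF
                next
            }
            # An empty home field is what the "No home directory specified"
            # login message in the post complains about.
            if ($6 == "")
                printf "passwd:%d: %s: empty home directory field\n", FNR, $1
            if ($2 ~ /^##/) {
                if ($2 != ("##" $1))
                    printf "passwd:%d: %s: password field %s does not name this user\n", FNR, $1, $2
                if (!($1 in adj))
                    printf "passwd:%d: %s: marked ## but has no adjunct entry\n", FNR, $1
            } else if ($1 in adj) {
                printf "passwd:%d: %s: has an adjunct entry but password field is not ##%s\n", FNR, $1, $1
            }
        }
    ' "$2" "$1")
    [ -n "$problems" ] && printf '%s\n' "$problems"
    [ -z "$problems" ]
}

# write_samples DIR: constructed sample files that exercise each check.
write_samples() {
    cat > "$1/passwd" <<'EOF'
duncan:##duncan:38:5:Duncan McEwan:/rhome/traminer/duncan:/bin/csh
alice:##alice:39:5:Alice Example:/home/alice:/bin/sh
bob:XXXXXXXXXXXXX:40:5:Bob Example::/bin/sh
carol:##dave:41:5:Carol Example:/home/carol:/bin/sh
EOF
    cat > "$1/passwd.adjunct" <<'EOF'
duncan:XXXXXXXXXXXXX:::::
bob:XXXXXXXXXXXXX:::::
carol:XXXXXXXXXXXXX::::
EOF
}

# Stand-alone demonstration: run the check over the constructed files.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if check_adjunct "$demo_dir/passwd" "$demo_dir/passwd.adjunct"; then
    echo "passwd and passwd.adjunct are consistent"
else
    echo "inconsistencies found (see above)"
fi
rm -rf "$demo_dir"
```

On the constructed sample the check reports five problems: carol's adjunct line has six fields, alice is marked "##" but has no adjunct line, bob has an empty home directory and an adjunct line without a "##" password field, and carol's password field "##dave" names a different user; duncan's pair of entries passes. To use it on a real system, point it at the passwd source file and the adjunct file that /var/yp/Makefile builds its maps from, then rebuild and push the maps once the files agree.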