MD5 Passwd's on Solaris 9

From: Hobbs, Richard (hobbs@mongeese.co.uk)
Date: Thu Feb 27 2003 - 07:11:50 EST


Hello,

Following a lengthy, but productive conversation with Casper about enabling
MD5 passwd/shadow files on Solaris 9, we have decided that it would be
beneficial to the members of SunManagers if i summarised our entire
conversation for those who are interested to keep for the future. This
conversation has also been summarised here:
http://unixforum.co.uk/index.php?act=ST&f=15&t=29

=======================================================================
Richard Hobbs:
--------------
Hello,

I have a NIS server set up and working perfectly on my network, but my
solaris machine is using old-style passwords (maximum 8 chars). My NIS
server (being debian linux) is using MD5 passwds (out of choice), so i'd
like to enable this on Solaris 9, so it can successfully use NIS for
authentication on my LAN.

I originally had Solaris 8 on this machine, and i was told that MD5
passwords didn't exist, so i put Solaris 9 on instead. I think Solaris 10
uses MD5 by default, but in Solaris 9 it needs enabling, whereas in
Solaris 8 it wasn't even an option.

Does anyone know how i can enable it?

=======================================================================
Casper Dik:
-----------
required: Solaris 9 update 2 (or Solaris 9 + current patches).

use: automatic (Solaris 9u2 understands *BSD and Linux password hashes)

use as default: edit /etc/security/policy.conf

=======================================================================
Richard Hobbs:
--------------
Thanks for the info... but which patches specifically? I have Solaris 9
09/02 with no extra patches installed at the moment... but how do i find
out which patches i need to install exactly??

Can i just download a "service pack" from somewhere?? (sorry to use
Micro$not terminology).

=======================================================================
Casper Dik:
-----------
sunsolve.sun.com "Recommended & Security" patch bundle has everything,

NOTE 2: To get the complete Flexible Crypt feature, please install the
following patches:

113475-01 (or newer) libsecurity crypt
113476-01 (or newer) passwdutil.so.1
113480-01 (or newer) pam_unix Patch
113481-01 (or newer) nispasswdd
113482-01 (or newer) rpc.ypasswd
113483-01 (or newer) sbin/sulogin
112874-06 (or newer) libc patch

You can also register and download the maintenance update patch bundle
from access1.sun.com

=======================================================================
Richard Hobbs:
--------------
I have another small problem... not only am i unable to download the
specific patches you mentioned previously, i'm unable to install the main
Recommended & Security Patch Cluster. For each and every package i receive:

Patch 112834-02 failed to install due to a failure produced by pkgadd.

and when i check the logfile to see what failed exactly, i see this:

This appears to be an attempt to install the same architecture and
version of a package which is already installed. This installation will
attempt to overwrite this package.

/root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: /root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: cannot open
pkgadd: ERROR: checkinstall script did not complete successfully
Dryrun complete.
No changes were made to the system.

so it seems that the entire contents of the update package are already
installed... surely this can't be right... i think i'm doing something
stupid, but i can't work out what! lol

=======================================================================
Casper Dik:
-----------
Might be the standard checkinstall problem:

The solaris FAQ says:

5.59) Patch installation often fails with "checkinstall" errors.

When installing a patch, the Solaris 2.5+ patch installation procedure
will execute the script "checkinstall" with uid nobody.

If any of the patch files or if any part of the path leading up to the
patch directory cannot be read by nobody, an error similar to the
following will appear:

patchadd . # or ./installpatch .
Generating list of files to be patched...
Verifying sufficient filesystem capacity (exhaustive method) ...
Installing patch packages...
pkgadd: ERROR: checkinstall script did not complete successfully....

You can workaround this in two ways, one is to make sure that the user
"nobody" can read all patch files and execute a "pwd" in the patch
directory or add an account "install" to /etc/passwd:

   install:x:0:1:installpatch braindamage:/:/bin/true

Installpatch and patchadd use "nobody" as a fallback if it cannot find
the "install" user.

--- end of excerpt from the FAQ

The most recently posted version of the FAQ is available from:
http://www.science.uva.nl/pub/solaris/solaris2/

=======================================================================
Casper Dik:
--------------
>> You can also register and download the maintenance update patch
>> bundle from access1.sun.com
>
> Do i need this to enable MD5, or is it merely recommended?

It includes the above patches for those w/o support contract.

(So you can download the maintenance update and just install the
necessary patches from it)

(the solregis command should take care of registering)

=======================================================================
Richard Hobbs:
--------------
> NOTE 2: To get the complete Flexible Crypt feature, please install the
> following patches:

Does this mean flexible in the way that i can choose whether i want to
use MD5 or not?

> (the solregis command should take care of registering)

why do i need to do this though?

=======================================================================
Casper Dik:
-----------
>> NOTE 2: To get the complete Flexible Crypt feature, please install the
>> following patches:
>
> Does this mean flexible in the way that i can choose whether i want to
> use MD5 or not?

The implementation allows you to select a default hash algorithm (default
still standard crypt). In all cases the implementation will look at the
hash to see what algorithm to use; the supported algorithms are __unix__
and:

1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1

I believe that "1" is the md5 algorithm used by Linux; "2a" is the BSD
blowfish based algorithm and "md5" is a Sun md5 variant.

You can also write your own crypt module and "plug it in" if you want to.

Encrypted passwords using all algorithms can coexist as the used
algorithm is encoded in the crypt output string.

>> (the solregis command should take care of registering)
>
> why do i need to do this though?

To get login access to access1.sun.com/solarissolve which has the
maintenance updates.

=======================================================================
Richard Hobbs:
--------------
Ah..... so when i install the patches from access1.sun.com, i will be
able to change to md5... cool!

I tried to run the solregis command, but i'm currently unable to export
my DISPLAY from home to work (cos i SSH into my gateway, and then SSH into
my Solaris box, so the X-Tunnelling gets broken). I'll run this command
when i get home.

What file contains the following stuff though? Should i just search
/etc/ for files containing "crypt_"??

1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1

=======================================================================
Casper Dik:
-----------
Patch 113475-02 has the crypt modules.
Patch 112874-09 (libc) has /etc/security/crypt.conf

Those two combined, I think, give the necessary client side support for
using but not changing the passwords.
(And you can't use them for root because of statically linked
/sbin/sulogin)

113480-01 might be needed, but I think not.

=======================================================================
Richard Hobbs:
--------------

In that case, i shall register and then install patches 113475-02 and
112874-09. Just to finally confirm... if i install these patches and
configure, my Solaris box will recognise the MD5-encrypted passwords
served by my NIS server, but the users won't be able to change their
passwords from this machine... they will have to log into a different
machine to do that... that's fine for what i need.

> Correct; but you can just as well install all of the needed patches
> (all are part of MU2)

One other point is that i don't need to enhance the encryption on the
root password, as it already allows passwords above 8 chars for the root
password. Whether this uses advanced encryption, i'm not sure (although i
doubt it), but the only reason for needing better encryption was to make
the user accounts compatible with my NIS server, and as the root account
isn't taken from NIS, this isn't a problem.

Thanks a lot for your help.

=======================================================================

The end of the story is that i think i'm gonna try to get hold of
Solaris 9 12/02 first, but if not, this will all come in very useful, so
a *BIG* thank you to Casper for all his help with this.

-- 
Richard Hobbs
hobbs@mongeese.co.uk
http://mongeese.co.uk | http://fishsponge.co.uk
"There's only one way of life, and that's your own" - The Levellers
_____________________________________________________
Send all your jokes to jokes@fishsponge.co.uk !!
To subscribe, email: jokes-subscribe@fishsponge.co.uk
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Richard Sullivan
Do not condemn the judgment of another because it differs from your own.
You may both be wrong. -Dandemis
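
Casper's point that the algorithm is encoded in the crypt output string can be checked against a passwd or NIS map before relying on a client. This is an added example, not code from the thread: the function names and sample entries are constructed, the hash text is placeholder data, and the `$6$` entry stands in for any identifier outside the list given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: read the algorithm identifier out of
# crypt strings, which is how the thread says the module is selected.

SUPPORTED="__unix__ 1 2a md5"     # the algorithms listed in the thread

# crypt_alg FIELD: print the identifier, "none" (empty) or "locked" (no hash)
crypt_alg() {
    case "$1" in
        '')   echo none ;;
        '$'*) rest=${1#?}         # drop the leading '$'
              # Assumption: the identifier ends at '$', or at ',' when
              # parameters such as rounds follow it.
              id=$(printf '%s\n' "$rest" | sed 's/[$,].*//')
              if [ -n "$id" ] && [ "$id" != "$rest" ]; then echo "$id"
              else echo locked; fi ;;
        *[!./0-9A-Za-z]*) echo locked ;;      # e.g. *LK*
        *)    if [ "${#1}" -eq 13 ]; then echo __unix__
              else echo locked; fi ;;         # e.g. NP, x
    esac
}

# audit_map: passwd-format lines on stdin -> "user algorithm verdict"
audit_map() {
    while IFS=: read -r user field _rest; do
        alg=$(crypt_alg "$field")
        case "$alg" in
            __unix__)    verdict=legacy ;;       # old-style crypt
            none|locked) verdict=not-a-hash ;;
            *) case " $SUPPORTED " in
                   *" $alg "*) verdict=ok ;;
                   *)          verdict=unsupported ;;
               esac ;;
        esac
        echo "$user $alg $verdict"
    done
}

# Constructed entries; the hash text is placeholder data, not real hashes.
sample_map() {
    cat <<'EOF'
alice:$1$c0nstruc$placeholderplaceholder:1001:10::/home/alice:/bin/sh
bob:aaBBccDDeeFF1:1002:10::/home/bob:/bin/sh
carol:$2a$04$placeholderplaceholderplaceholder:1003:10::/home/carol:/bin/sh
dave:$md5,rounds=904$c0nstruc$$placeholder:1004:10::/home/dave:/bin/sh
erin:*LK*:1005:10::/home/erin:/bin/sh
frank:$6$c0nstruc$placeholder:1006:10::/home/frank:/bin/sh
EOF
}

sample_map | audit_map
```

Entries reported as `unsupported` are the ones a client with only the listed modules could not verify; `legacy` entries are the old-style hashes the thread set out to move away from.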
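
The FAQ excerpt's first workaround (make every part of the path and every patch file readable by "nobody") can be checked before running patchadd. This is an added example, not code from the thread or the FAQ: the function names are hypothetical, the demo tree and its modes are constructed to mirror the path in the log above, and it assumes "nobody" gets access only through the "other" permission bits (no group membership or ACLs).

```shell
#!/bin/sh
# Added example: find what stops "nobody" from reading a patch directory.
# Assumption: nobody gets access only through the "other" permission bits.

# path_blockers DIR [TOP]: print each directory from DIR up to TOP
# (default /) that "other" cannot both read and search.
path_blockers() {
    p=$(cd "$1" && pwd -P) || return 1
    top=$(cd "${2:-/}" && pwd -P) || return 1
    while :; do
        case "$(ls -ld "$p" | cut -c8-10)" in
            r?[xt]) ;;                    # readable and searchable
            *) echo "$p" ;;
        esac
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
}

# unreadable_files DIR: print directories lacking other r-x and
# files lacking other r anywhere below DIR.
unreadable_files() {
    find "$1" \( -type d ! -perm -005 \) -o \( ! -type d ! -perm -004 \)
}

# Constructed tree mirroring the path in the thread's log; modes are assumed.
demo() (
    umask 022
    t=$(mktemp -d) && t=$(cd "$t" && pwd -P) && chmod 755 "$t" || exit 1
    d="$t/root/9_Recommended/113068-01"
    mkdir -p "$d/SUNWcarx.u/install"
    : > "$d/SUNWcarx.u/install/checkinstall"
    chmod 600 "$d/SUNWcarx.u/install/checkinstall"   # script not world-readable
    chmod 700 "$t/root"                              # parent closed to "other"
    { path_blockers "$d" "$t"; unreadable_files "$d"; } | sed "s|^$t||"
    rm -rf "$t"
)

demo
```

On a real system, call `path_blockers` and `unreadable_files` with the unpacked patch directory; any line printed is a path the checkinstall script, running as nobody, would fail on.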


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:53 EDT