

Hello everyone,

I want to make this e-mail a bit different from the usual
I-need-help-to-solve-a-problem message; first I'll describe a general
problem and how to solve it with pam, and then I'll move on to explain why
this doesn't work with the current pam modules.

Description of the problem

I have a system made of a LAN of debian linux boxes; one of them is a NIS
server and the rest are of course NIS clients.  Most of the users are
managed by NIS but some are not, like root and the system users
(mail, bin, man, etc.).  The NIS server uses the stable potato release and the
clients the testing woody.

I want to use the password aging ability of shadow and force a good
password selection by the users, and I don't want to teach the users about
a new command to change their passwords (yppasswd).  The first requisite
is easy since NIS supports shadow passwords; for the second and third I
have to use pam and passwd.

Theoretical solution, real difficulties

To configure passwd to change NIS and local passwords, and to make sure that
the new passwords are "good ones", the file to edit is /etc/pam.d/passwd and
within this the module-type password.  The pam module to check the quality
of the new passwords is pam_cracklib, and the pam modules that make the
actual change of the passwords are pam_unix (the one included in the pam
distribution) and pam_unix2 from Thorsten Kukuk; there is a third option,
pam_pwdb, but this one has been dropped in debian woody and I can't find
the source code anywhere, so I couldn't try this one.

Let's see how to do it with each of these modules:

pam_unix

This module includes support for changing NIS passwords; for this I have to
use the option nis in the module-type password, like in the following:

password   required   pam_unix.so obscure min=4 max=8 md5 nis

If this is the only line in the /etc/pam.d/passwd file, every time a user
issues a passwd command to change her password the pam_unix module will try
to change it in the NIS server; if the user is not managed by NIS the
module will return an error (or something worse, see below) and finish.

I want to manage local accounts too, so I stack another entry of the
pam_unix module:

password   sufficient   pam_unix.so obscure min=4 max=8 md5 nis
password   required   pam_unix.so obscure min=4 max=8 md5 use_first_pass

In this case the first entry tries to change the password in the NIS
server; if it succeeds everything is all right and the second entry is not
reached.  If the first entry returns with an error, hopefully because the user
is not a "NIS user", then the second entry takes control, and this one tries
to change the password in the local /etc/passwd and /etc/shadow files; the
use_first_pass option is there so that the user is not prompted again for
her old and new passwords.

Finally to check the strength of the new passwords chosen by the users the
pam_cracklib module can be stacked too:

password   required     pam_cracklib.so retry=3 minlen=9 difok=3
password   sufficient   pam_unix.so obscure min=4 max=8 md5 nis use_authtok
password   required     pam_unix.so obscure min=4 max=8 md5 use_first_pass


Unfortunately pam_unix has some serious problems changing NIS passwords
that render it useless for this task:

-When root wants to change the password of a "NIS user" from a NIS client,
 he is asked for the root password in the NIS server, and then for the new
 password for the user.  The problem is that the root password just asked
 for is sent in clear text over the network and anyone can sniff it; the
 yppasswd command has this same problem but not the module pam_unix2 (see
 below).  In my opinion it is not the root password but the old user's
 password that should be asked for.

-When root wants to change her own or any other user's password, pam_unix
 doesn't check whether this user is managed by NIS or is a local user; it
 simply tries to change the password in the NIS server.  With this behaviour
 we can end up with the following situation: if we have a user that is local
 but exists in both the NIS server and the NIS client, and we try to change
 the password of that user in the NIS client, we will find out later to our
 surprise that we changed the password of the local user in the NIS server
 and not in the client.  This may sound like a riddle, so I will give an
 example: let's suppose that the root account is local in every system and
 I try to change the root password in one of the NIS clients.  This account
 exists in the NIS server too, so because pam_unix doesn't check whether
 root is a local or NIS account but tries to change the password in the NIS
 server, we end up with a new password for the root account in the NIS
 server and not in the client as was intended.  The command yppasswd
 doesn't have this problem and checks with the NIS server to make sure that
 the password that it's about to change belongs to a NIS managed account.

pam_unix2

This module from Thorsten Kukuk improves the NIS support for changing
passwords compared to the standard pam_unix module, although it has a smaller
number of options than the former.  pam_unix2 doesn't need a specific
option to change NIS passwords; it's "clever" enough to find out
whether the account it's dealing with is local or NIS.  In this case the
configuration of the file /etc/pam.d/passwd is simpler:

password   required     pam_cracklib.so retry=3 minlen=9 difok=3
password   required     pam_unix2 md5 use_authok

In the first entry pam_cracklib checks the quality of the new password and
in the second the correct password is changed, be it local or NIS.  With
pam_unix2, when the root user in a NIS client wants to change the NIS
password of a normal user, he is not asked for the root password of the NIS
server but for the old password of the user; the philosophy here is that
it's enough to know the user's password to be able to change it.


This module is promising but unfortunately it is not ready enough for general
use in the situation shown here; the problems found were:

-The debug option described in the documentation doesn't work and causes an
 error through syslog:

 petrel PAM-unix2[2880]: password: Unknown option: debug

-When a password is changed successfully there is no record through syslog.

-The option use_authok described in the documentation and essential for
 this situation is not supported, giving the following error through syslog:

 petrel PAM-unix2[3501]: password: Unknown option: use_authok

-The module doesn't work at all when it is stacked with pam_cracklib, and
 again this is essential for the described situation.


At this stage of development the two modules shown here are not useful for
solving the situation described initially; I hope they will evolve and the
problems described will be solved soon, so that I and many others can have a
better integrated NIS, PAM and passwd system.

As I said before I couldn't try pam_pwdb, maybe everything works better
with this one.

Comments, suggestions and ideas welcome.
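The stacking behaviour of the three-line /etc/pam.d/passwd configuration above (pam_cracklib required, pam_unix with nis sufficient, pam_unix local required) can be traced with a small simulator of the Linux-PAM control flags. This is an added example, not code from the original e-mail; the module return values for a NIS user and a local user are constructed here to mirror the behaviour the message describes, and the bracketed labels for the two pam_unix lines are names chosen for this illustration.

```python
# Added example, not code from the original e-mail: a minimal simulator of
# the Linux-PAM control flags "required", "requisite" and "sufficient" for
# the password stacks discussed above.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"


def run_stack(stack, results):
    """stack:   list of (control, module) pairs in /etc/pam.d file order.
    results: module name -> status that module returns for this user.
    Returns (status handed back to passwd, list of modules that ran)."""
    ran, required_failed = [], False
    for control, module in stack:
        status = results[module]
        ran.append(module)
        if control == "requisite" and status != PAM_SUCCESS:
            return status, ran                  # abort the stack at once
        if control == "required" and status != PAM_SUCCESS:
            required_failed = True              # remember, but keep running
        if control == "sufficient" and status == PAM_SUCCESS \
                and not required_failed:
            return PAM_SUCCESS, ran             # done: later lines are skipped
        # a failing "sufficient" module is simply ignored
    return (PAM_AUTHTOK_ERR if required_failed else PAM_SUCCESS), ran


# The three-line stack from the e-mail; "[nis]"/"[local]" are labels chosen
# here to tell the two pam_unix lines apart.
STACK = [
    ("required",   "pam_cracklib"),     # quality check of the new password
    ("sufficient", "pam_unix[nis]"),    # pam_unix.so ... nis use_authtok
    ("required",   "pam_unix[local]"),  # pam_unix.so ... use_first_pass
]


def change_password(user_is_nis, password_ok):
    """Simulated outcome of `passwd` for one user with STACK above.
    Constructed results: cracklib rejects a weak password; the nis line only
    succeeds for a NIS-managed account; both pam_unix lines need a token
    that cracklib accepted."""
    if not password_ok:
        nis_status = PAM_AUTHTOK_ERR
    elif user_is_nis:
        nis_status = PAM_SUCCESS
    else:
        nis_status = PAM_USER_UNKNOWN      # not a "NIS user": ignored
    results = {
        "pam_cracklib":    PAM_SUCCESS if password_ok else PAM_AUTHTOK_ERR,
        "pam_unix[nis]":   nis_status,
        "pam_unix[local]": PAM_SUCCESS if password_ok else PAM_AUTHTOK_ERR,
    }
    return run_stack(STACK, results)
```

For a NIS user the local line is never reached, for a local user the failing sufficient line is skipped over, and a weak password fails the stack while still running every line (which is the point of "required" rather than "requisite" for pam_cracklib).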


