Password Strength and Aging checking w/NIS

Ted Beaton tbeaton at plansysit.com
Mon May 9 16:47:37 UTC 2005


Jan Rekorajski wrote:
> On Fri, 22 Apr 2005, Ted Beaton wrote:
> 
> 
>>
>>Jan Rekorajski wrote:
>>
>>>On Fri, 22 Apr 2005, Ted Beaton wrote:
>>>
>>>
>>>
>>>>Does anyone know how to get NIS to use pam for password strength 
>>>>checking and password aging?  All I've been able to get it to do is use 
>>>>pam for authentication/login.
>>>
>>>
>>>There is a 'nis' option to pam_unix.so, so you can just use pam on
>>>clients as usual, just tell pam_unix in password section to do the
>>>change via NIS.
>>>
>>>Jan
>>
>>Are you talking about the following line in the /etc/pam.d/system-auth 
>>file?
>>
>><<password sufficient /lib/security/$ISA/pam_unix.so use_authtok md5 
>>shadow nis>>
>>
>>My testing has shown that all this does is tell the client machine to 
>>use the nis files on the nis server for authentication.
> 
> 
> Nope. I wrote this code, and all it does is change password via NIS.
> Authentication token retrieval and all that is done with nss_nis from glibc :)
> 
> 
>>When the user 
>>on the client machine runs yppasswd to change their password, pam never 
>>even gets involved.
> 
> 
> Don't use yppasswd, use normal passwd program. It will use YP calls
> (via PAM) to change the password if 'nis' option is present.
> 
> Jan
Sorry it took so long to get back to this.  I was pulled off on another 
project.  You were right though, not that that was any surprise to you 
;-).  I went back and did it again with a sniffer on it and it made the 
yp call.  I'm not sure why that was failing before.  I was also fooling 
around with pam_cracklib and password change requirements and maybe I 
was failing for other reasons. One thing I noted though was that nis 
only reads the first 8 characters of the password when authenticating. 
Is that something that can be set?  The only other issue left from above 
is the password aging.  Can that be done through pam?  Thanks for 
setting me straight.

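An added example, not part of the thread and not Linux-PAM code: a small Python check of a client's PAM password stack for the setup discussed above, where pam_cracklib vets the new password and pam_unix with the `nis` option sends the change via NIS when the user runs passwd. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed samples, modelled on the pam_unix line quoted in the thread.
SAMPLE_GOOD = """\
#%PAM-1.0
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow nis
password    required      /lib/security/$ISA/pam_deny.so
"""
SAMPLE_BAD = """\
password    sufficient    /lib/security/$ISA/pam_unix.so md5 shadow
"""

# type, control (plain word or [bracketed list]), module path, options
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def password_stack(text):
    """Return [(module_file, [options])] for 'password' entries, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = LINE.match(line) if line else None
        if m and m.group(1).lstrip("-") == "password":
            module = m.group(3).rsplit("/", 1)[-1]   # ignore the directory part
            stack.append((module, m.group(4).split()))
    return stack

def audit(text):
    """Return a list of findings; an empty list means the stack matches the setup."""
    stack = password_stack(text)
    names = [name for name, _ in stack]
    if "pam_unix.so" not in names:
        return ["no pam_unix.so in the password stack"]
    unix_i = names.index("pam_unix.so")
    opts = stack[unix_i][1]
    findings = []
    if "nis" not in opts:
        findings.append("pam_unix.so lacks 'nis': passwd will not change the password via NIS")
    if "pam_cracklib.so" not in names[:unix_i]:
        findings.append("no pam_cracklib.so before pam_unix.so: no strength check")
    elif "use_authtok" not in opts:
        findings.append("pam_unix.so lacks 'use_authtok': it may not use the vetted password")
    return findings

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit(text) or "OK")
```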


More information about the Pam-list mailing list