Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!rice!sun-spots-request
From: jdh@bu-pub.bu.edu
Newsgroups: comp.sys.sun
Subject: Re: Using the SunOS 4.0 shadow password file
Keywords: SunOS
Message-ID: <7460@brazos.Rice.edu>
Date: 7 May 90 14:01:13 GMT
Sender: root@rice.edu
Organization: Sun-Spots
Lines: 115
Approved: Sun-Spots@rice.edu
X-Sun-Spots-Digest: Volume 9, Issue 154, message 1

Here's an update on what I've written on installing Sun's C2 security shadow password file. Thanks to William LeFebvre and Ole Holm Nielsen for their comments. Could this be placed in the archives?

[[Ed's Note: Placed in archives as requested. -bdg]]

FTP:    Hostname : titan.rice.edu (128.42.1.30)
        Directory: sun-spots
        Filename : shadow.howto

Archive Server Address: archive-server@rice.edu
Archive Server Command: send sun-spots shadow.howto

Jason Heirtzler (617) 353-2780        jdh@bu-pub.bu.edu
Information Technology                ..!bu.edu!bu-pub!jdh
Boston University

---- 8< Cut Here >8 ------

HOW TO SET UP A "LOOK ASIDE" PASSWORD FILE UNDER SUNOS 4.0

Make a backup copy of /etc/{passwd,group}.

If you haven't already selected the "C2 security software" option from suninstall when you installed your machine, you will need to do so. This I haven't verified myself, but people who didn't select it said they were missing some files.

If you have Sun source, create the directory /etc/security and protect it mode 711. You should modify rpc.yppasswdd and change it to force the passwd.adjunct file to be created mode 600; the way it comes from Sun it will create the file 644 (obviously a bad thing).

If you don't have Sun source, and you don't mind installing binaries that have been built by someone else, anon FTP to bu.edu (128.197.2.6) and pick up the file binary/security/rpc.yppasswdd.

Otherwise, create the directory /etc/security mode 700. This will cause the function issecure(3) to always return false for users other than root, but I haven't seen any adverse effects (yet).
Neither have I tested it much, though.

The reason that all of this is needed is that issecure looks like

    #include <unistd.h>          /* access(2), F_OK */

    #define PASSWD_ADJ "/etc/security/passwd.adjunct"

    /* "secure" simply means this process can find the adjunct file */
    int
    issecure(void)
    {
        return (access(PASSWD_ADJ, F_OK) == 0);
    }

i.e. if /etc/security isn't readable, then return "secure"!

    bu-foo# ls -lga /etc/security
    total 24
    drwx--s--x  2 root     wheel         512 Mar 27 15:29 ./
    drwxr-sr-x  6 root     wheel        3584 Mar 27 04:46 ../
    -rw-------  1 root     wheel          62 Feb 27 13:00 group.adjunct
    -rw-------  1 root     wheel       10193 Mar 27 15:28 passwd.adjunct

Each entry from /etc/passwd has the encrypted password text commented out and replaced with the magic token "##user" (the passwd routines now know how to handle this new format):

    jdh:##jdh:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh

There is an entry in /etc/security/passwd.adjunct that contains the actual encrypted text:

    jdh:aZw5eQq5n0o3k:::::

Make sure "rpc.pwdauthd" starts from rc.local on both the YP master AND the YP clients (it starts right after rpc.lockd on our machine).

On the YP client, the passwd file ends as it usually does -- with the string "+::0:0:::". The client also has its own passwd.adjunct file (in its own /etc/security dir, mode 711). Ours looks like this:

    root:GmXib0plXHJiY:::::
    nobody:*:::::
    daemon:*:::::
    sys:*:::::
    bin:*:::::
    uucp:*:::::
    news:*:::::
    ingres:*:::::
    sync::::::
    sysdiag:*:::::
    +::0:0:::

The group file mirrors the way the passwd file is set up (here the magic token is different: "#$user").

    seven:#$seven:7:jdh,budd

and each entry in group.adjunct looks like this (there is only one colon per line):

    seven:*

Some SunOS 3 programs had to be recompiled to work correctly (anything that uses the getpw???() stuff?), although nothing we built under 4.0 had problems after we made the switch.

passwd.adjunct & group.adjunct are YP maps. There is one minor syntax error in /var/yp/Makefile -- a missing single quote in the c2secure rule. It should be changed to read

    make 'NOPUSH=$(NOPUSH)' passwd.adjunct.time group.adjunct.time;\

Good luck!

Jason Heirtzler
Information Technology
Boston University
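An added example, not part of the original post or of Sun's software: a small audit that checks a passwd/passwd.adjunct (or group/group.adjunct) pair for the look-aside format described above, flagging entries whose encrypted text was never moved out of the world-readable file, tokens that name the wrong user, tokens with no adjunct entry, and file modes that differ from the 711/600 the post calls for. The sample entries are constructed to resemble the post's examples; the user names and hashes are invented.

```python
import stat

# Constructed sample data modelled on the formats shown in the post.
PASSWD = """\
jdh:##jdh:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh
budd:##jdh:3001:4940:Token copied from another entry:/usr1/it/budd:/bin/csh
old:aZw5eQq5n0o3k:3002:4940:Never converted:/usr1/it/old:/bin/sh
ghost:##ghost:3003:4940:No adjunct entry:/usr1/it/ghost:/bin/sh
+::0:0:::
"""
PASSWD_ADJUNCT = """\
jdh:aZw5eQq5n0o3k:::::
budd:Hq8s1xP2rL9tE:::::
+::0:0:::
"""

def load_adjunct(text):
    """Map name -> encrypted text from a passwd.adjunct or group.adjunct file."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("+"):      # skip the YP "+" marker line
            name, secret = line.split(":")[:2]
            entries[name] = secret
    return entries

def audit_lookaside(main_text, adjunct_text, token="##"):
    """Return [(name, problem)] for passwd/passwd.adjunct (token "##")
    or group/group.adjunct (token "#$")."""
    adjunct = load_adjunct(adjunct_text)
    problems = []
    for line in main_text.splitlines():
        if not line or line.startswith("+"):
            continue
        name, pw = line.split(":")[:2]
        if not pw.startswith(token):
            problems.append((name, "password field is not a look-aside token"))
        elif pw != token + name:
            problems.append((name, "token names a different user: " + pw))
        elif name not in adjunct:
            problems.append((name, "no entry in the adjunct file"))
    return problems

def mode_problems(dir_mode, adjunct_mode):
    """Check st_mode values against the post: /etc/security 711 (or 700
    without source), *.adjunct 600 rather than the 644 rpc.yppasswdd creates."""
    out = []
    if stat.S_IMODE(dir_mode) not in (0o711, 0o700):
        out.append("/etc/security should be mode 711 (or 700)")
    if stat.S_IMODE(adjunct_mode) & 0o077:
        out.append("adjunct file readable by group/other; should be 600")
    return out
```

Run it against real files with `os.stat("/etc/security").st_mode` and the file contents read as root; a clean system returns empty lists from both functions.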