
need we support unshadowed passwords from the installer



it's 2023 and imho time to stop supporting unshadowed passwords
from the installer.

 https://salsa.debian.org/installer-team/user-setup/-/merge_requests/5

1) nis (and possibly conserver?) seem the primary drivers of an
    unshadowed passwd.

let me freely admit that, despite the advanced age of forty-two
(seventy-eight in UNIX years), i know nothing about nis/yp
except that there was a big o'reilly book about it back when one
read the security book with the big safe on the front and the
scripting book with the big drill. i suspect it's basically a
halfway point between syncing /etc/passwd and /etc/hosts with
cron+rsh, and hiring someone on whom you can inflict ldap? so
please correct me wherever i'm woefully ignorant.

...but it appears that NIS can be made to work with shadowed
passwords (though without their benefits). this is from a
cursory reading of a FAQ last updated in 2003, so take it with a
grain of salt. the "linux network administrators [sic] guide"
seems to confirm this, and can also help you set up IPX or UUCP.

2) it seems that the unshadowing of passwords is only a
   "/sbin/shadowconfig off" away. somewhere down the long road, we
   appear to have lost shadowconfig.8, but this is what i gather
   from web searches.

   i'd almost suggest this might want to go into the "nis"
   package, avoiding "why do we even have that lever"
   situations, but i resolutely oppose feature creep for this MR.

3) if someone accidentally selects this during install, i can't
    think of any means by which they'd find out during the course of
    typical systems administration.

4) i don't have to answer this question in any other installer
    i've used in the past decade, i'm pretty certain.

5) arch appears to support NIS without any mention of shadowing?
    though admittedly that wiki page is "somewhat unfinished"[0]

6) fedora has recently discussed eliminating NIS support
    entirely. it's a done deal in RHEL.

i'm absolutely not suggesting we stop supporting NIS or other
programs which rely on unshadowed passwords. it's a big ol'
tent, and we have more than enough room for you to carry forth
the torch of Solaris 2. i just don't think this belongs in the
installer anymore.

--rigorously, nick

[0] https://wiki.archlinux.org/title/NIS

-- 
nick black -=- https://www.nick-black.com
to make an apple pie from scratch,
you need first invent a universe.
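
Point 3 above says an accidental selection would be hard to notice during routine administration. As an added example (not part of the original message or of user-setup), this shell script classifies the password field of each passwd(5) entry and lists accounts whose hash sits inline in the world-readable file; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect an unshadowed passwd file.
# With shadowing on, field 2 of every passwd(5) entry is "x" and the
# hash lives in /etc/shadow; with shadowing off, the hash is in field 2.

# classify_passwd [FILE]: print "name<TAB>state" per entry (stdin if no FILE).
classify_passwd() {
    awk -F: '
        /^[[:space:]]*$/ { next }                  # skip blank lines
        /^[+-]/          { next }                  # skip NIS compat +/- entries
        NF < 7           { print $1 "\tmalformed"; next }
        $2 == "x"        { print $1 "\tshadowed";  next }  # hash in /etc/shadow
        $2 == ""         { print $1 "\tempty";     next }  # no password required
        $2 ~ /^[*!]/     { print $1 "\tlocked";    next }  # no usable password
                         { print $1 "\tinline" }           # hash stored here
    ' "${1:--}"
}

# inline_accounts [FILE]: print only the names whose hash is stored inline.
inline_accounts() {
    classify_passwd "${1:--}" | awk -F'\t' '$2 == "inline" { print $1 }'
}

# Constructed sample entries (not real accounts or real hashes).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:$6$CONSTRUCTEDSALT$constructedhashvalue:1000:1000:Alice:/home/alice:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001::/home/guest:/bin/sh
+::::::
EOF
}

# Demo run over the constructed sample.
sample_passwd | inline_accounts
```

On an installed system, `inline_accounts /etc/passwd` printing nothing means no account hash is stored in the world-readable file.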
