
Re: NIS password hashes fails from Redhat/Mandriva Linux



On 01/12/12 17:32, Bichoy Waguih wrote:
> Hello Debian World,
>
> I have a small problem with Debian NIS authentication. Mainly, I have an NIS
> server running on a Mandriva Linux machine and I want to configure a Debian
> machine to be a client for this NIS server.
>
> The Debian client receives the 'passwd' table correctly and I am able to check
> it with the 'ypcat' command. However, users cannot log in with their passwords
> at all (I made sure that I have the correct +:::: records added to the end of
> /etc/passwd, /etc/shadow and /etc/group).
>
> Tracking down the problem, I tried to create a user on the Debian machine and
> its /etc/shadow record to the NIS server. The user was able to log in correctly.
>
> I believe there are two problems with this mixing:
> 1 - Debian password hashing/shadowing algorithm is different from the one used
>     by the NIS server on the old Mandriva server.
The hashing is well defined for most systems, take a look at the
hashes.  You can tell a lot about a hash by its size; if it's less than
10 bytes you should have everyone change their password!  After that
the first few bytes should identify what type of hash it is; knowing
that, you can check compatibility.  You should consider forcing Mandriva
to make use of new hashing technologies, as this could be a security threat.

man crypt; # This should explain what the different options are.

Taken from Debian.
Format:
$id$salt$encrypted
              ID  | Method
              ---------------------------------------------------------
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                   | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

Let us know more about your hashes for further help!  5 (IMHO) is
becoming less and less secure as processor technologies increase.

> 2 - The normal user UID range for Debian is >= 1000, where the old Mandriva
>     server uses >= 500.
>
One GOOD idea when using NIS/LDAP/etc. is to NOT make use of default UID
GID ranges for your NIS.

65000-65533: is marked as Reserved.
I'm not sure if that means these are here for you to use or if that
means that these are here for Debian to make use of later.

In any case map your NIS/LDAP accounts such that they don't interfere
with any locally created accounts, i.e. 500++ and 1000++.  Instead start
your allocation at 21000 or 31000 as the 1000-59999 is allocated in
Debian to adduser...  You can tell adduser not to use anything above
20000.  To make things simpler on yourself you can just add 20k to your
existing NIS accounts.

This will make sure adduser still functions as it should everywhere.

> Unfortunately, I need to find a work around to adjust Debian password coding
> and acceptable normal user UID range so that it can work with the old Mandriva
> Server as I am not allowed to proceed with server OS replacement at the
> current time.
>
> I highly appreciate your support and suggestions.
>
> -Bichoy
>
>
>
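
Added example, not part of the original message: a small audit of `ypcat passwd`-style lines that names each password field's method from the `$id$` prefix in the table quoted above and flags UIDs falling inside the local adduser range. The function names, the 13-character DES check and the sample lines are assumptions of this example.

```python
import re

# $id$ -> method, from the crypt(3) table quoted in the message above.
METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
# Assumption of this example: traditional DES crypt is 13 chars of [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Name the hashing method of one passwd/shadow password field."""
    if field in ("", "x") or field[0] in "*!":
        return "locked-or-shadowed"      # no usable hash in this map
    if field.startswith("$"):
        parts = field.split("$")         # ['', id, (rounds=N,) salt, encrypted]
        if len(parts) < 4 or not parts[-1]:
            return "malformed"
        return METHODS.get(parts[1], "unknown-id-" + parts[1])
    return "DES" if DES_RE.match(field) else "malformed"

def audit(passwd_text, local_first=1000, local_last=59999):
    """Return (user, uid, method, uid_in_local_range) per passwd-format line."""
    rows = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and NIS compat entries such as +::::
        if len(fields) < 7 or fields[0][:1] in ("", "#", "+", "-"):
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit():
            collides = local_first <= int(uid) <= local_last
            rows.append((user, int(uid), classify_hash(pw), collides))
    return rows

# Constructed sample in `ypcat passwd` layout; hashes are fake placeholders.
SAMPLE = """\
alice:$1$saltsalt$CONSTRUCTEDmd5value:501:501:Alice:/home/alice:/bin/bash
bob:ab0123456789A:1002:1002:Bob:/home/bob:/bin/bash
carol:$6$rounds=5000$saltsalt$CONSTRUCTEDsha512:21003:21003:Carol:/home/carol:/bin/sh
dave:x:504:504:Dave:/home/dave:/bin/bash
+::::::
"""

if __name__ == "__main__":
    # local_last=20000 models capping adduser at 20000, as the reply suggests.
    for row in audit(SAMPLE, local_last=20000):
        print(row)
```

Run against the real map with `ypcat passwd` output as the input text; entries reported as `DES` or `malformed` are the ones to compare against what the client's crypt(3) supports.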

