NIS Password format

Posted: Wed Sep 20, 2017 7:54 am
by praetor242
I have an NIS server running on FreeBSD, and my IRIX machines bind to it just fine. I can ypcat and see my password map, but when I try to log in, it doesn't work. I can successfully log in to any of my other FreeBSD machines, just not my IRIX ones.

I also checked the order of the nsswitch.conf file, and that's fine. Which leads me to believe it's a password format issue on IRIX. FreeBSD stores its passwords using SHA512. How can I change IRIX to use this format, or do I need to change it on my NIS server?

HALP!

Re: NIS Password format

Posted: Wed Sep 20, 2017 9:58 am
by praetor242
I just decided to change the password format to DES on the FreeBSD boxes. Easier, but still a pain in the ass.

Re: NIS Password format

Posted: Wed Sep 20, 2017 10:50 am
by Raion-Fox
DES is very insecure. Make sure you've a good firewall.

EDIT: You could replace NIS with OpenLDAP

Re: NIS Password format

Posted: Wed Sep 20, 2017 10:54 am
by praetor242
Yeah. I'm not totally thrilled with having DES hashes, but it's just in the inside of the network. Does IRIX support LDAP authentication?

Re: NIS Password format

Posted: Wed Sep 20, 2017 11:30 am
by Raion-Fox
You can have IRIX boxes run as LDAP clients yes.

Re: NIS Password format

Posted: Wed Sep 20, 2017 12:46 pm
by duck
My Octane authenticates using LDAP. It's a bit quirky since I needed to run a local openldap server and use good ole' xdm login (clogin doesn't interface with PAM AFAIR) to get it to work.

I don't remember why I had to set up the replication, but now that I look at the config file again it might have been SSL related. (i.e. nss/pam-ldap on IRIX couldn't use SSL?)

Code:

URI             ldap://localhost/
#URI            ldaps://pond.shangtai.net/


It's working great though.

Re: NIS Password format

Posted: Wed Sep 20, 2017 11:13 pm
by miod
praetor242 wrote: I just decided to change the password format to DES on the FreeBSD boxes. Easier, but still a pain in the ass.

That's the only way to get IRIX to grok your passwords anyway. And you need to set UNSECURE in /var/yp/`domainname`Makefile as well.

Now I'd suggest defining a specific login class for the FreeBSD users whose accounts will be available in the NIS databases, so that other FreeBSD accounts (*cough* root) still are created with strong password hashes. See the documentation for login.conf.
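
Added example, not part of miod's post or of the thread: a Python audit of a password map (the output of `ypcat passwd`, or a master.passwd file) that reports which entries carry DES hashes, whether any uid 0 account does, and which entries use a format that, per the thread, IRIX clients cannot verify. The sample entries and hash strings are constructed, and the function names are this example's own.

```python
import re

# Traditional DES crypt(3) output: 2 salt + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes ($id$...) and the scheme each one names.
MODULAR = {"1": "md5", "2a": "blowfish", "2b": "blowfish",
           "2y": "blowfish", "5": "sha256", "6": "sha512"}

def hash_format(field):
    """Classify the password field of one passwd or master.passwd entry."""
    if DES_RE.match(field):
        return "des"
    parts = field.split("$")
    if field.startswith("$") and len(parts) >= 3 and parts[1] in MODULAR:
        return MODULAR[parts[1]]
    return "locked-or-unknown"   # "*", "x", "*LOCKED*...", empty, etc.

def audit(lines):
    """Return (user, format, finding) for every entry that needs attention."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue   # comments and NIS compat entries
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        fmt = hash_format(pw)
        if fmt == "des" and uid == "0":
            findings.append((user, fmt, "uid 0 account carries a DES hash"))
        elif fmt == "des":
            findings.append((user, fmt, "only the first 8 password characters count"))
        elif fmt != "locked-or-unknown":
            findings.append((user, fmt, "not DES: IRIX clients cannot verify it"))
    return findings

# Constructed sample map; the hash strings only have the right shape.
SAMPLE = [
    "root:abCdEfGhIjKlM:0:0:Charlie &:/root:/bin/csh",
    "alice:abCdEfGhIjKlM:1001:1001:Alice:/home/alice:/bin/sh",
    "bob:$6$constructed$" + "A" * 86 + ":1002:1002:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for user, fmt, finding in audit(SAMPLE):
        print(f"{user:8} {fmt:8} {finding}")
```

Only the name, password and uid fields are read, and they sit in the same positions in both the 7-field passwd and the 10-field master.passwd layout.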

Re: NIS Password format

Posted: Thu Sep 21, 2017 6:11 am
by praetor242
That is actually a fantastic idea!

Re: NIS Password format

Posted: Thu Sep 21, 2017 6:25 am
by jan-jaap

Re: NIS Password format

Posted: Thu Sep 21, 2017 6:38 am
by praetor242
Hmm....I've already engineered NIS infrastructure, and I plan on adding older IRIX machines and maybe some Sparcstations later on. So I think how I have it is future proof (for retro machines, how ironic) and still plays with my modern FreeBSD/Linux/MacOS stuff.

Right now I'm trying to figure out what to do about passwords. DES is insecure, but so are short ass passwords that IRIX requires.

Re: NIS Password format

Posted: Thu Sep 21, 2017 10:41 am
by Raion-Fox
praetor242 wrote: Right now I'm trying to figure out what to do about passwords. DES is insecure, but so are short ass passwords that IRIX requires.

You can change passwords from the shell just fine.

Re: NIS Password format

Posted: Thu Sep 21, 2017 11:01 am
by praetor242
I meant the 8 character limitation IRIX has.