On Sun, Aug 13, Michael Ju. Tokarev wrote:

> In current pam_unix code, it is done by comparing pw_passwd field with
> "x" (to mean "plain shadow file") and with "*NP*" (to mean "Nis
> Password"),

Wrong. *NP* means you are not allowed to see the encrypted password.
You will get this, if you are not allowed to see the password on a
NIS+ server.

> all other values here mean "take this value as a password".
> With the second case, [e]uid reset to those of the user before
> attempting to get shadow entry (this is a "special" privileges about
> I wrote above).

No, this is not to get the shadow entry. That's wrong. Only the user is
allowed to see his password in the NIS+ database. Even root of a client
is not allowed to see it. So this is the reason for this hack, because
we need the encrypted password to compare it.

> 1.a. Iff we have another auth methods (LDAP, NIS+ etc), is this set of
> "magic" passwd values ("x", "*NP*") sufficient? Maybe this set should be
> extended (e.g. "*LP*" as LDAP passwd, "*NPP*" as nis+ passwd etc), or,
> maybe just some magic character (like *) or "strange" password length
> should indicate that condition? (Condition here: a: password stored
> elsewhere and b: to get it, we need to reset [e]uid).

This "x" and "*NP*" have nothing to do with PAM, they are implemented in
the database. So you need to change NIS+ and LDAP, but not pam_unix.

> So, the enforcement from nis client library (to get shadow entry of some
> person you should have uid equal to uid of that person) is not
> practically useful, since it is just easy to modify nis client code
> (compile it by itself, implement it in perl etc) to avoid such
> enforcement.

Recompiling does not help you, because then secureRPC will no longer
work and you cannot authenticate yourself against the NIS+ server. This
means you will never get the password.

  Thorsten

--
Thorsten Kukuk       http://www.suse.de/~kukuk/       kukuk@suse.de
SuSE GmbH            Schanzaeckerstr. 10             90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.
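The password-source decision ("x" vs. "*NP*" vs. a literal hash) and the temporary euid switch discussed in the thread, as an added C illustration that is not pam_unix's own code; the `fetch_password_hash()` helper is hypothetical and assumes the caller holds root privileges when the NIS+ case is reached:

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <shadow.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum pw_source {           /* added illustration, not pam_unix code */
    PW_IN_PASSWD,          /* pw_passwd holds the hash (or a lock marker) */
    PW_IN_SHADOW,          /* "x": hash is in the local shadow file */
    PW_NISPLUS_HIDDEN      /* "*NP*": NIS+ shows it only to the user himself */
};

enum pw_source classify_pw_passwd(const char *pw_passwd)
{
    if (pw_passwd == NULL)
        return PW_IN_PASSWD;
    if (strcmp(pw_passwd, "x") == 0)
        return PW_IN_SHADOW;
    if (strcmp(pw_passwd, "*NP*") == 0)
        return PW_NISPLUS_HIDDEN;
    return PW_IN_PASSWD;
}

/* Hypothetical helper: returns a malloc'd copy of the encrypted
 * password, or NULL when it cannot be read. */
char *fetch_password_hash(const struct passwd *pw)
{
    struct spwd *sp; char *hash = NULL; uid_t saved_euid;

    switch (classify_pw_passwd(pw->pw_passwd)) {
    case PW_IN_SHADOW:
        sp = getspnam(pw->pw_name); /* needs privilege for /etc/shadow */
        return sp ? strdup(sp->sp_pwdp) : NULL;
    case PW_NISPLUS_HIDDEN:
        /* Only the user may read his own NIS+ password: take his euid
         * for the lookup, then switch back to the saved (root) euid. */
        saved_euid = geteuid();
        if (seteuid(pw->pw_uid) != 0)
            return NULL;
        sp = getspnam(pw->pw_name);
        if (sp)
            hash = strdup(sp->sp_pwdp); /* copy static buffer first */
        if (seteuid(saved_euid) != 0) {
            free(hash);                 /* could not regain privilege */
            return NULL;
        }
        return hash;
    default:
        return pw->pw_passwd ? strdup(pw->pw_passwd) : NULL;
    }
}
```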