Hello everyone,

I want to make this e-mail a bit different from the usual I-need-help-to-solve-a-problem message; first I'll describe a general problem and how to solve it with pam, and then I'll move on to explain why this doesn't work with the current pam modules.

Description of the problem

I have a system made of a LAN of debian linux boxes, one of them is a NIS server and the rest are of course NIS clients. Most of the users are managed by NIS but some are not, like root and the system users (mail, bin, man, etc.). The NIS server uses the stable potato release and the clients the testing woody.

I want to use the password aging ability of shadow and force a good password selection by the users, and I don't want to teach the users about a new command to change their passwords (yppasswd). The first requisite is easy since NIS supports shadow passwords; for the second and third I have to use pam and passwd.

Theoretical solution, real difficulties

To configure passwd to change NIS and local passwords, and make sure that the new passwords are "good ones", the file to edit is /etc/pam.d/passwd and within this the module-type password; the pam module to check the quality of the new passwords is pam_cracklib, and the pam modules to make the actual change of the passwords are pam_unix (the one included in the pam distribution) and pam_unix2 from Thorsten Kukuk; there is a third option, pam_pwdb, but this one has been dropped in debian woody and I can't find the source code anywhere, so I couldn't try this one.

Let's see how to do it with each of these modules:

Pam_unix

This module includes support to change NIS passwords; for this I have to use the option nis in the module-type password, like in the following entry:

    password required pam_unix.so obscure min=4 max=8 md5 nis

If this is the only line in the /etc/pam.d/passwd file, every time a user issues a passwd command to change her password the pam_unix module will try to change it in the NIS server; if the user is not managed by NIS the module will return an error (or something worse, see below) and finish execution. I want to manage local accounts too, so I stack another entry of the pam_unix module:

    password sufficient pam_unix.so obscure min=4 max=8 md5 nis
    password required pam_unix.so obscure min=4 max=8 md5 use_first_pass

In this case the first entry tries to change the password in the NIS server; if it succeeds everything is all right and the second entry is not reached. If the first entry returns with error, hopefully because the user is not a "NIS user", then the second entry takes control, and this one tries to change the password in the local /etc/passwd and /etc/shadow files; the use_first_pass option is there so that the user is not prompted again for her old and new passwords.

Finally, to check the strength of the new passwords chosen by the users the pam_cracklib module can be stacked too:

    password required pam_cracklib.so retry=3 retry=3 minlen=9 difok=3
    password sufficient pam_unix.so obscure min=4 max=8 md5 nis use_authtok
    password required pam_unix.so obscure min=4 max=8 md5 use_first_pass

PROBLEMS WITH THE PAM_UNIX MODULE

Unfortunately pam_unix has some serious problems changing nis passwords that render it useless for this task:

- When root wants to change the password of a "NIS user" from a NIS client, he is asked for the root password in the NIS server, and then for the new password for the user. The problem is that the root password just asked for is sent in clear text over the network and anyone can sniff it; the yppasswd command has this same problem but not the module pam_unix2 (see below). In my opinion it is not the root password but the old user password that should be asked for.

- When root wants to change her or any other user's password, pam_unix doesn't check whether this user is managed by NIS or is a local user; it simply tries to change the password in the NIS server. With this behaviour we can end up with the following situation: if we have a user that is local but exists in both the NIS server and NIS client, and we try to change the password of that user in the NIS client, we will find out later to our surprise that we changed the password of the local user in the NIS server and not in the client. This may sound like a riddle so I will give an example: let's suppose that the root account is local in every system and I try to change the root password in one of the NIS clients; this account exists in the NIS server too, so because pam_unix doesn't check whether root is a local or NIS account but tries to change the password in the NIS server, we end up with a new password for the root account in the NIS server and not in the client as was intended. The command yppasswd doesn't have this problem and checks with the NIS server to make sure that the password that it's about to change belongs to a NIS managed account.

Pam_unix2

This module from Thorsten Kukuk improves the NIS support for changing passwords compared to the standard pam_unix module, although it has a smaller number of options than the former. Pam_unix2 doesn't need a specific option to change the nis passwords; it's "clever" enough to find out whether the account it's dealing with is local or NIS. In this case the configuration of the file /etc/pam.d/passwd is simpler:

    password required pam_cracklib.so retry=3 retry=3 minlen=9 difok=3
    password required pam_unix2 md5 use_authok

In the first entry pam_cracklib checks the quality of the new password and in the second the correct password is changed, be it local or NIS. With pam_unix2, when the root user in a NIS client wants to change the NIS password of a normal user, he is not asked for the root password of the NIS server but for the old password of the user; the philosophy here is that it's enough to know the user password to be able to change it.

PROBLEMS WITH PAM_UNIX2

This module is promising but unfortunately is not ready enough for general use in the situation shown here; the problems found were:

- The debug option described in the documentation doesn't work and causes an error through syslog:

    petrel PAM-unix2[2880]: password: Unknown option: debug

- When a password is changed successfully there is no record through syslog.

- The option use_authok described in the documentation and essential for this situation is not supported, giving the following error through syslog:

    petrel PAM-unix2[3501]: password: Unknown option: use_authok

- The module doesn't work at all when it is stacked with pam_cracklib, and again this is essential for the described situation.

Conclusion

At this stage of development the two modules shown here are not useful to solve the situation described initially; I hope they will evolve and the problems described will be solved soon, so I and many others can have a better integrated NIS, PAM and passwd system. As I said before I couldn't try pam_pwdb; maybe everything works better with this one.

Comments, suggestions and ideas welcome.

References

http://www.kernel.org/pub/linux/libs/pam/
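The stacking rules the Pam_unix section relies on (a failing "sufficient" entry falls through to the next line, a successful one ends the stack early, a "required" failure is remembered until the end) are modelled below for the three-line /etc/pam.d/passwd configuration quoted in the e-mail. This is an added Python example, not code from the original message or from Linux-PAM; the parser, the outcome model and the assumption that the "nis" entry only succeeds for NIS-managed accounts are constructed.

```python
# Constructed model of the Linux-PAM 'password' stack control flags
# (required / requisite / sufficient) applied to the stack from the e-mail.
# Added example: the parser and the per-module outcome model are assumptions.
from dataclasses import dataclass

PASSWD_STACK = """\
password required   pam_cracklib.so retry=3 minlen=9 difok=3
password sufficient pam_unix.so obscure min=4 max=8 md5 nis use_authtok
password required   pam_unix.so obscure min=4 max=8 md5 use_first_pass
"""

@dataclass
class Entry:
    control: str      # required / requisite / sufficient / optional
    module: str       # e.g. pam_unix.so
    options: tuple    # module arguments, e.g. ('md5', 'nis')

def parse_stack(text, module_type="password"):
    """Parse /etc/pam.d-style lines and keep only one module type."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == module_type:
            entries.append(Entry(fields[1], fields[2], tuple(fields[3:])))
    return entries

def run_stack(entries, outcome):
    """Walk the stack; outcome(entry) -> True for PAM_SUCCESS, else False.
    Returns (overall_success, [(module, result), ...] actually executed)."""
    failed = False
    executed = []
    for e in entries:
        ok = outcome(e)
        executed.append((e.module, ok))
        if e.control == "requisite" and not ok:
            return False, executed        # abort the stack immediately
        if e.control == "required" and not ok:
            failed = True                 # remember, but keep walking
        elif e.control == "sufficient" and ok and not failed:
            return True, executed         # short-circuit with success
    return not failed, executed

def change_password(is_nis_user, strong_password):
    """Model one passwd run: cracklib judges the new password, the 'nis'
    entry succeeds only for NIS accounts, the plain entry only for local ones."""
    def outcome(e):
        if e.module == "pam_cracklib.so":
            return strong_password
        if "nis" in e.options:
            return is_nis_user
        return not is_nis_user
    return run_stack(parse_stack(PASSWD_STACK), outcome)
```

The model shows why pam_cracklib must sit first as "required" and why the NIS line is "sufficient": a local user falls through the failing NIS entry to the local one, while a weak password makes the whole stack fail even though a later entry reports success.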