Imagine a NIS user database /var/yp/input-files/passwd
consisting of old crypt DES开发者_如何学运维 hashes. The aim is to migrate this database to md5 or sha hashes. When changing a password using yppasswd
, it is generated using the same algorithm as for the existing entry (probably for legacy reasons), i.e. crypt stays crypt, md5 stays md5.
Our current plan is to write a special password change script wrapping yppasswd. Is there a more elegant way to tell yppasswd to generate changed passwords in md5 format by default?
I figured it out by now:
- Download the nis-package of your distribution e.g.
apt-get source nis
under Debian. - Edit corresponding yp-tools-2.9/src/yppasswd.c
- Replace
int has_md5_passwd = 0;
byint has_md5_passwd = 1;
in the beginning ofint main (int argc, char **argv)
yppasswd then always creates md5 hashes.
Recent Linux distributions support NIS password updates through PAM, which means you can use the local passwd
program instead of yppasswd
. This also means that you can configure the hash algorithm, which is still (as of yp-tools 2.12) not possible with yppasswd
.
Your system should have an /etc/pam.d/passwd
file, which will either contain or, more likely, refer to another file that contains a line of the form:
password sufficient pam_unix.so md5 nis
The second field might differ, and there might be other parameters at the end, but you want the password
line that loads pam_unix.so
and it should have at least the nis
parameter as well as a hash function appropriate to your NIS server (md5
, sha256
, etc.)
Your distribution might have a better way of configuring this, though, so make sure your changes aren't going to be overwritten by an automated process later.
On RedHat-derived systems (including at least RHEL, CentOS, Scientific Linux, and Fedora), you need to use the authconfig
program with at least the --enablenis
parameter. For the above scenario with MD5 hashes, the following command line would be sufficient:
authconfig --enablenis --usemd5 --update
On Debian systems (and possibly Debian derivatives, but I can't check at the moment), the proper way to do this appears to be to copy /usr/share/pam-configs/unix
to something else (say, /usr/share/pam-configs/nis
), edit the new file to give it appropriate settings and a new profile name, then run pam-auth-update
, disable the "Unix authentication" profile and enable your new profile.
精彩评论