SUMMARY: creating credentials (nis+) using encrypted passwords

From: Vasantha Narayanan (vnarayan@haverford.edu)
Date: Mon Nov 18 1996 - 16:27:25 CST


My original posting:

Hi,

I've set up nis+ root master and root replica at security level 2.

I've to now transfer about 2000 users from nis to nis+ many of whom never
log into a unix machine. They only use eudora and such to connect to the
popper on the unix server. I would like to make this transition as
transparent as possible to the users, i.e., move the same passwords over to
nis+ so that we do not have to distribute new passwords to 2000 users.

I copied the passwd entries from nis into a file named passwd on the nis+
master and the encrypted password to a file named shadow. I did the
following to populate the tables.

nisaddent -m -f /files/passwd passwd domainname.
nisaddent -m -f /files/shadow shadow domainname.

Doing the above, I'm able to create the accounts with the same username and
password as on nis. But when they login they belong to the nobody class
because their credentials are not set. And, to set their credentials, I
need to run
nisclient -co username (or keylogin & chkey). This asks for their network
password. HERE is where I'm running into a problem. I do not know what
our users' actual/clear passwords are. I only have access to their
encrypted passwords. Is there an option for nisclient or chkey that will
accept encrypted passwords or automatically pick up this password from the
shadow file? Also is there a way to decrypt an encrypted password? That
would solve my problem too.

SUMMARY:

There is no way to use the already encrypted passwords (from login
passwords) to create a matching network password so that the users can be
authenticated. I'm currently working on two solutions for the two kinds of
users that we have:

1) Some of our users use our unix server only for email using eudora. For
such users it will be a major task for us to get them to log on to unix and
make them run nisclient -c or keylogin and chkey -p. I installed popper
and it seems to work whether a user is authenticated or not. So popper
works without making their network and login password to be the same. In
our old nis setup, we have a password changing program (works via inetd)
that allows users to change passwords from eudora. I'm investigating to
see if changes can be made to this server to not only allow password
changing via eudora, but also to match their network and login passwords.

However, this has not been easy. If anyone out there knows what nis+
library function calls should be used to modify a nis+ user's password from
a C program, please email me.

2) For those users who log on to unix, we can set up something in their
.cshrc that will force them to run keylogin and chkey.

Sorry, it took a while to summarize. I waited in the hope of having a
working solution before posting the summary. Thanks to all those who
responded to my original posting -

jasonn@nabaus.com.au (Jason Noorman)
Douglas Vanderlip <dvande01@pdc.trsv.eds.com>
Anders Hammarquist <iko@dd.chalmers.se>
"Tseng, Robert" <rtseng@orbit.hr.att.com>
Richard Aures <richard.aures@erlangen.netsurf.de>
mrs@cadem.mc.xerox.com ("Michael Salehi x22725")
twhite@bear.com (Thomas White)
charest@chou.CANR.Hydro.Qc.Ca (Claude Charest)
Kevin Davidson <tkld@cogsci.ed.ac.uk>

For Rasana Atreya <Rasana.Atreya@library.ucsf.edu> and others who wanted
the summary, be in touch and I'll share any solution we come up with.

Thanks.

Vasantha
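
Added example, not part of the original post: one way to do the passwd/shadow split described in the original posting before running the two nisaddent commands. It assumes the NIS passwd map was dumped to a file with the hash in field 2 (for instance with ypcat passwd); the function names and sample lines are constructed for illustration, and locking empty-hash accounts with *LK* is this example's own choice.

```shell
#!/bin/sh
# Split NIS-style passwd lines (name:hash:uid:gid:gecos:home:shell) into
# passwd-format and shadow-format files. Only the hash is carried over; the
# NIS+ credential still has to be created later with the clear password.

# Constructed sample input (not real accounts or real hashes).
sample_nis_dump() {
    printf '%s\n' \
        '# constructed sample' \
        'alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/csh' \
        'bob::1002:100:Bob:/home/bob:/bin/csh' \
        '+::0:0:::' \
        'broken:line'
}

# passwd format: hash replaced by "x". Comments, blank lines, NIS compat
# (+/-) entries and lines without exactly 7 fields are skipped.
nis_to_passwd() {
    awk -F: -v OFS=: '
        /^[+-]/ || /^#/ || NF != 7 || $1 == "" { next }
        { $2 = "x"; print }'
}

# shadow format: name:hash plus seven empty aging fields (9 fields total).
# An empty hash becomes "*LK*" so no account is loaded without a password.
nis_to_shadow() {
    awk -F: '
        /^[+-]/ || /^#/ || NF != 7 || $1 == "" { next }
        { h = ($2 == "") ? "*LK*" : $2; print $1 ":" h ":::::::" }'
}

# usage: split_nis_passwd <nis_dump_file> <output_dir>
# umask 077 keeps the hash-bearing shadow file unreadable by other users.
split_nis_passwd() {
    ( umask 077
      nis_to_passwd < "$1" > "$2/passwd" &&
      nis_to_shadow < "$1" > "$2/shadow" )
}
```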


