Hello,

Following a lengthy, but productive conversation with Casper about enabling MD5 passwd/shadow files on Solaris 9, we have decided that it would be beneficial to the members of SunManagers if I summarised our entire conversation for those who are interested to keep for the future.

This conversation has also been summarised here:
http://unixforum.co.uk/index.php?act=ST&f=15&t=29

=======================================================================

Richard Hobbs:
--------------

Hello,

I have a NIS server set up and working perfectly on my network, but my Solaris machine is using old-style passwords (maximum 8 chars).

My NIS server (being debian linux) is using MD5 passwds (out of choice), so I'd like to enable this on Solaris 9, so it can successfully use NIS for authentication on my LAN.

I originally had Solaris 8 on this machine, and I was told that MD5 passwords didn't exist, so I put Solaris 9 on instead. I think Solaris 10 uses MD5 by default, but in Solaris 9 it needs enabling, whereas in Solaris 8 it wasn't even an option.

Does anyone know how I can enable it?

=======================================================================

Casper Dik:
-----------

required: Solaris 9 update 2 (or Solaris 9 + current patches).
use: automatic (Solaris 9u2 understands *BSD and Linux password hashes)
use as default: edit /etc/security/policy.conf

=======================================================================

Richard Hobbs:
--------------

Thanks for the info... but which patches specifically? I have Solaris 9 09/02 with no extra patches installed at the moment... but how do I find out which patches I need to install exactly??

Can I just download a "service pack" from somewhere?? (sorry to use Micro$not terminology).

=======================================================================

Casper Dik:
-----------

sunsolve.sun.com "Recommended & Security" patch bundle has everything,

NOTE 2: To get the complete Flexible Crypt feature, please install the
following patches:

    113475-01 (or newer) libsecurity crypt
    113476-01 (or newer) passwdutil.so.1
    113480-01 (or newer) pam_unix Patch
    113481-01 (or newer) nispasswdd
    113482-01 (or newer) rpc.ypasswd
    113483-01 (or newer) sbin/sulogin
    112874-06 (or newer) libc patch

You can also register and download the maintenance update patch bundle from access1.sun.com

=======================================================================

Richard Hobbs:
--------------

I have another small problem... not only am I unable to download the specific patches you mentioned previously, I'm unable to install the main Recommended & Security Patch Cluster.

For each and every package I receive:

    Patch 112834-02 failed to install due to a failure produced by pkgadd.

and when I check the logfile to see what failed exactly, I see this:

    This appears to be an attempt to install the same architecture and
    version of a package which is already installed. This installation
    will attempt to overwrite this package.

    /root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: /root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: cannot open
    pkgadd: ERROR: checkinstall script did not complete successfully

    Dryrun complete.
    No changes were made to the system.

so it seems that the entire contents of the update package are already installed... surely this can't be right... I think I'm doing something stupid, but I can't work out what! lol

=======================================================================

Casper Dik:
-----------

Might be the standard checkinstall problem:

The solaris FAQ says:

5.59) Patch installation often fails with "checkinstall" errors.

When installing a patch, the Solaris 2.5+ patch installation procedure will execute the script "checkinstall" with uid nobody. If any of the patch files or if any part of the path leading up to the patch directory cannot be read by nobody, an error similar to the following will appear:

    patchadd . # or ./installpatch .
    Generating list of files to be patched...
    Verifying sufficient filesystem capacity (exhaustive method) ...
    Installing patch packages...
    pkgadd: ERROR: checkinstall script did not complete successfully....

You can workaround this in two ways, one is to make sure that the user "nobody" can read all patch files and execute a "pwd" in the patch directory or add an account "install" to /etc/passwd:

    install:x:0:1:installpatch braindamage:/:/bin/true

Installpatch and patchadd use "nobody" as a fallback if it cannot find the "install" user.

--- end of excerpt from the FAQ

The most recently posted version of the FAQ is available from:
http://www.science.uva.nl/pub/solaris/solaris2/

=======================================================================

Casper Dik:
-----------

>> You can also register and download the maintenance update patch
>> bundle from access1.sun.com
>
>Do I need this to enable MD5, or is it merely recommended?

It includes the above patches for those w/o support contract. (So you can download the maintenance update and just install the necessary patches from it)

(the solregis command should take care of registering)

=======================================================================

Richard Hobbs:
--------------

> NOTE 2: To get the complete Flexible Crypt feature, please install the
> following patches:

Does this mean flexible in the way that I can choose whether I want to use MD5 or not?

> (the solregis command should take care of registering)

Why do I need to do this though?

=======================================================================

Casper Dik:
-----------

>> NOTE 2: To get the complete Flexible Crypt feature, please install the
>> following patches:
>
>Does this mean flexible in the way that I can choose whether I want to
>use MD5 or not?

The implementation allows you to select a default hash algorithm (default still standard crypt).

In all cases the implementation will look at the hash to see what algorithm to use; the supported algorithms are __unix__ and:

    1    crypt_bsdmd5.so.1
    2a   crypt_bsdbf.so.1
    md5  crypt_sunmd5.so.1

I believe that "1" is the md5 algorithm used by Linux; "2a" is the BSD blowfish based algorithm and "md5" is a Sun md5 variant.

You can also write your own crypt module and "plug it in" if you want to.

Encrypted passwords using all algorithms can coexist as the used algorithm is encoded in the crypt output string.

>> (the solregis command should take care of registering)
>
>why do I need to do this though?

To get login access to access1.sun.com/solarissolve which has the maintenance updates.

=======================================================================

Richard Hobbs:
--------------

Ah..... so when I install the patches from access1.sun.com, I will be able to change to md5... cool!

I tried to run the solregis command, but I'm currently unable to export my DISPLAY from home to work (cos I SSH into my gateway, and then SSH into my Solaris box, so the X-Tunnelling gets broken). I'll run this command when I get home.

What file contains the following stuff though? Should I just search /etc/ for files containing "crypt_"??

    1    crypt_bsdmd5.so.1
    2a   crypt_bsdbf.so.1
    md5  crypt_sunmd5.so.1

=======================================================================

Casper Dik:
-----------

Patch 113475-02 has the crypt modules.

Patch 112874-09 (libc) has /etc/security/crypt.conf

Those two combined, I think, give the necessary client side support for using but not changing the passwords.
(And you can't use them for root because of statically linked /sbin/sulogin)

113480-01 might be needed, but I think not.

=======================================================================

Richard Hobbs:
--------------

In that case, I shall register and then install patches 113475-02 and 112874-09.

Just to finally confirm... if I install these patches and configure, my Solaris box will recognise the MD5-encrypted passwords served by my NIS server, but the users won't be able to change their passwords from this machine... they will have to log into a different machine to do that... that's fine for what I need.

>Correct; but you can just as well install all of the needed patches (all
>are part of MU2)

One other point is that I don't need to enhance the encryption on the root password, as it already allows passwords above 8 chars for the root password. Whether this uses advanced encryption, I'm not sure (although I doubt it), but the only reason for needing better encryption was to make the user accounts compatible with my NIS server, and as the root account isn't taken from NIS, this isn't a problem.

Thanks a lot for your help.

=======================================================================

The end of the story is that I think I'm gonna try to get hold of Solaris 9 12/02 first, but if not, this will all come in very useful, so a *BIG* thank you to Casper for all his help with this.

--
Richard Hobbs
hobbs@mongeese.co.uk
http://mongeese.co.uk | http://fishsponge.co.uk

"There's only one way of life, and that's your own" - The Levellers
_____________________________________________________
Send all your jokes to jokes@fishsponge.co.uk !!
To subscribe, email: jokes-subscribe@fishsponge.co.uk
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Feb 27 07:21:59 2003
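
Added example (not part of the original thread, and not Sun's code): because the algorithm is encoded in the crypt output string, a NIS passwd map can be checked against a client's crypt.conf entries before relying on it for logins. The map lines are constructed with dummy hash bodies, the `$9$` id is a made-up unconfigured algorithm, and treating `,` as an id terminator (for the Sun `$md5,rounds=N$` form) is an assumption.

```python
import re

# The three id -> module entries Casper lists for /etc/security/crypt.conf.
CRYPT_CONF = "1 crypt_bsdmd5.so.1\n2a crypt_bsdbf.so.1\nmd5 crypt_sunmd5.so.1\n"

# Constructed passwd-map lines in "ypcat passwd" layout; hash bodies are dummies.
SAMPLE_MAP = """\
alice:$1$Qx9fT2ab$0123456789abcdefghijkl:1001:100::/home/alice:/bin/sh
bob:abJnggxhB/yWI:1002:100::/home/bob:/bin/sh
carol:$2a$08$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1003:100::/home/carol:/bin/sh
dave:$md5,rounds=5000$GUBv0xjJ$$0123456789abcdefghijkl:1004:100::/home/dave:/bin/sh
erin:*LK*:1005:100::/home/erin:/bin/sh
frank:$9$salt$dummy:1006:100::/home/frank:/bin/sh
"""

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt: 2-char salt + 11
ID_RE = re.compile(r"^\$([^$,]+)[$,]")       # id runs to the next '$' or ','

def parse_crypt_conf(text):
    """Map algorithm id -> module name, skipping blanks and '#' comments."""
    modules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            modules[fields[0]] = fields[1]
    return modules

def classify(hash_field, modules):
    """Return (algorithm id, module or None, verdict) for one password field."""
    m = ID_RE.match(hash_field)
    if m:
        alg = m.group(1)
        if alg in modules:
            return alg, modules[alg], "ok"
        return alg, None, "no module configured"
    if DES_RE.match(hash_field):
        return "__unix__", None, "ok (built in, 8-char limit)"
    return None, None, "not a hash (locked or empty)"

def audit(map_text, conf_text):
    """Classify every account in a passwd-format map against crypt.conf."""
    modules = parse_crypt_conf(conf_text)
    rows = (line.split(":") for line in map_text.splitlines())
    return {r[0]: classify(r[1], modules) for r in rows if len(r) >= 2}

if __name__ == "__main__":
    for user, result in audit(SAMPLE_MAP, CRYPT_CONF).items():
        print(user, *result, sep="\t")
```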