Mixed SHA, MD5 and Crypt Password Authentication

Post by Richard H. Norwood J » Sun, 15 Feb 2004 06:27:52



I have a large number of Solaris 2.8 systems that I manage.  Currently
all of our web based applications authenticate against LDAP.  Now since
I don't have control over the LDAP servers to make significant schema
changes we are using NIS to authenticate our developers and
administrators.

Now for the problem, I have written a set of Perl modules and scripts
to extract the information and user base I need from the LDAP server
to create my NIS map files.  The only problem I have is that Solaris
is not able to decrypt password strings other than CRYPT encrypted
strings, and the strings I'm receiving from the LDAP server include
{SHA}, {MD5} and {CRYPT} in front of the hash.  OK, I can strip off the
designator, but that doesn't solve the authentication piece.

Does anyone know of a PAM module or another mechanism that will allow
me to have mixed mode passwords in NIS?

If nothing has been created, does anyone know of a HOWTO which
describes the creation of a new PAM module?

Is there anything else linking NIS with LDAP?

Thanks,

Rick

Post by Thomas Na » Sun, 15 Feb 2004 06:54:10



| Now for the problem, I have written a set of Perl modules and scripts
| to extract the information and user base I need from the LDAP server
| to create my NIS map files.  The only problem I have is that Solaris
| is not able to decrypt password strings other than CRYPT encrypted
| strings, and the strings I'm receiving from the LDAP server include
| {SHA}, {MD5} and {CRYPT} in front of the hash.  OK, I can strip off the
| designator, but that doesn't solve the authentication piece.
|
| Does anyone know of a PAM module or another mechanism that will allow
| me to have mixed mode passwords in NIS?

Sorry, I don't know a solution to what you're really asking for, but if your
LDAP admins use CRYPT (same as UNIX old style encryption used in Solaris 8)
you can set up a Solaris 9 box using its latest YP server, which can act as
an LDAP to YP gateway.

| If nothing has been created, does anyone know of a HOWTO which
| describes the creation of a new PAM module?

PADL has written nice PAM modules which can be used to authenticate Solaris
users against an LDAP server. This might be a nice starting point.
Also, looking at open source stuff like FreeBSD and others offers a good intro,
as well as Sun's documentation.

| Is there anything else linking NIS with LDAP?

See above: the latest Solaris 9 update.

Thomas

-----------------------------------------------------------------
PGP fingerprint: B1 EE D2 39 2C 82 26 DA  A5 4D E0 50 35 75 9E ED
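
An added example, not part of the original posts and not code from either poster: it illustrates why stripping the designator described in the first post is not enough. {SHA} and {MD5} bodies are base64-encoded unsalted digests rather than crypt(3) strings, so only {CRYPT} bodies fit a NIS passwd map. All function names and the sample entries are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Unsalted digest schemes named in the thread, mapped to hashlib algorithms.
DIGEST_SCHEMES = {"SHA": "sha1", "MD5": "md5"}


def parse_user_password(value):
    """Split an LDAP userPassword value into (scheme, body); scheme is upper-cased."""
    if value.startswith("{") and "}" in value:
        scheme, body = value[1:].split("}", 1)
        return scheme.upper(), body
    return None, value  # no designator present


def nis_passwd_field(value):
    """Return the crypt(3) string for a NIS passwd map, or None if not {CRYPT}."""
    scheme, body = parse_user_password(value)
    return body if scheme == "CRYPT" else None


def verify_digest(value, password):
    """Check a password against a {SHA} or {MD5} value (what a PAM module would do)."""
    scheme, body = parse_user_password(value)
    if scheme not in DIGEST_SCHEMES:
        raise ValueError("not an unsalted digest scheme: %r" % scheme)
    stored = base64.b64decode(body)
    computed = hashlib.new(DIGEST_SCHEMES[scheme], password.encode()).digest()
    return hmac.compare_digest(stored, computed)  # constant-time comparison


def make_digest_value(scheme, password):
    """Build a constructed sample value in the directory's storage format."""
    digest = hashlib.new(DIGEST_SCHEMES[scheme], password.encode()).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode())


# Constructed sample entries (hypothetical users, not from the thread).
SAMPLES = {
    "alice": make_digest_value("SHA", "example-pass"),
    "bob": make_digest_value("MD5", "example-pass"),
    "carol": "{crypt}abPLACEHOLDER",  # placeholder in 13-character crypt(3) shape
}


def split_for_nis(entries):
    """Partition users into NIS-ready crypt strings and users needing another path."""
    usable = {u: nis_passwd_field(v) for u, v in entries.items() if nis_passwd_field(v)}
    return usable, sorted(u for u in entries if u not in usable)
```

Users in the second list returned by `split_for_nis` cannot be served from a crypt-only NIS map; they need either a password reset into {CRYPT} or authentication against the directory itself.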