NIS Shadow Passwords w/o C2 under Sun OS 4.1.X [Long]

Post by Erik Oliv » Thu, 09 Jun 1994 05:09:13
After many requests to me and other people I've mailed this to, I am
reposting our own internal account of how to setup shadow passwords
with NIS w/o C2 security under 4.1.X.

Standard disclaimers about lack of responsibility for damages, etc.
All I can say is it works for our network of 6 Suns with 4.1.3 and
over 1400 NIS accounts and a good 20 local accounts on a number of
machines.

Only machines in the same subnet have access to our maps now and total
password maps with encrypted password fields never go across the
network...

I would appreciate hearing from you if you made changes to the
procedures that also work or have advice about ways we could improve
this procedure...

Please do not redistribute without leaving the header intact, thanks.

-Erik

Setting up the NIS Master with Shadow Passwords under Sun OS 4.1.3
(THIS DOCUMENT IS BASED ON OUR OWN EXPERIENCES WITH SETUP
 NO GUARANTEES ARE MADE TO ITS SUITABILITY FOR USE AT OTHER
 SITES.  OR ITS CORRECTNESS.)

Author: Erik Oliver, eoli...@ralph.cs.haverford.edu
        Based on work done for Haverford College Academic Computing
        Center

Special thanks to:
  Tom M. Kroeger of University of Hawaii Computing Center, t...@hawaii.edu
  for his script for automating the conversion and his note about the
  implied incompatibility w/ older NFS servers because of the way
  rc.local is written.

This document describes steps to setup shadow passwords on a network
of Sun Workstations running 4.1.2 and 4.1.3 using NIS to obtain
passwords.

This technique avoids the full process of setting up C2 security, but
offers all of the benefits of shadowed passwords, including shadowed
passwords over NIS.

STEP BY STEP:

(1) Obtain Sun Patches: 100564-05 and 100482-04.

Assumptions:
        /etc/passwd contains local accounts and passwords
        /var/yp contains a file named passwd with the NIS accounts and passwds
        on the NIS Master, and the Makefile in /var/yp is suitably
        configured for this location.

(2) Setup NIS normally without shadowing based on this information,
    your /var/yp/Makefile on the NIS Master should have the line with:
        DIR=/etc
    reading
        DIR=/var/yp

This will enable it to use /var/yp as the origin of the source files
rather than /etc.

(3) Install patch 100482-04.  It contains new versions of
ypserv, ypxfrd, and portmap.  This is not directly related
to setting up shadowed passwords, but it fixes some security
problems and lets you use the file /var/yp/securenets
to restrict map access to specific subnets.

In our case we have /var/yp/securenets:
#
# /var/yp/securenets file
#
# The format of this file is one or more lines of
#
# netmask netaddr
# Both netmask and netaddr must be dotted quads.
#
# for example:
255.255.255.0 165.82.1.0

This means only machines in 165.82.1.X can request maps, etc.

(4) Next install patch 100564-07 as follows:
** NOTE: YOU ARE NOT GOING TO FOLLOW THE PATCH INSTRUCTIONS LETTER
FOR LETTER HERE, FOLLOW THESE INSTRUCTIONS VERY PRECISELY TO GET
THINGS TO WORK **

(4a) Copy the new static versions of rpc.pwdauthd and rpc.yppasswdd
into /usr/etc as instructed on the last page of the patch
instructions.

(4b) Then you must modify the passwd file as follows: clear the
password field (the second field) of every entry in /etc/passwd and
replace it with ##username.  (You might want to copy passwd to
security/passwd.adjunct first, or use an awk script to accomplish this task.)

Example:
        root:XXabcdefgh:0:1:Root:/:/bin/csh
Becomes:
        root:##root:0:1:Root:/:/bin/csh

Then in the file /etc/security/passwd.adjunct:
Put entries of the form:
username:oldpasswd:::::

Example:
root:XXabcdefgh:::::

Now repeat this process for /etc/group, copying it to
/etc/security/group.adjunct and modifying the second field to
##groupname.

Example:
wheel:*:1:
Becomes:
wheel:##wheel:1:

Then in the file /etc/security/group.adjunct:
Put entries of the form:
groupname:oldpasswd::
Example:
wheel:*::

You can leave behind any + notations and in fact should if you want
the NIS accounts accessible on that machine.

At the bottom of this document there is a handy script to
automate the entire process of creating the security directories and
splitting the password file in passwd and passwd.adjunct.

Repeat this for the /var/yp/passwd and /var/yp/group files except this
time the auxiliary file you create is /var/yp/security/passwd.adjunct
and /var/yp/security/group.adjunct respectively.

(4c) Set permissions on the adjunct file/directory:
chmod 2711 /etc/security /var/yp/security
chmod 600 /etc/security/passwd.adjunct /var/yp/security/passwd.adjunct
chmod 600 /etc/security/group.adjunct /var/yp/security/group.adjunct
chown root.staff /etc/security /var/yp/security /etc/security/passwd.adjunct \
        /var/yp/security/passwd.adjunct /etc/security/group.adjunct \
        /var/yp/security/group.adjunct

(4d) Audit Accounts --- THIS MUST BE DONE whether or not you want
        to use the auditd

Also you must add two local accounts and two more NIS accounts. In
/etc/passwd and /var/yp/passwd add

AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
AUyppasswdd:##AUyppasswdd:28:10:::/bin/false

Add the following to /etc/security/passwd.adjunct and
/var/yp/security/passwd.adjunct:

AUpwdauthd:*:::::
AUyppasswdd:*:::::

IT IS VITAL THAT THESE TWO ACCOUNTS BE ADDED EXACTLY AS WRITTEN
AND TO BOTH THE LOCAL and NIS source files otherwise you will
not be able to login or change passwords.

(5) Fix up the boot process:
Next, edit the file /etc/rc.local,

(5a) Comment out the lines where auditd is launched.

(5b) Change the line where rpc.yppasswdd is launched to:
  /usr/etc/rpc.yppasswdd /var/yp/passwd \
    /var/yp/security/passwd.adjunct -nogecos  -m; echo -n ' yppasswd'
which ensures that it knows about the shadow password file
for NIS and will remake properly. Note: -nogecos prevents users
from changing their full name field.  See man rpc.yppasswdd
for a description of all flags.

(5c) Double check that ypbind will start with -s:
        if [ -f /etc/security/passwd.adjunct ]; then
                ypbind -s;      echo -n ' ypbind'
        else
                ypbind;         echo -n ' ypbind'
        fi

(6) Then reboot and cross your fingers.

NOTE: Because of the existence of /etc/security/passwd.adjunct the
standard rc.local file will now start the mountd daemon without the -n
option, which makes it incompatible with NFS 3.0.  Hence
if you are going to be using the procedure described here with earlier
NFS servers, you may need to change that portion of rc.local as well.

Be sure to test that local accounts can log in and change passwords
and then try an NIS account.

(7) ON THE CLIENTS/SLAVE SERVERS:

Install 100481-04 in full. [We are not sure if this is necessary.]
DO THE FOLLOWING with Patch 100564-07:
Follow the steps listed in (4) for copying the appropriate
static rpc.pwdauthd and rpc.yppasswdd, also follow the instructions
for splitting out the passwd file, you can ignore anything
having to do with the directory /var/yp on a client though.
Be sure to add AUpwdauthd and AUyppasswdd as above to /etc/passwd
and /etc/security/passwd.adjunct.

Copy the permission settings for /etc/security and
/etc/security/passwd.adjunct from above, as well as those for /etc/group and
/etc/group.adjunct.

Then disable the auditd in rc.local and reboot.

%% SCRIPT TO AUTOMATE PASSWD-> passwd.adjunct conversion
#!/bin/csh
#
#   make.adj -- make modified passwd/group file & adjunct file
#                                       Jun 94 - t...@Hawaii.Edu
#
#   assumes: current directory is home of passwd/group maps
#       only used on SunOS 4.1.3 -- not tested for all types of systems
#
#  Usage: make.adj passwd_file group_file
#
if ($#argv != 2) then
        echo "Usage: $0 passwd_file group_file"
        exit 1
endif
mkdir security
#
# passwd: leave "+" NIS lines untouched, replace field 2 with ##name,
# and move name:hash into security/<passwd>.adjunct (7 fields)
#
awk -F: '{ if (substr($1,1,1) == "+") \
             print $1":"$2":"$3":"$4":"$5":"$6":"$7  \
            else \
             print $1":##"$1":"$3":"$4":"$5":"$6":"$7 }' < $1 > $1.new
awk -F: '{print $1":"$2":::::"}' < $1 > security/$1.adjunct
mv $1 $1.shad.old
mv $1.new $1

# the two audit pseudo-users; both files need them (step 4d)
echo "AUpwdauthd:##AUpwdauthd:29:10:::/bin/false" >> $1
echo "AUyppasswdd:##AUyppasswdd:28:10:::/bin/false" >> $1
echo "AUpwdauthd:*:::::" >> security/$1.adjunct
echo "AUyppasswdd:*:::::" >> security/$1.adjunct

#
# group: same split, ##groupname in field 2,
# security/<group>.adjunct lines are groupname:passwd:: (4 fields)
#
awk -F: '{  if (substr($1,1,1) == "+") \
                print $1":"$2":"$3":"$4  \
             else \
                print $1":##"$1":"$3":"$4  }' < $2 > $2.new
awk -F: '{print $1":"$2"::"}' < $2 > security/$2.adjunct
mv $2 $2.shad.old
mv $2.new $2

chown root.staff security $1 $2 \
                security/$1.adjunct security/$2.adjunct
chmod 2711 security
chmod 600 security/$1.adjunct security/$2.adjunct
# the saved originals still hold the hashes: take away world read
chmod 600 $1.shad.old $2.shad.old
--
     Erik Oliver                            eoli...@ralph.cs.haverford.edu
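
Once the split has been done, the failure modes are silent: a hash left in
/etc/passwd is still world-readable, a user with a ##user placeholder but no
adjunct line cannot log in, a stale adjunct line leaks a hash for an account
that no longer exists, and a missing AU pseudo-user breaks passwd changes.
The following checker is an added example, not part of the original posts or
of Sun's patch; it assumes the layout the procedure above produces (field 2 of
passwd is ##name, one 7-field line per account in passwd.adjunct, "+" NIS
markers left alone, AUpwdauthd and AUyppasswdd in both files). The sample
files it builds are constructed for the demonstration, not taken from any
real host, and mktemp is assumed to be available.

```shell
#!/bin/sh
# check_adjunct.sh -- consistency checks for a passwd / passwd.adjunct split.
# Added example; assumes the layout described in the procedure above.

# audit_split PASSWD ADJUNCT: print one line per problem, nothing if clean.
audit_split() {
    pw=$1
    adj=$2

    # (a) Only the ##name placeholder may remain in field 2 of passwd;
    #     anything else is a hash still readable by everyone. "+" lines exempt.
    awk -F: '$1 !~ /^\+/ && $2 != ("##" $1) {
                 print "passwd: " $1 " has field 2 \"" $2 "\", expected ##" $1
             }' "$pw"

    # (b) Accounts must match one-to-one: passwd user without adjunct line
    #     cannot log in; adjunct line without passwd user is a stale hash.
    awk -F: 'NR == FNR { if ($1 !~ /^\+/) inpw[$1]++; next }
             $1 !~ /^\+/ { inadj[$1]++ }
             END {
                 for (u in inpw)  if (!(u in inadj)) print "adjunct: no entry for " u
                 for (u in inadj) if (!(u in inpw))  print "adjunct: orphan entry for " u
                 for (u in inadj) if (inadj[u] > 1)  print "adjunct: duplicate entry for " u
             }' "$pw" "$adj"

    # (c) passwd.adjunct lines are name:passwd:min:max:def:always:never.
    awk -F: 'NF != 7 { print "adjunct: line " NR " has " NF " fields, expected 7" }' "$adj"

    # (d) The audit pseudo-users must exist in both files (step 4d).
    for u in AUpwdauthd AUyppasswdd; do
        grep -q "^$u:" "$pw"  || echo "passwd: $u missing"
        grep -q "^$u:" "$adj" || echo "adjunct: $u missing"
    done

    # (e) The adjunct file must be mode 600: no group or world bits at all.
    case $(ls -ld "$adj" | cut -c5-10) in
        ------) ;;
        *) echo "adjunct: $adj is group- or world-readable" ;;
    esac
}

# check_split PASSWD ADJUNCT: exit 0 if consistent, 1 otherwise.
check_split() {
    problems=$(audit_split "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# write_sample DIR: constructed sample (not from any real system) with
# deliberate defects: an unsplit hash, a stale adjunct line, a missing
# pseudo-user and a world-readable adjunct file.
write_sample() {
    mkdir -p "$1/security"
    cat > "$1/passwd" <<'EOF'
root:##root:0:1:Root:/:/bin/csh
guest:Xabcdefgh12:100:10:Guest:/home/guest:/bin/csh
+::0:0:::
AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
AUyppasswdd:##AUyppasswdd:28:10:::/bin/false
EOF
    cat > "$1/security/passwd.adjunct" <<'EOF'
root:XXabcdefgh:::::
stale:YYabcdefgh:::::
AUpwdauthd:*:::::
EOF
    chmod 644 "$1/security/passwd.adjunct"
}

# Demo: run the checks against the constructed sample.
demo=$(mktemp -d)
write_sample "$demo"
check_split "$demo/passwd" "$demo/security/passwd.adjunct"
rm -rf "$demo"
```

Run it as `check_split /etc/passwd /etc/security/passwd.adjunct` on the master
and on every client after the split, and again on /var/yp/passwd and
/var/yp/security/passwd.adjunct on the master; a clean run prints nothing and
exits 0. Check (b) is the one that catches the case Thomas and Gary discuss
below: an AU pseudo-user present in one file but not the other.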
NIS Shadow Passwords w/o C2 under Sun OS 4.1.X [Long]

Post by Thomas M Kroeg » Sat, 11 Jun 1994 04:53:23
I spent last night updating our main system to implement shadowing using
the instructions posted by Erik Oliver, and the script I posted.  Just
3 notes that came up:

1) When you comment out auditd from rc.local make sure to comment out the
whole if statement (3 lines).  If you only comment out the auditd command
then this creates a null if, which is a syntax error in Bourne shell.

2) Once you have modified your NIS server, do a ypinit -s server.name.
This copies a full set of maps over from server.name.  yppush
will not push the new passwd.adjunct map.

3) chmod the passwd.shad.old and group.shad.old files to 600 (removing
world read).  I'd put this in the make.adj script.

--
                                    tmk

-----------------------------------------------------------------------
Tom M. Kroeger                                 Pray for wind      
University of Hawaii Computing Center       \    Pray for waves and
2565 The Mall,  Keller Hall                 |\     Pray it's your day off!
Honolulu HI 96822     (808) 956-2408        |~\  

                                           ,----+--
NIS Shadow Passwords w/o C2 under Sun OS 4.1.X [Long]

Post by Chris Wal » Wed, 15 Jun 1994 00:44:42
>I spent last night updating our main system to implement shadowing using
>the instructions posted by Erik Oliver, and the script I posted.  Just
>3 notes that came up:

>1) When you comment out auditd from rc.local make sure to comment out the
>whole if statement (3 lines).  If you only comment out the auditd command
>then this creates a null if, which is a syntax error in Bourne shell.

An alternative used here is to rename "auditd" to "auditd.nothanks",
thereby causing the if statement to be evaluated in the desired way.

One question:  Why is it necessary to create the AUfoobar pseudo-users?

I just installed secure passwds on a non-NIS Sparc, running 4.1.3, and
the fake users were needed.  However, other machines in use here do not
have the fake users in the NIS maps, in /etc/passwd, or in the
passwd.adjunct file.  The only difference between the Sparc in question
and these is that the latter run NIS (should not matter), and have
Bill LeFebvre's securelib installed.  I can check the source to securelib,
but I do not think it will be particularly revelatory.  Could it be that
the library routines securelib hacks somehow get around bogosity in the
original routines which require the pseudo-user?  Doesn't sound likely,
but with SunOS that doesn't mean much :^).

Thanks.

Chris
NIS Shadow Passwords w/o C2 under Sun OS 4.1.X [Long]

Post by Gary Mil » Wed, 15 Jun 1994 06:29:04

>An alternative used here is to rename "auditd" to "auditd.nothanks",
>thereby causing the if statement to be evaluated in the desired way.

Sun, in the patch README, recommends this:

        if [ -f /usr/etc/auditd -a -d /etc/security/audit ]; then

>One question:  Why is it necessary to create the AUfoobar pseudo-users?

The pwdauthd knows about one of them.  I don't know what it does
with it.

--
-Gary Mills-          -Unix Support-           -U of M Computer Services-
1. Help me configure 2.1 access to C2 shadow passwords from NIS

I've set up a Solaris 2.1 system standalone in a network of 4.1.3 systems.
I want it to be a NIS client, which is largely working ok.  The problem is
that it doesn't hook into the adjunct/shadow passwords of the 4.1.3 NIS
C2 configuration.

When I tried this under 2.0, I ended up rolling my own shadow file from the
adjunct password source.  In reading the release notes for 2.1 it mentions
hooking to C2 as a new feature, but it's unbundled.

Do I have to acquire the unbundled C2 package to solve my problem?  When I
set up this system, it has a /etc/shadow, so I guess shadow passwords are
not part of C2 now, so I would think that I would be able to do what I
want without the unbundled C2.

Thanks,
Leonard

---
--Leonard E. Sitongia           HAO System Manager                

High Altitude Observatory       P.O. Box 3000 Boulder CO  80307
