3

Imagine a NIS user database /var/yp/input-files/passwd consisting of old crypt DES hashes. The aim is to migrate this database to md5 or sha hashes. When changing a password using yppasswd, it is generated using the same algorithm as for the existing entry (probably for legacy reasons), i.e. crypt stays crypt, md5 stays md5.

Our current plan is to write a special password change script wrapping yppasswd. Is there a more elegant way to tell yppasswd to generate changed passwords in md5 format by default?

Speckinius Flecksis
  • 614
  • 6
  • 9

2 Answers2

2

I figured it out by now:

  1. Download the nis-package of your distribution e.g. apt-get source nis under Debian.
  2. Edit corresponding yp-tools-2.9/src/yppasswd.c
  3. Replace int has_md5_passwd = 0; by int has_md5_passwd = 1; in the beginning of int main (int argc, char **argv)

yppasswd then always creates md5 hashes.

Speckinius Flecksis
  • 614
  • 6
  • 9
  • This doesn't exactly work with the yppasswd in yp-tools 2.12. If you go this route, you'll need to set `int hash_id = MD5;` at the top of `main` _and_ comment out the later line that says `hash_id = get_hash_id (pwd->pw_passwd);`. – asciiphil Jan 25 '13 at 20:35
1

Recent Linux distributions support NIS password updates through PAM, which means you can use the local passwd program instead of yppasswd. This also means that you can configure the hash algorithm, which is still (as of yp-tools 2.12) not possible with yppasswd.

Your system should have an /etc/pam.d/passwd file, which will either contain or, more likely, refer to another file that contains a line of the form:

password  sufficient  pam_unix.so md5 nis

The second field might differ, and there might be other parameters at the end, but you want the password line that loads pam_unix.so and it should have at least the nis parameter as well as a hash function appropriate to your NIS server (md5, sha256, etc.)

Your distribution might have a better way of configuring this, though, so make sure your changes aren't going to be overwritten by an automated process later.

On RedHat-derived systems (including at least RHEL, CentOS, Scientific Linux, and Fedora), you need to use the authconfig program with at least the --enablenis parameter. For the above scenario with MD5 hashes, the following command line would be sufficient:

authconfig --enablenis --usemd5 --update

On Debian systems (and possibly Debian derivatives, but I can't check at the moment), the proper way to do this appears to be to copy /usr/share/pam-configs/unix to something else (say, /usr/share/pam-configs/nis), edit the new file to give it appropriate settings and a new profile name, then run pam-auth-update, disable the "Unix authentication" profile and enable your new profile.

asciiphil
  • 519
  • 4
  • 17