Having just upgraded my NIS (no plus) Master from SuSE 8.0 to 9.0 I all of a sudden have a problem. Normal users can change their NIS passwd running 'passwd', the root user cannot - I'm prompted for the user's password not the root password. Even when running the command on the NIS master. Yppasswd used to help, but these days only informs me that it's deprecated and seems to simply run passwd.

Local password file and NIS password file are different on the server, by design. Root is not a NIS user, again, because I like it that way.

I _can_ change the password by running htpasswd and using vi(1) on the NIS shadow file (I just did, the problem became apparent because of a user who had forgotten his password), but I was looking for something slightly less ugly. There must surely still be tools?

Bjørn

--
Bjørn Tore Sund        Phone:  (+47) 555-84894    Stupidity is like a
System administrator   Fax:    (+47) 555-89672    fractal; universal and
Math. Department       Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen   VIP:    81724              teknisk@mi.uib.no
Email: bjornts@mi.uib.no                          http://www.mi.uib.no/
This unpleasant problem happens on 8.2 as well. I'm not certain, but I believe it started happening a few weeks after we upgraded to 8.2, so maybe it was caused by a security upgrade. Or maybe some SuSEconfig mischief.

Bob

On Thu, 18 Dec 2003, Bjorn Tore Sund wrote:
> Having just upgraded my NIS (no plus) Master from SuSE 8.0 to 9.0 I all of a sudden have a problem. Normal users can change their NIS passwd running 'passwd', the root user cannot - I'm prompted for the user's password not the root password. Even when running the command on the NIS master. Yppasswd used to help, but these days only informs me that it's deprecated and seems to simply run passwd.
>
> Local password file and NIS password file are different on the server, by design. Root is not a NIS user, again, because I like it that way.
>
> I _can_ change the password by running htpasswd and using vi(1) on the NIS shadow file (I just did, the problem became apparent because of a user who had forgotten his password), but I was looking for something slightly less ugly. There must surely still be tools?
>
> Bjørn
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here
==============================================================
Bob Vickers                                    R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv        Phone: +44 1784 443691
On Thu, 18 Dec 2003, Bob Vickers wrote:
> This unpleasant problem happens on 8.2 as well. I'm not certain, but I believe it started happening a few weeks after we upgraded to 8.2, so maybe it was caused by a security upgrade. Or maybe some SuSEconfig mischief.
You do realize that top-quoting makes it difficult to respond to specific points where both your post and mine touch on the same subject?

Anyway, having dug into documentation, the following from the NIS-HOWTO makes me appreciate the change:

|13. Changing passwords with rpasswd
|
|The standard way to change a NIS password is to call yppasswd, on some
|systems this is only an alias for passwd. This command uses the yppasswd
|protocol and needs a running rpc.yppasswdd process on the NIS master
|server. The protocol has the disadvantage that the old password will be
|sent in clear text over the network. This is not so problematic if the
|password change was successful. In this case, the old password is
|replaced with the new one. But if the password change fails, an attacker
|can use the clear password to login as this user. Even worse: if the
|system administrator changes the NIS password for another user, the root
|password of the NIS master server is transferred in clear text over the
|network. And this one will not be changed.

The text goes on to describe how to set up rpasswd to do this job for you. I'll certainly be looking into it as soon as I can.

Bjørn
Dear Bjorn,

Thanks for the hint about rpasswd. It is well described in http://howto.zgp.org/NIS-HOWTO/rpasswdd.html, and provides a way for users as well as administrators to change passwords.

But I was very surprised that rpasswdd works without you needing to create an entry in /etc/hosts.allow. So although rpasswd fixes one security hole by preventing plaintext passwords going across the network it potentially opens up another. With our old setup even if someone managed to discover the root password it was useless to them unless they also knew an administrator's regular password because neither ssh nor su let them gain root privilege except from a very small number of accounts. But now they can run rpasswd from any machine on the campus and rpasswdd will happily let them change any user's password.

Does anyone have any comments on this? Am I missing something?

Bob
On Fri, Dec 19, 2003 at 04:02:40PM +0000, Bob Vickers wrote:
> But I was very surprised that rpasswdd works without you needing to create an entry in /etc/hosts.allow. So although rpasswd fixes one security hole by preventing plaintext passwords going across the network it potentially opens up another. With our old setup even if someone managed to discover the root password it was useless to them unless they also knew an administrator's regular password because neither ssh nor su let them gain root privilege except from a very small number of accounts. But now they can run rpasswd from any machine on the campus and rpasswdd will happily let them change any user's password.
I think letting users discover the root password of your server machine is really really bad. If that happens, you're almost toast anyway. rpasswdd is far from the only service granting folks knowing the root password special privileges. LDAP comes to mind.

I agree though that the ability to turn admin mode off or limit it to a set of trusted IPs could be helpful. Would you care to submit a patch?

Olaf

--
Olaf Kirch      | Stop wasting entropy - start using predictable
okir@suse.de    | tempfile names today!
----------------+
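The control Olaf sketches (an admin-mode switch plus a trusted-network list, with self-service changes untouched) as an added Python example; this is not rpasswdd's code, and the policy, the network list and the request fields are assumptions made for illustration:

```python
import ipaddress

# Assumed configuration for this example: "admin mode" (root changing
# another user's NIS password) is on, but only honoured from these networks.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "127.0.0.1/32")]
ADMIN_MODE_ENABLED = True


def admin_change_allowed(client_ip, target_user, auth_user,
                         admin_mode=ADMIN_MODE_ENABLED,
                         trusted_nets=TRUSTED_ADMIN_NETS):
    """Decide whether a password-change request should be accepted.

    client_ip   address the request arrived from
    target_user account whose password would be changed
    auth_user   account whose password the client authenticated with
    Returns (allowed, reason); the reason is meant for the daemon's log.
    """
    # A user changing their own password: allowed from anywhere, as today.
    if auth_user == target_user:
        return True, "self-service change"
    # Only root may change somebody else's password.
    if auth_user != "root":
        return False, "only root may change other users' passwords"
    # The global switch Olaf mentions: turn admin mode off entirely.
    if not admin_mode:
        return False, "admin mode disabled"
    # Reject anything that does not parse as an address instead of guessing.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    # Knowing the root password is not enough from an untrusted network.
    if not any(addr in net for net in trusted_nets):
        return False, "admin request from untrusted address %s" % addr
    return True, "admin change from trusted network"


def audit(requests):
    """Apply the policy to a batch of (client_ip, target, auth) requests.

    Returns the list of denied requests with their reasons, which is what
    a reviewer would want to see after enabling the restriction.
    """
    denied = []
    for client_ip, target, auth in requests:
        ok, reason = admin_change_allowed(client_ip, target, auth)
        if not ok:
            denied.append((client_ip, target, auth, reason))
    return denied
```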