Setting up the NIS Master with Shadow Passwords under Sun OS 4.1.3

(THIS DOCUMENT IS BASED ON OUR OWN EXPERIENCES WITH SETUP. NO GUARANTEES ARE
MADE TO ITS SUITABILITY FOR USE AT OTHER SITES, OR ITS CORRECTNESS.)

Author: Erik Oliver, eoliver@ralph.cs.haverford.edu
Based on work done for Haverford College Academic Computing Center

Special thanks to: Tom M. Kroeger of University of Hawaii Computing Center,
tmk@hawaii.edu, for his script for automating the conversion and his note
about the implied incompatibility with older NFS servers because of the way
rc.local is written.

This document describes the steps to set up shadow passwords on a network of
Sun Workstations running 4.1.2 and 4.1.3 using NIS to obtain passwords. This
technique avoids the full process of setting up C2 security, but offers all
of the benefits of shadowed passwords, including shadowed passwords over NIS.

STEP BY STEP:

(1) Obtain Sun Patches: 100564-05 and 100482-04.

    Assumptions:
      /etc/passwd contains local accounts and passwords.
      /var/yp contains a file named passwd with the NIS accounts and
      passwords on the NIS Master, and the Makefile in /var/yp is suitably
      configured for this location.

(2) Set up NIS normally without shadowing. Based on the assumptions above,
    your /var/yp/Makefile on the NIS Master should have the line reading

        DIR=/etc

    changed to

        DIR=/var/yp

    This will make it use /var/yp as the origin of the source files rather
    than /etc.

(3) Install patch 100482-04. It contains new versions of ypserv, ypxfrd, and
    portmap. This is not directly related to setting up shadowed passwords,
    but it fixes some security problems and lets you use the file
    /var/yp/securenets to restrict map access to specific subnets. In our
    case /var/yp/securenets is:

        #
        # /var/yp/securenets file
        #
        # The format of this file is one or more lines of
        #
        #   netmask netaddr
        #
        # Both netmask and netaddr must be dotted quads.
        #
        # for example:
        255.255.255.0 165.82.1.0

    This means only machines in 165.82.1.X can request maps, etc.
(4) Next install patch 100564-07 as follows:

    ** NOTE: YOU ARE NOT GOING TO FOLLOW THE PATCH INSTRUCTIONS LETTER FOR
    LETTER HERE. FOLLOW THESE INSTRUCTIONS VERY PRECISELY TO GET THINGS TO
    WORK. **

(4a) Copy the new static versions of rpc.pwdauthd and rpc.yppasswdd into
     /usr/etc as instructed on the last page of the patch instructions.

(4b) Then you must modify the passwd file as follows: remove all entries
     from the passwd field (the second field) of /etc/passwd and replace
     each with ##username. (You might want to copy passwd to
     security/passwd.adjunct first, or use an awk script to accomplish this
     task.)

     Example:
         root:XXabcdefgh:0:1:Root:/:/bin/csh
     Becomes:
         root:##root:0:1:Root:/:/bin/csh

     Then in the file /etc/security/passwd.adjunct put entries of the form:
         username:oldpasswd:::::
     Example:
         root:XXabcdefgh:::::

     Now repeat this process for /etc/group, copying it to
     /etc/security/group.adjunct and modifying the second field to
     ##groupname.

     Example:
         wheel:*:1:
     Becomes:
         wheel:##wheel:1:

     Then in the file /etc/security/group.adjunct put entries of the form:
         groupname:oldpasswd::
     Example:
         wheel:*::

     You can leave behind any + notations, and in fact should if you want
     the NIS accounts accessible on that machine. At the bottom of this
     document there is a handy script to automate the entire process of
     creating the security directories and splitting the password file into
     passwd and passwd.adjunct.

     Repeat this for the /var/yp/passwd and /var/yp/group files, except
     this time the auxiliary files you create are
     /var/yp/security/passwd.adjunct and /var/yp/security/group.adjunct
     respectively.
(4c) Set permissions on the adjunct files and directories:

         chmod 2711 /etc/security /var/yp/security
         chmod 600 /etc/security/passwd.adjunct /var/yp/security/passwd.adjunct
         chmod 600 /etc/security/group.adjunct /var/yp/security/group.adjunct
         chown root.staff /etc/security /var/yp/security \
             /etc/security/passwd.adjunct /var/yp/security/passwd.adjunct \
             /etc/security/group.adjunct /var/yp/security/group.adjunct

(4d) Audit accounts --- THIS MUST BE DONE whether or not you want to use
     auditd. You must also add two local accounts and two more NIS accounts.

     In /etc/passwd and /var/yp/passwd add:
         AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
         AUyppasswdd:##AUyppasswdd:28:10:::/bin/false

     Add the following to /etc/security/passwd.adjunct and
     /var/yp/security/passwd.adjunct:
         AUpwdauthd:*:::::
         AUyppasswdd:*:::::

     IT IS VITAL THAT THESE TWO ACCOUNTS BE ADDED EXACTLY AS WRITTEN AND TO
     BOTH THE LOCAL AND NIS SOURCE FILES, otherwise you will not be able to
     log in or change passwords.

(5) Fix up the boot process. Edit the file /etc/rc.local:

(5a) Comment out the lines where auditd is launched. NB: edit out the whole
     if-then-fi statement, 3 lines.

(5b) Change the line where rpc.yppasswdd is launched to:

         /usr/etc/rpc.yppasswdd /var/yp/passwd \
             /var/yp/security/passwd.adjunct -nogecos -m; echo -n ' yppasswd'

     This ensures that it knows about the shadow password file for NIS and
     will remake the maps properly. Note: -nogecos prevents users from
     changing their full name field. See man rpc.yppasswdd for a
     description of all flags.

(5c) Double check that ypbind will start with -s:

         if [ -f /etc/security/passwd.adjunct ]; then
             ypbind -s;      echo -n ' ypbind'
         else
             ypbind;         echo -n ' ypbind'
         fi

(6) Do a make in the /var/yp directory.

(7) Then reboot and cross your fingers.

    NOTE: Because of the existence of /etc/security/passwd.adjunct, the
    standard rc.local file will now start the mountd daemon without the -n
    option, which makes it incompatible with NFS 3.0.
    Hence, if you are going to be using the procedure described here with
    earlier NFS servers, you may need to change that portion of rc.local as
    well.

    Be sure to test that local accounts can log in and change passwords, and
    then try an NIS account.

(7) ON THE CLIENTS/SLAVE SERVERS:

    Install 100481-04 in full. [We are not sure if that is actually
    necessary.]

    DO THE FOLLOWING with patch 100564-07: follow the steps listed in (4)
    for copying the appropriate static rpc.pwdauthd and rpc.yppasswdd, and
    also follow the instructions for splitting out the passwd file; you can
    ignore anything having to do with the directory /var/yp on a client,
    though. Be sure to add AUpwdauthd and AUyppasswdd as above to
    /etc/passwd and /etc/security/passwd.adjunct. Copy the permission
    information for /etc/security and /etc/security/passwd.adjunct from
    above, as well as for /etc/group and /etc/security/group.adjunct. Then
    disable auditd in rc.local and reboot.

    Note: for slave servers, you may need to do a
        ypinit -s server.name
    to get a new copy of all the maps.

    Note: yppush will not push the new passwd.adjunct map. [This is
    intended.]
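Before running make or rebooting, it is worth confirming that a passwd file and its passwd.adjunct agree in the way steps (4b) and (4d) require, since a missing audit account or an unsplit entry locks everyone out. The following POSIX sh check is an added example, not part of the original how-to or of Tom Kroeger's script; the sample files are constructed here, and the user "alice" and every hash except root's XXabcdefgh are made up.

```shell
#!/bin/sh
# Added check (not from the original how-to): every local passwd entry must
# have ##username in field 2, every such user needs a 7-field adjunct line,
# no adjunct line may be orphaned, and both audit accounts must exist on
# both sides.  "+" NIS marker lines are skipped on both sides.
check_adjunct() {
    awk -F: '
        BEGIN { bad = 0 }
        side == "" {                         # first file: passwd
            if (substr($1, 1, 1) == "+") next
            if (NF != 7) { print "passwd: " $1 ": expected 7 fields"; bad = 1 }
            if ($2 != ("##" $1)) { print "passwd: " $1 ": field 2 must be ##" $1; bad = 1 }
            want[$1] = 1; next
        }
        {                                    # second file: passwd.adjunct
            if (substr($1, 1, 1) == "+") next
            if (NF != 7) { print "adjunct: " $1 ": expected 7 fields"; bad = 1 }
            have[$1] = 1
        }
        END {
            for (u in want) if (!(u in have)) { print "no adjunct entry for " u; bad = 1 }
            for (u in have) if (!(u in want)) { print "adjunct entry " u " has no passwd entry"; bad = 1 }
            n = split("AUpwdauthd AUyppasswdd", au, " ")
            for (i = 1; i <= n; i++)
                if (!(au[i] in want) || !(au[i] in have)) { print "audit account " au[i] " missing"; bad = 1 }
            exit bad
        }' "$1" side=adjunct "$2"
}

# Constructed sample files; "alice" and her hash are made up for the example.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:##root:0:1:Root:/:/bin/csh
alice:##alice:1001:10:Alice Example:/home/alice:/bin/csh
AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
AUyppasswdd:##AUyppasswdd:28:10:::/bin/false
+::0:0:::
EOF
cat > "$TMPD/passwd.adjunct" <<'EOF'
root:XXabcdefgh:::::
alice:XXzyxwvuts:::::
AUpwdauthd:*:::::
AUyppasswdd:*:::::
EOF
# A broken pair: the audit accounts from step (4d) were never added.
printf 'root:##root:0:1:Root:/:/bin/csh\n' > "$TMPD/passwd.bad"
printf 'root:XXabcdefgh:::::\n' > "$TMPD/passwd.adjunct.bad"

if check_adjunct "$TMPD/passwd" "$TMPD/passwd.adjunct"; then echo "good pair: OK"; fi
if ! check_adjunct "$TMPD/passwd.bad" "$TMPD/passwd.adjunct.bad"; then echo "bad pair: rejected"; fi
```

The function exits 0 only when the pair is consistent, so it can be run on both /etc and /var/yp before step (6).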
%% SCRIPT TO AUTOMATE passwd -> passwd.adjunct CONVERSION

    #!/bin/csh
    #
    # make.adj -- make modified passwd/group file & adjunct file
    # Jun 94 - tmk@Hawaii.Edu
    #
    # assumes: current directory is home of passwd/group maps
    #          only used on SunOS 4.1.3 -- not tested for all types of systems
    #
    # Usage: make.adj passwd_file group_file
    #
    if ($#argv != 2) then
        echo "Usage: $0 passwd_file group_file"
        exit 1
    endif

    mkdir security

    # passwd: "+" NIS marker lines are copied unchanged; every other entry
    # gets ##username in the password field.  The old password field goes
    # into the adjunct file in the 7-field username:oldpasswd::::: form.
    awk -F: '{ if (substr($1,1,1) == "+") \
                   print $1":"$2":"$3":"$4":"$5":"$6":"$7; \
               else \
                   print $1":##"$1":"$3":"$4":"$5":"$6":"$7 }' < $1 > $1.new
    awk -F: '{ print $1":"$2":::::" }' < $1 > security/$1.adjunct
    mv $1 $1.shad.old
    mv $1.new $1

    # the two audit accounts required by step (4d), in both files
    echo "AUpwdauthd:##AUpwdauthd:29:10:::/bin/false" >> $1
    echo "AUyppasswdd:##AUyppasswdd:28:10:::/bin/false" >> $1
    echo "AUpwdauthd:*:::::" >> security/$1.adjunct
    echo "AUyppasswdd:*:::::" >> security/$1.adjunct

    # group: same split, ##groupname in field 2, adjunct entries in the
    # groupname:oldpasswd:: form
    awk -F: '{ if (substr($1,1,1) == "+") \
                   print $1":"$2":"$3":"$4; \
               else \
                   print $1":##"$1":"$3":"$4 }' < $2 > $2.new
    awk -F: '{ print $1":"$2"::" }' < $2 > security/$2.adjunct
    mv $2 $2.shad.old
    mv $2.new $2

    # ownership and modes as in step (4c), applied to the files actually
    # named on the command line
    chown root.staff security $1 $2 \
        security/$1.adjunct security/$2.adjunct
    chmod 2711 security
    chmod 600 security/$1.adjunct security/$2.adjunct
    chmod 644 $1 $2

-- 
Erik Oliver
eoliver@ralph.cs.haverford.edu