Setting up the NIS Master with Shadow Passwords under Sun OS 4.1.3

(THIS DOCUMENT IS BASED ON OUR OWN EXPERIENCES WITH SETUP
 NO GUARANTEES ARE MADE TO ITS SUITABILITY FOR USE AT OTHER
 SITES.  OR ITS CORRECTNESS.)

Author: Erik Oliver, eoliver@ralph.cs.haverford.edu
	Based on work done for Haverford College Academic Computing
	Center

Special thanks to:
  Tom M. Kroeger of University of Hawaii Computing Center, tmk@hawaii.edu
  for his script for automating the conversion and his note about the
  implied incompatibility w/ older NFS servers because of the way
  rc.local is written.

This document describes the steps to set up shadow passwords on a network
of Sun Workstations running 4.1.2 and 4.1.3 that use NIS to obtain
passwords.

This technique avoids the full process of setting up C2 security, but
offers all of the benefits of shadowed passwords, including shadowed
passwords over NIS.


STEP BY STEP:

(1) Obtain Sun Patches: 100564-05 and 100482-04.

Assumptions:
	/etc/passwd contains local accounts and passwords
	/var/yp contains a file named passwd with the NIS accounts and passwds
	on the NIS Master, and the Makefile in /var/yp is suitably
	configured for this location.

(2) Set up NIS normally, without shadowing, based on this information.
    Your /var/yp/Makefile on the NIS Master should have the line that reads
	DIR=/etc
    changed to read
	DIR=/var/yp

This will enable it to use /var/yp as the origin of the source files
rather than /etc.

(3) Install patch 100482-04.  It contains new versions of
ypserv, ypxfrd, and portmap.  This is not directly related
to setting up shadowed passwords, but it fixes some security
problems and lets you use the file /var/yp/securenets
to restrict map access to specific subnets.

In our case we have /var/yp/securenets:
#
# /var/yp/securenets file
#
# The format of this file is one or more lines of
#
# netmask netaddr
# Both netmask and netaddr must be dotted quads.
#
# for example:
255.255.255.0 165.82.1.0

This means only machines in 165.82.1.X can request maps, etc.
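The "netmask netaddr" rule above is a bitwise test, and a mistake in the file (a host address where a network address belongs) silently admits nobody. The following is an added example written for this document, not Sun's ypserv code: it reimplements the documented rule so a securenets file can be checked offline before ypserv is restarted. The sample file is constructed; the second rule in it is hypothetical.

```python
"""Offline checker for a SunOS 4.1.x /var/yp/securenets file.

Added example, not part of the original document and not Sun's ypserv
code.  It reimplements the documented "netmask netaddr" rule: a client
is allowed when (client AND netmask) == netaddr.
"""
import ipaddress

# Constructed sample in the page's format: comments, blank lines, and one
# "netmask netaddr" rule per line.  The /32 rule for a single host is
# hypothetical and only illustrates a host-specific entry.
SAMPLE_SECURENETS = """\
#
# /var/yp/securenets file
#
# netmask netaddr
255.255.255.0 165.82.1.0
255.255.255.255 10.0.0.7
"""


def parse_securenets(text):
    """Return a list of (netmask, netaddr) integer pairs.

    Comment and blank lines are skipped.  A line that is not exactly two
    dotted quads, or whose netaddr has bits set outside its netmask (a
    rule that can never match), raises ValueError so the admin sees it
    before the daemon does.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask netaddr', got {raw!r}")
        mask = int(ipaddress.IPv4Address(parts[0]))
        addr = int(ipaddress.IPv4Address(parts[1]))
        if addr & ~mask:
            raise ValueError(
                f"line {lineno}: netaddr {parts[1]} has host bits outside netmask {parts[0]}"
            )
        rules.append((mask, addr))
    return rules


def client_allowed(rules, client):
    """True if any rule admits the client address (first match wins)."""
    client_int = int(ipaddress.IPv4Address(client))
    return any((client_int & mask) == addr for mask, addr in rules)


def main():
    rules = parse_securenets(SAMPLE_SECURENETS)
    for host in ("165.82.1.17", "165.82.2.17", "10.0.0.7", "10.0.0.8"):
        verdict = "allowed" if client_allowed(rules, host) else "DENIED"
        print(f"{host:15} {verdict}")


if __name__ == "__main__":
    main()
```

Run it against a copy of the real file by replacing SAMPLE_SECURENETS with its contents; the host-bits check is this example's own strictness, added so that a typo such as 165.82.1.5 in the netaddr column is caught rather than quietly matching nothing.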

(4) Next install patch 100564-07 as follows:
** NOTE: YOU ARE NOT GOING TO FOLLOW THE PATCH INSTRUCTIONS LETTER
FOR LETTER HERE, FOLLOW THESE INSTRUCTIONS VERY PRECISELY TO GET
THINGS TO WORK **

(4a) Copy the new static versions of rpc.pwdauthd and rpc.yppasswdd
into /usr/etc as instructed on the last page of the patch
instructions.

(4b) Then modify the passwd file as follows: in every entry of
/etc/passwd, replace the contents of the password field (the second
field) with ##username.  (You might want to copy passwd to
security/passwd.adjunct first, or use an awk script to accomplish this task.)

Example:
	root:XXabcdefgh:0:1:Root:/:/bin/csh
Becomes:
	root:##root:0:1:Root:/:/bin/csh

Then in the file /etc/security/passwd.adjunct:
Put entries of the form:
username:oldpasswd:::::

Example:
root:XXabcdefgh:::::

Now repeat this process for /etc/group, copying it to
/etc/security/group.adjunct and modifying the second field to
##groupname.

Example:
wheel:*:1:
Becomes:
wheel:##wheel:1:

Then in the file /etc/security/group.adjunct:
Put entries of the form:
groupname:oldpasswd::
Example:
wheel:*::

You can leave behind any + entries (NIS references), and in fact should
if you want the NIS accounts accessible on that machine.

At the bottom of this document there is a handy script to
automate the entire process of creating the security directories and
splitting the password file into passwd and passwd.adjunct.

Repeat this for the /var/yp/passwd and /var/yp/group files except this
time the auxiliary file you create is /var/yp/security/passwd.adjunct
and /var/yp/security/group.adjunct respectively.

(4c) Set permissions on the adjunct files and security directories:
chmod 2711 /etc/security /var/yp/security
chmod 600 /etc/security/passwd.adjunct /var/yp/security/passwd.adjunct
chmod 600 /etc/security/group.adjunct /var/yp/security/group.adjunct
chown root.staff /etc/security /var/yp/security /etc/security/passwd.adjunct \
	/var/yp/security/passwd.adjunct /etc/security/group.adjunct \
	/var/yp/security/group.adjunct


(4d) Audit Accounts --- THIS MUST BE DONE whether or not you want
	to use the auditd

You must also add two local accounts and the same two NIS accounts.  To
both /etc/passwd and /var/yp/passwd add

AUpwdauthd:##AUpwdauthd:29:10:::/bin/false
AUyppasswdd:##AUyppasswdd:28:10:::/bin/false

Add the following to /etc/security/passwd.adjunct and
/var/yp/security/passwd.adjunct:

AUpwdauthd:*:::::
AUyppasswdd:*:::::

IT IS VITAL THAT THESE TWO ACCOUNTS BE ADDED EXACTLY AS WRITTEN
AND TO BOTH THE LOCAL and NIS source files, otherwise you will
not be able to log in or change passwords.

(5) Fix up the boot process:
Next, edit the file /etc/rc.local,

(5a) Comment out the lines where auditd is launched.
	NB: Edit out the whole if-then-fi statement, 3 lines.

(5b) Change the line where rpc.yppasswdd is launched to:
  /usr/etc/rpc.yppasswdd /var/yp/passwd \
    /var/yp/security/passwd.adjunct -nogecos  -m; echo -n ' yppasswd'
This ensures that it knows about the shadow password file
for NIS and will remake the maps properly.  Note: -nogecos prevents users
from changing their full name field.  See man rpc.yppasswdd
for a description of all flags.

(5c) Double check that ypbind will start with -s:
	if [ -f /etc/security/passwd.adjunct ]; then
		ypbind -s;	echo -n ' ypbind'
	else
		ypbind;		echo -n ' ypbind'
	fi

(6) Do a make in the /var/yp directory.

(7) Then reboot and cross your fingers.

NOTE: Because of the existence of /etc/security/passwd.adjunct the
standard rc.local file will now start the mountd daemon without the -n
option, which makes it incompatible with NFS 3.0.  Hence
if you are going to be using the procedure described here with earlier
NFS servers, you may need to change that portion of rc.local as well.

Be sure to test that local accounts can log in and change passwords
and then try an NIS account.

(8) ON THE CLIENTS/SLAVE SERVERS:

Install 100481-04 in full. [We are not sure if that is actually necessary]
DO THE FOLLOWING with Patch 100564-07:
Follow the steps listed in (4) for copying the appropriate
static rpc.pwdauthd and rpc.yppasswdd, and also follow the instructions
for splitting out the passwd file; you can ignore anything
having to do with the directory /var/yp on a client, though.
Be sure to add AUpwdauthd and AUyppasswdd as above to /etc/passwd
and /etc/security/passwd.adjunct.

Apply the same ownership and permissions as above to /etc/security and
/etc/security/passwd.adjunct, as well as to /etc/group and
/etc/security/group.adjunct.

Then disable the auditd in rc.local and reboot.

Note: for slave servers, you may need to do a ypinit -s server.name to
get a new copy of all the maps.  Note: yppush will not push the new
passwd.adjunct map. [This is intended.]

%% SCRIPT TO AUTOMATE PASSWD-> passwd.adjunct conversion
#!/bin/csh -f
#
#   make.adj -- make modified passwd/group file & adjunct file
#					Jun 94 - tmk@Hawaii.Edu
#
#   assumes: current directory is home of passwd/group maps
#	only used on SunOS 4.1.3 -- not tested for all types of systems
#
#  Usage: make.adj passwd_file group_file
#
if ($#argv != 2) then
	echo "Usage: make.adj passwd_file group_file"
	exit 1
endif
mkdir security
# passwd: leave + (NIS) entries alone, otherwise put ##user in field 2
awk -F: '{ if (substr($1,1,1) == "+") \
             print $1":"$2":"$3":"$4":"$5":"$6":"$7; \
            else \
             print $1":##"$1":"$3":"$4":"$5":"$6":"$7 }' < $1 > $1.new
# old password field goes to the adjunct file as username:passwd:::::
awk -F: '{print $1":"$2":::::"}' < $1 > security/$1.adjunct
mv $1 $1.shad.old
mv $1.new $1

# the two audit accounts required by step (4d), in both files
echo "AUpwdauthd:##AUpwdauthd:29:10:::/bin/false" >> $1
echo "AUyppasswdd:##AUyppasswdd:28:10:::/bin/false" >> $1
echo "AUpwdauthd:*:::::" >> security/$1.adjunct
echo "AUyppasswdd:*:::::" >> security/$1.adjunct

# group: same split on the 4-field file, adjunct form is groupname:passwd::
awk -F: '{  if (substr($1,1,1) == "+") \
		print $1":"$2":"$3":"$4; \
	     else \
		print $1":##"$1":"$3":"$4  }' < $2 > $2.new
awk -F: '{print $1":"$2"::"}' < $2 > security/$2.adjunct
mv $2 $2.shad.old
mv $2.new $2

# ownership and modes as in step (4c)
chown root.staff security $1 $2 \
		security/$1.adjunct security/$2.adjunct
chmod 2711 security
chmod 600 security/$1.adjunct security/$2.adjunct
chmod 644 $1 $2