354 lines
6.3 KiB
HTML
354 lines
6.3 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Changing passwords with rpasswd </TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="The Linux NIS(YP)/NYS/NIS+ HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Surviving a Reboot"
|
|
HREF="reboot.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Common Problems and Troubleshooting NIS
|
|
|
|
|
|
"
|
|
HREF="troubleshooting.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>The Linux NIS(YP)/NYS/NIS+ HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="reboot.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="troubleshooting.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="RPASSWDD"
|
|
></A
|
|
>13. Changing passwords with rpasswd </H1
|
|
><P
|
|
>The standard way to change a NIS password is to call
|
|
<B
|
|
CLASS="COMMAND"
|
|
>yppasswd</B
|
|
>, on some systems this is only
|
|
an alias for <B
|
|
CLASS="COMMAND"
|
|
>passwd</B
|
|
>. This commands uses
|
|
the yppasswd protocol and needs a running
|
|
<B
|
|
CLASS="COMMAND"
|
|
>rpc.yppasswdd</B
|
|
> process on the NIS master
|
|
server. The protocol has the disadvantage, that the old
|
|
password will be send in clear text over the network.
|
|
This is not so problematic, if the password change was
|
|
successfull. In this case, the old password is replaced
|
|
with the new one. But if the password change fails, an attacker
|
|
can use the clear password to login as this user.
|
|
Even more worse: If the system administrator changes the
|
|
NIS password for another user, the root password of the NIS
|
|
master server is transfered in clear text over the network.
|
|
And this one will not be changed.</P
|
|
><P
|
|
>One solution is to not use yppasswd for changing the password.
|
|
Instead, a good alternative is the <B
|
|
CLASS="COMMAND"
|
|
>rpasswd</B
|
|
>
|
|
command from the <TT
|
|
CLASS="LITERAL"
|
|
>pwdutils</TT
|
|
> package.</P
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
> Site Directory File Name
|
|
|
|
ftp.kernel.org /pub/linux/utils/net/NIS pwdutils-2.3.tar.gz
|
|
ftp.suse.com /pub/people/kukuk/pam/pam_pwcheck pam_pwcheck-2.2.tar.bz2
|
|
ftp.suse.com /pub/people/kukuk/pam/pam_unix2 pam_unix2-1.16.tar.bz2</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
><B
|
|
CLASS="COMMAND"
|
|
>rpasswd</B
|
|
> changes passwords for user accounts on
|
|
a remote server over a secure SSL connection. A normal user may
|
|
only change the password for their own account, if the user knows
|
|
the password of the administrator account (in the moment this is
|
|
the root password on the server), he may change the password for
|
|
any account if he calls <B
|
|
CLASS="COMMAND"
|
|
>rpasswd</B
|
|
> with the -a option.</P
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AEN624"
|
|
></A
|
|
>13.1. Server Configuration </H2
|
|
><P
|
|
>For the server you need at first certificate, the default filename
|
|
for this is <TT
|
|
CLASS="FILENAME"
|
|
>/etc/rpasswdd.pem</TT
|
|
>. The file can be
|
|
created with the following command:
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>A PAM configuration file for <B
|
|
CLASS="COMMAND"
|
|
>rpasswdd</B
|
|
> is needed,
|
|
too. If the NIS accounts are stored in <TT
|
|
CLASS="FILENAME"
|
|
>/etc/passwd</TT
|
|
>,
|
|
the following is a good starting point for a working configuration:
|
|
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>#%PAM-1.0
|
|
auth required pam_unix2.so
|
|
account required pam_unix2.so
|
|
password required pam_pwcheck.so
|
|
password required pam_unix2.so use_first_pass use_authtok
|
|
password required pam_make.so /var/yp
|
|
session required pam_unix2.so</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>If sources for the NIS password maps are stored in another
|
|
location (for example in /etc/yp), the <TT
|
|
CLASS="LITERAL"
|
|
>nisdir</TT
|
|
>
|
|
option of pam_unix2 can be used to find the source files in another place:
|
|
|
|
<TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>#%PAM-1.0
|
|
auth required pam_unix2.so
|
|
account required pam_unix2.so
|
|
password required pam_pwcheck.so nisdir=/etc/yp
|
|
password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok
|
|
password required pam_make.so /var/yp
|
|
session required pam_unix2.so</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>Now start the <B
|
|
CLASS="COMMAND"
|
|
>rpasswdd</B
|
|
> daemon on the NIS master server.</P
|
|
><P
|
|
>Since the password change is done with PAM modules,
|
|
<B
|
|
CLASS="COMMAND"
|
|
>rpasswdd</B
|
|
> is also able to allow password changes
|
|
for NIS+, LDAP or other services supported by a PAM module.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="AEN642"
|
|
></A
|
|
>13.2. Client Configuration </H2
|
|
><P
|
|
>On every client only the configuration file
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/rpasswd.conf</TT
|
|
> which contains the name
|
|
of the server is neded. If the server does not run on the default
|
|
port, the correct port can alse be mentioned here:</P
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
># rpasswdd runs on master.example.com
|
|
server master.example.com
|
|
# Port 774 is the default port
|
|
port 774</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="reboot.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="troubleshooting.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Surviving a Reboot</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Common Problems and Troubleshooting NIS
|
|
|
|
</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |