Using the SunOS 4.0 shadow password file

jdh at bu-pub.bu.edu
Tue May 8 00:01:13 AEST 1990


Here's an update on what I've written on installing sun's C2 security
shadow password file.  Thanks to William LeFebvre and Ole Holm Nielsen for
their comments.

Could this be placed in the archives?

[[Ed's Note: Placed in archives as requested. -bdg]]

FTP:	Hostname : titan.rice.edu (128.42.1.30)
	Directory: sun-spots
	Filename : shadow.howto

Archive Server Address: archive-server at rice.edu
Archive Server Command: send sun-spots shadow.howto

Jason Heirtzler           (617) 353-2780       jdh at bu-pub.bu.edu
Information Technology    Boston University    ..!bu.edu!bu-pub!jdh  

---- 8<  Cut Here >8 ------

HOW TO SET UP A "LOOK ASIDE" PASSWORD FILE UNDER SUNOS 4.0

Make a backup copy of /etc/{passwd,group}.

If you haven't already selected the "C2 security software" option from
suninstall when you installed your machine, you will need to do so.   This
I haven't verified myself, but people who didn't select it said they were
missing some files.

If you have sun source, create the directory /etc/security and protect it
mode 711.  You should modify rpc.yppasswdd and change it to force the
passwd.adjunct file to be created mode 600; the way it comes from sun it
will create the file 644 (obviously a bad thing).

If you don't have sun source, and you don't mind installing binaries that
have been built by someone else, anon FTP to bu.edu (128.197.2.6) and pick
up the file binary/security/rpc.yppasswdd.

Otherwise, create the directory /etc/security mode 700.  This will cause
the function issecure(3) to always return false for users other than root,
but I haven't seen any adverse effects (yet).  Neither have I tested it
much, though.  The reason that all of this is needed is that issecure()
looks like

	#define PASSWD_ADJ  "/etc/security/passwd.adjunct"
	issecure() {
	        /* "secure" simply means the caller can reach the adjunct file */
	        return (access(PASSWD_ADJ, F_OK) == 0);
	}

i.e. if /etc/security isn't searchable by the caller, the access() call
fails and issecure() answers "not secure" for that caller!

	bu-foo# ls -lga /etc/security
	total 24
	drwx--s--x  2 root     wheel         512 Mar 27 15:29 ./
	drwxr-sr-x  6 root     wheel        3584 Mar 27 04:46 ../
	-rw-------  1 root     wheel          62 Feb 27 13:00 group.adjunct
	-rw-------  1 root     wheel       10193 Mar 27 15:28 passwd.adjunct

Each entry from /etc/passwd has the encrypted password text commented out
and replaced with the magic token "##user" (the passwd routines now know
how to handle this new format).

	jdh:##jdh:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh

There is an entry in /etc/security/passwd.adjunct that contains the actual
encrypted text.

	jdh:aZw5eQq5n0o3k:::::

Make sure "rpc.pwdauthd" starts from rc.local on both the yp master AND
the yp clients (it starts right after rpc.lockd on our machine).

On the YP client, the passwd file ends as it usually does -- with the
string "+::0:0:::".  The client also has its own passwd.adjunct file (in
its own /etc/security dir, mode 711).

Ours looks like this

	root:GmXib0plXHJiY:::::
	nobody:*:::::
	daemon:*:::::
	sys:*:::::
	bin:*:::::
	uucp:*:::::
	news:*:::::
	ingres:*:::::
	sync::::::
	sysdiag:*:::::
	+::0:0:::

The group file mirrors the way the passwd file is set up (here the magic
token is different: "#$user").

	seven:#$seven:7:jdh,budd

and each entry in group.adjunct looks like this (there is only one colon
per line.)

	seven:*
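A consistency check for the split described above (passwd entries with "##user" tokens and group entries with "#$user" tokens against their adjunct files), as an added example that is not part of the original post or of Sun's C2 software; the sample file contents are constructed, and the `audit` and `audit_files` names are assumptions of this example:

```python
"""Audit a SunOS 4.0 "look aside" password/group split (added example, not
from the original post).  audit() checks that each public entry carries the
magic token for its own name and has a matching adjunct line, and that no
hash or lock text was left behind in the public file.  Samples are constructed."""

# Constructed samples in the formats shown above; "+" lines are YP markers.
PASSWD = """\
root:##root:0:1:Operator:/:/bin/csh
jdh:##jdh:3000:4940:Jason Heirtzler,x2780:/usr1/it/jdh:/bin/csh
budd:##jdh:3001:4940:token names the wrong user:/usr1/it/budd:/bin/csh
old:HASHLEFTBEHIND:3002:4940:hash still in passwd:/usr1/old:/bin/sh
ghost:##ghost:3003:4940:no adjunct line:/usr1/ghost:/bin/sh
+::0:0:::
"""
PASSWD_ADJUNCT = "root:GmXib0plXHJiY:::::\njdh:aZw5eQq5n0o3k:::::\nstray:*:::::\n+::0:0:::\n"
GROUP = "wheel:#$wheel:0:root\nseven:#$seven:7:jdh,budd\nstaff:*:10:\n"
GROUP_ADJUNCT = "wheel:*\nseven:*\n"

def audit(public_text, adjunct_text, token):
    """Return [(name, problem), ...]; an empty list means the split is clean."""
    problems, public, adjunct = [], set(), set()
    for line in public_text.splitlines():
        if not line or line[0] in "+-":          # NIS/YP include and exclude lines
            continue
        name, field = line.split(":")[:2]        # name and password/group-password field
        public.add(name)
        if not field.startswith(token):
            problems.append((name, "public file still holds a non-token field"))
        elif field != token + name:
            problems.append((name, f"token names {field[len(token):]}, not its own entry"))
    for line in adjunct_text.splitlines():
        if line and line[0] not in "+-":
            adjunct.add(line.split(":")[0])      # group.adjunct has just "name:*"
    for name in sorted(public - adjunct):
        problems.append((name, "no line in adjunct file"))
    for name in sorted(adjunct - public):
        problems.append((name, "adjunct line with no public entry"))
    return problems

def audit_files(public_path, adjunct_path, token):
    """Same check against files on disk, e.g. /etc/passwd and passwd.adjunct."""
    with open(public_path) as pub, open(adjunct_path) as adj:
        return audit(pub.read(), adj.read(), token)

if __name__ == "__main__":
    for label, pub, adj, tok in (("passwd", PASSWD, PASSWD_ADJUNCT, "##"),
                                 ("group", GROUP, GROUP_ADJUNCT, "#$")):
        for name, problem in audit(pub, adj, tok):
            print(f"{label}: {name}: {problem}")
```

Run it as root on the master and on each client after the switch; a clean run prints nothing, and any line it does print marks an entry whose secret or lock text is still world-readable or whose lookup will fail.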

Some SunOS 3 programs had to be recompiled to work correctly (anything
that uses the getpw???() stuff?), although nothing we built under 4.0 had
problems after we made the switch.

passwd.adjunct & group.adjunct are YP maps.  There is one minor syntax
error in /var/yp/Makefile -- a missing single quote in the c2secure rule.
It should be changed to read

   make 'NOPUSH=$(NOPUSH)' passwd.adjunct.time group.adjunct.time;\

Good luck!

Jason Heirtzler
Information Technology
Boston University
