NIS yppasswd: migrating hashes from crypt to md5
Imagine a NIS user database /var/yp/input-files/passwd consisting of old crypt DES hashes. The aim is to migrate this database to md5 or sha hashes. When changing a password using yppasswd, it is generated using the same algorithm as for the existing entry (probably for legacy reasons), i.e. crypt stays crypt, md5 stays md5.
Our current plan is to write a special password change script wrapping yppasswd. Is there a more elegant way to tell yppasswd to generate changed passwords in md5 format by default?
Comments (2)
I figured it out by now:
apt-get source nis
under Debian. int has_md5_passwd = 0;
by int has_md5_passwd = 1;
in the beginning of int main (int argc, char **argv)
yppasswd then always creates md5 hashes.
Recent Linux distributions support NIS password updates through PAM, which means you can use the local passwd program instead of yppasswd. This also means that you can configure the hash algorithm, which is still (as of yp-tools 2.12) not possible with yppasswd.
Your system should have an /etc/pam.d/passwd file, which will either contain or, more likely, refer to another file that contains a line of the form:
The second field might differ, and there might be other parameters at the end, but you want the password line that loads pam_unix.so and it should have at least the nis parameter as well as a hash function appropriate to your NIS server (md5, sha256, etc.)
Your distribution might have a better way of configuring this, though, so make sure your changes aren't going to be overwritten by an automated process later.
On RedHat-derived systems (including at least RHEL, CentOS, Scientific Linux, and Fedora), you need to use the authconfig program with at least the --enablenis parameter. For the above scenario with MD5 hashes, the following command line would be sufficient:
On Debian systems (and possibly Debian derivatives, but I can't check at the moment), the proper way to do this appears to be to copy /usr/share/pam-configs/unix to something else (say, /usr/share/pam-configs/nis), edit the new file to give it appropriate settings and a new profile name, then run pam-auth-update, disable the "Unix authentication" profile and enable your new profile.
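To track the migration the question describes and to confirm the PAM setup from the second answer, the following added example (not part of either answer or of yp-tools) classifies each entry of a passwd-format file by hash scheme and reads the hash option from a pam_unix.so password line that carries nis. The function names, sample accounts, hashes and the sample PAM line are constructed for illustration.

```shell
#!/bin/sh
# classify_hashes FILE: print "user scheme" per entry (hypothetical helper).
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2; p = substr(h, 1, 3)
            if (p == "$1$")      s = "md5"
            else if (p == "$5$") s = "sha256"
            else if (p == "$6$") s = "sha512"
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
            else s = "other"    # locked (*, !), shadowed (x), empty, unknown
            print $1, s
        }' "$1"
}

# count_legacy FILE: number of entries still using traditional DES crypt.
count_legacy() {
    classify_hashes "$1" | awk '$2 == "des" { n++ } END { print n + 0 }'
}

# pam_nis_hash FILE: print the hash option of a pam_unix.so "password" line
# that also has "nis"; exit status 1 when no such line exists.
pam_nis_hash() {
    awk '
        $1 == "password" && /pam_unix\.so/ {
            nis = 0; alg = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "nis") nis = 1
                if ($i == "md5" || $i == "sha256" || $i == "sha512") alg = $i
            }
            if (nis && alg != "") { print alg; found = 1 }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample input (not real accounts or hashes).
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
alice:ab01234567890:1001:100:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijkl:1002:100:Bob:/home/bob:/bin/sh
carol:$6$saltsalt$abcdefabcdef:1003:100:Carol:/home/carol:/bin/sh
dave:*:1004:100:Dave:/home/dave:/bin/false
EOF
printf 'password sufficient pam_unix.so md5 shadow nis use_authtok\n' > "$sample_dir/pam"

classify_hashes "$sample_dir/passwd"
echo "legacy DES entries: $(count_legacy "$sample_dir/passwd")"
echo "hash used for NIS updates: $(pam_nis_hash "$sample_dir/pam")"
```

Run against the real map source, a count_legacy result above zero means some accounts have not changed their password since the switch and still carry DES hashes.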