Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!inferno.mpx.com.au!news.mel.aone.net.au!imci4!newsfeed.internetmci.com!news.msfc.nasa.gov!sol.ctr.columbia.edu!startide.ctr.columbia.edu!wpaul
From: wpaul@ctr.columbia.edu (Bill Paul)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: YP/NIS on FreeBSD/Linux/NeXT
Date: 20 Feb 1996 14:50:11 GMT
Organization: Columbia University Center for Telecommunications Research
Lines: 71
Message-ID: <4gcn33$on2@sol.ctr.columbia.edu>
References: <4ffaq7$7jg@myntti.helsinki.fi> <4gb5l1$d34@uriah.heep.sax.de>
NNTP-Posting-Host: startide.ctr.columbia.edu
X-Newsreader: TIN [version 1.2 PL2]

Daring to challenge the will of the almighty Leviam00se, J Wunsch
(j@uriah.heep.sax.de) had the courage to say:
: kjellman@cc.helsinki.fi (Janne P Kjellman) writes:

: > Is there a difference in password coding with Free[BSD], Linux,
: > etc??

: Most likely. According to the opinion of some US legal people, you
: can apparently shoot someone with the beloved DES encryption code,
: hence it accounts as ``ammunition'' and is restricted from being
: exported out of US. (Even if it's written outside, you can import,
: but not re-export it. Call it braindead if you want.)

: Hence FreeBSD's default password encryption is not DES. (Most likely,
: Linux' is neither, but i don't know.) Poul-Henning Kamp developed a
: password encryption algorithm based on the MD5 algorithm. This one is
: believed to be even stronger than DES, but naturally incompatible.
: The positive effect is that MD5 counts as ``authentication'' software
: only and is therefore not affected by the ammunition law.

: For a non-US plug-in source of DES and all the other stuff around it,
: have a look at ftp.internat.freebsd.org.

Just FYI (I missed the start of this thread): FreeBSD's YP/NIS software
will work just as well with either DES or MD5 passwords. However, you
have to remember to stay consistent across the entire domain.
This means that if some of the machines in your NIS domain use the DES
crypt() function, then they all have to. If you're using nothing but
FreeBSD machines on your network, then you don't really have to do
anything special. But if you intend to mix FreeBSD machines with
commercial systems (Sun, SGI, HP, IBM, DEC, whatever) or Linux (with
DES), then you need to install the DES libcrypt on the FreeBSD machines
so they can all understand the same passwords.

This is especially critical if your NIS master server is a FreeBSD
machine: yppasswdd runs on the NIS master -- if it only understands MD5
passwords and it gets a request from a client that's using DES, it'll
always return failure.

Also, if you plan to use non-FreeBSD clients with FreeBSD servers, you
will need to edit /var/yp/Makefile on the NIS master server and
uncomment the line that says UNSECURE=True. If you don't do this, the
passwd.bywhatever maps will have * in the password fields instead of
valid encrypted passwords.

Technically it is possible to mix and match clients since FreeBSD uses
a shadow password system that requires a second set of maps (they're
called master.passwd.byname and master.passwd.byuid). What you could do
is put MD5 passwords in the master.passwd maps and regular DES passwords
in the standard passwd maps (which is what everybody else looks for).
FreeBSD-current now has a 'dual personality' crypt() function that
understands either password format, so provided you had the DES package
installed on the NIS servers, you might be able to mix both types of
systems. Unfortunately, there isn't a supported mechanism in place to
handle this at the moment. It's also tricky to do if you already have a
set of encrypted passwords that you want to put into an NIS map; how are
you going to convert them to DES if you don't know the original
passwords?

-Bill

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
License error: The license for this .sig file has expired. You must obtain
a new license key before any more witty phrases will appear in this space.
=============================================================================
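
The consistency requirement described in the post can be checked mechanically. The following is an added example, not part of the original post or of FreeBSD: it classifies the password field of each entry in passwd-format map text (for instance the output of `ypcat passwd`) as DES, MD5 or `*`-masked and reports a mixed or fully masked map. The function names and the sample entries are this example's own.

```python
import re
from collections import Counter

# Traditional DES crypt(): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-based crypt(): $1$<salt, up to 8 chars>$<22 hash chars>.
MD5_RE = re.compile(r"^\$1\$[^$:]{0,8}\$[./0-9A-Za-z]{22}$")


def classify(field):
    """Name the format of one passwd-style password field."""
    if DES_RE.match(field):
        return "des"
    if MD5_RE.match(field):
        return "md5"
    if field.startswith("*"):
        return "masked"   # what a map built without UNSECURE=True carries
    return "empty" if field == "" else "unknown"


def audit_map(text):
    """Return (counts, users_by_format, findings) for passwd-format map text."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue      # not a passwd (7 fields) or master.passwd (10) entry
        users.setdefault(classify(parts[1]), []).append(parts[0])
    counts = Counter({fmt: len(names) for fmt, names in users.items()})
    findings = []
    if counts["des"] and counts["md5"]:
        findings.append("mixed DES and MD5 hashes in one map")
    if counts["masked"] and not (counts["des"] or counts["md5"]):
        findings.append("every password field is masked with *")
    return counts, users, findings


# Constructed sample map; the hash strings are made up, not real crypt() output.
SAMPLE = "\n".join([
    "alice:cdExAmPlEhAsH:1001:100:Alice:/home/alice:/bin/sh",
    "bob:$1$constrct$" + "Ab./" * 5 + "xy:1002:100:Bob:/home/bob:/bin/csh",
    "carol:*:1003:100:Carol:/home/carol:/bin/sh",
])

if __name__ == "__main__":
    counts, users, findings = audit_map(SAMPLE)
    for fmt, names in sorted(users.items()):
        print(f"{fmt:8} {', '.join(names)}")
    print("\n".join("WARNING: " + f for f in findings))
```

Run against the standard passwd map and, separately, the master.passwd map, it shows which format each set of clients will actually be handed.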