|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
From 5eaad9c4c218d9a59f6930a29f5bee54235c4fab Mon Sep 17 00:00:00 2001
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
Date: Tue, 19 Jan 2016 07:37:46 +0200
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
Subject: [PATCH 10/12] nis: lock out accounts if nsAccountLock is TRUE
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
Add a rule that adds two bang characters in front of the password.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
When the password algorithm is defined as CRYPT and NIS is used to
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
authenticate users on other systems, there is no way to disable or lock
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
accounts. Traditional convention has been to put two bang (exclamation)
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
characters in front of the password, creating an impossible password
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
hash. This effectively locks the user account, preventing
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
authentication.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
All UNIX systems agree that for encrypted passwords presence of a
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
character which cannot be part of CRYPT password scheme renders
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
impossible to login to system with such password. However, not all
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
systems have meaning of locked accounts and even how these locked
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
accounts express themselves.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
There is certain controversy in what could be used to indicate locked
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
accounts:
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- GNU/Linux systems expect '!' as first character of the password field
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- FreeBSD expects '*LOCKED*' string at start of the password field
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- Various Solaris versions expect '*LOCK*' string at start of the
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
password field
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- NetBSD has no meaning of locked passwords via content of password field
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
Given that it is impossible to serve NIS maps with encrypted passwords
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
in a different way to different clients, standardize on '!!' scheme as
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
traditional among UNIX administrators.
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1298478
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
---
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
src/defs-nis.c | 10 +++++-----
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
diff --git a/src/defs-nis.c b/src/defs-nis.c
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
index 3d2b9e9..ad0e7dc 100644
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
--- a/src/defs-nis.c
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+++ b/src/defs-nis.c
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
@@ -52,17 +52,17 @@ static struct configuration {
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"passwd.byname", config_exact, FALSE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=posixAccount)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"%{uid}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- "%{uid}:%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+ "%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
":\r\n"},
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"passwd.byuid", config_exact, FALSE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=posixAccount)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"%{uidNumber}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- "%{uid}:%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+ "%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
":\r\n"},
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"shadow.byname", config_exact, TRUE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=shadowAccount)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"%{uid}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- "%{uid}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{shadowLastChange:-}:%{shadowMin:-}:%{shadowMax:-}:%{shadowWarning:-}:%{shadowInactive:-}:%{shadowExpire:-}:%{shadowFlag:-}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+ "%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{shadowLastChange:-}:%{shadowMin:-}:%{shadowMax:-}:%{shadowWarning:-}:%{shadowInactive:-}:%{shadowExpire:-}:%{shadowFlag:-}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
":\r\n"},
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"passwd.adjunct.byname", config_exact, TRUE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=shadowAccount)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
@@ -72,12 +72,12 @@ static struct configuration {
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"group.byname", config_exact, FALSE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=posixGroup)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"%{cn}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- "%{cn}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+ "%{cn}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
":,\r\n"},
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"group.bygid", config_exact, FALSE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=posixGroup)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"%{gidNumber}", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
- "%{cn}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{gidNumber}:%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
+ "%{cn}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{gidNumber}:%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
":,\r\n"},
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
{"netgroup", config_exact, FALSE, NULL,
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
"(objectClass=nisNetgroup)",
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
--
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
2.5.0
|
|
![](https://seccdn.libravatar.org/avatar/eca4d0658e293ac828929c05684948cb411ba891fa2ad2130aafa91b664e89ad?s=16&d=retro) |
6b9042 |
|