|Summary:||passwd may modify nis passwd using wrong encryption scheme|
|Product:||[Fedora] Fedora||Reporter:||Ian Mortimer <i.mortimer>|
|Component:||passwd||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED WONTFIX||QA Contact:||Mike McLean <mikem>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2005-04-07 16:46:11 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Ian Mortimer 2003-03-27 02:20:37 UTC
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003 Description of problem: /usr/bin/passwd will recognise a nis account and modify the nis password but it uses the encryption scheme of the local machine which might not match the scheme on the nis server. For example if the localhost is using MD5 passwords but the NIS server is using crypt, using /usr/bin/password to change the NIS password will result in an MD5 encrypted password on the NIS server. While logins on the localhost will still succeed, logins on other hosts on the network will fail unless they can also handle MD5 encrypted passwords. Version-Release number of selected component (if applicable): 0.67-3 How reproducible: Always Steps to Reproduce: 1.setup a nis server serving crypt passwords 2.setup a nis client with MD5 passwords 3.login to the client as a NIS account and change the password with /usr/bin/passwd Actual Results: The password on the NIS server will be MD5 encrypted Expected Results: The password should be encrypted according to the scheme on the server not on any clients. Additional info: yppasswd works correctly. It will produce crypt passwords on the NIS server even if run from a host configured with MD5 passwords. It's often necessary to have crypt passwords on a NIS server for interoperability with other Unix variants. On the other hand it's desirable to use MD5 passwords on clients to protect the root password and any other non NIS account passwords.
Comment 1 Tomas Mraz 2005-04-07 16:46:11 UTC
This would be too hard to get right. And a workaround is pretty simple - either setup the client machines to use the same type of passwords or remove the nis option from /etc/pam.d/system-auth on the client machines -> passwd will not change the NIS passwords at all and tell the users to use yppasswd.