Bug 87458

Summary: passwd may modify nis passwd using wrong encryption scheme
Product: [Fedora] Fedora
Reporter: Ian Mortimer <i.mortimer>
Component: passwd
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Last Closed: 2005-04-07 16:46:11 UTC

Description Ian Mortimer 2003-03-27 02:20:37 UTC

Description of problem:
/usr/bin/passwd will recognise a NIS account and modify the NIS password, but it
uses the encryption scheme of the local machine, which might not match the scheme
on the NIS server.

For example, if the localhost is using MD5 passwords but the NIS server is using
crypt, using /usr/bin/passwd to change the NIS password will result in an MD5
encrypted password on the NIS server. While logins on the localhost will still
succeed, logins on other hosts on the network will fail unless they can also
handle MD5 encrypted passwords.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up a NIS server serving crypt passwords
2. Set up a NIS client with MD5 passwords
3. Log in to the client as a NIS account and change the password with /usr/bin/passwd

Actual Results: The password on the NIS server will be MD5 encrypted

Expected Results: The password should be encrypted according to the scheme on
the server, not on any clients.

Additional info:

yppasswd works correctly. It will produce crypt passwords on the NIS server
even if run from a host configured with MD5 passwords.

It's often necessary to have crypt passwords on a NIS server for
interoperability with other Unix variants. On the other hand, it's desirable to
use MD5 passwords on clients to protect the root password and any other non-NIS
account passwords.

Comment 1 Tomas Mraz 2005-04-07 16:46:11 UTC
This would be too hard to get right. And a workaround is pretty simple - either
set up the client machines to use the same type of passwords or remove the nis
option from /etc/pam.d/system-auth on the client machines -> passwd will not
change the NIS passwords at all and tell the users to use yppasswd.
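
An added example, not part of the original report or of the passwd package: a small audit that reads a NIS passwd map in passwd(5) format (for instance the output of `ypcat passwd`) and lists the accounts whose hash scheme differs from the one the server is expected to hold, which is how the mismatch described above shows up in the map. The sample entries, the function names and the `expected` parameter are constructed for illustration.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(hash_field):
    """Return the crypt scheme name for a passwd-map password field."""
    if hash_field == "x" or hash_field[:1] in ("*", "!"):
        return "locked-or-shadowed"
    if hash_field.startswith("$1$"):
        return "md5"  # MD5-crypt, as written by a client configured for MD5
    if DES_RE.match(hash_field):
        return "des"
    return "unknown"  # empty field or a scheme this check does not know


def audit(map_lines, expected="des"):
    """Return sorted (user, scheme) pairs whose hash is not the expected scheme."""
    mismatches = []
    for line in map_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = classify(fields[1])
        if scheme not in (expected, "locked-or-shadowed"):
            mismatches.append((fields[0], scheme))
    return sorted(mismatches)


# Constructed sample map; none of these accounts or hashes are real.
SAMPLE_MAP = """\
alice:abJnggxhB/yWI:1001:100:Alice:/home/alice:/bin/bash
bob:$1$Xy3kQ9aL$7tGmB0qVnE2sRfU1wZcHd/:1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Carol:/home/carol:/bin/false
dave:zzQ4mP1.tK9uE:1004:100:Dave:/home/dave:/bin/bash
""".splitlines()

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_MAP):
        print(f"{user}: {scheme} hash in a map expected to hold des")
```

Accounts it reports are the ones that will fail to log in on hosts that only understand the server's scheme; resetting them with yppasswd restores a hash in the server's format.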