Bug 470002 - yppasswd uses weak password hash and ignores system-config-authentication
yppasswd uses weak password hash and ignores system-config-authentication
Product: Fedora
Classification: Fedora
Component: yp-tools (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Vitezslav Crhonek
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-11-05 02:37 EST by Dr. Tilmann Bubeck
Modified: 2008-11-07 04:18 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-07 04:18:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Dr. Tilmann Bubeck 2008-11-05 02:37:44 EST
Description of problem:

Using "yppasswd" to change a password on a NIS server generates a password hash and enters it into /etc/shadow. But is uses the standard crypt password hash (outdated) and ignores my setting in system-config-authentication to use SHA512.

When I use "passwd" on the NIS server directly, then SHA512 will be used.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install NIS server
2. log into NIS client
3. change pw using yppasswd
4. Use "ypcat passwd" to see, that wrong hash function was used.

Actual results:
a crypt hashed password

Expected results:
A SHA512 hashed password

Additional info:
Comment 1 Vitezslav Crhonek 2008-11-07 04:18:08 EST

Yes, NIS is old and insecure by design. Users are advised to use newer and more secured software, e. g. LDAP.

From man yppasswd:

"In  the old days, the standard passwd(1), chfn(1) and chsh(1) tools could not be used under Linux to change the users NIS password, shell and GECOS information. For changing the NIS information, they were replaced by  their  NIS  counterparts, yppasswd, ypchfn and ypchsh.

Today, this versions are deprecated and should not be used any longer."

Note You need to log in before you can comment on or make changes to this bug.