Red Hat Bugzilla – Bug 87458
passwd may modify nis passwd using wrong encryption scheme
Last modified: 2007-11-30 17:10:31 EST
Description of problem:
/usr/bin/passwd will recognise a NIS account and modify the NIS password, but it
uses the encryption scheme of the local machine, which might not match the scheme
on the NIS server.
For example, if the localhost is using MD5 passwords but the NIS server is using
crypt, using /usr/bin/passwd to change the NIS password will result in an MD5
encrypted password on the NIS server. While logins on the localhost will still
succeed, logins on other hosts on the network will fail unless they can also
handle MD5 encrypted passwords.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a NIS server serving crypt passwords
2. Set up a NIS client with MD5 passwords
3. Log in to the client as a NIS account and change the password with /usr/bin/passwd
Actual Results: The password on the NIS server will be MD5 encrypted
Expected Results: The password should be encrypted according to the scheme on
the server not on any clients.
yppasswd works correctly. It will produce crypt passwords on the NIS server
even if run from a host configured with MD5 passwords.
It's often necessary to have crypt passwords on a NIS server for
interoperability with other Unix variants. On the other hand it's desirable to
use MD5 passwords on clients to protect the root password and any other non NIS
This would be too hard to get right. And a workaround is pretty simple - either
set up the client machines to use the same type of passwords or remove the nis
option from /etc/pam.d/system-auth on the client machines -> passwd will not
change the NIS passwords at all and tell the users to use yppasswd.
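Alongside the workaround, it is useful to know which NIS accounts already carry an MD5 hash in a map that is meant to hold crypt hashes. The following is an added example, not part of the bug report or of passwd/PAM: it classifies the password field of each entry in `ypcat passwd`-style text. The function names and the sample entries are constructed for illustration.

```python
import re

# Password-field formats produced by crypt(3).
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt: 2-char salt + 11
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # MD5 crypt


def classify_hash(field):
    """Return the scheme name for one passwd-map password field."""
    if field in ("", "x") or field.startswith(("!", "*")):
        return "locked-or-empty"
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_passwd_map(text, expected="des"):
    """Return [(user, scheme)] for entries whose hash is not `expected`."""
    mismatches = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:  # name:passwd:uid:gid:gecos:home:shell
            mismatches.append((f"<malformed line {lineno}>", "unparsed"))
            continue
        scheme = classify_hash(fields[1])
        if scheme not in (expected, "locked-or-empty"):
            mismatches.append((fields[0], scheme))
    return mismatches


# Constructed sample map; the hash fields are placeholders, not real hashes.
DES_SAMPLE = "ab" + "X" * 11
MD5_SAMPLE = "$1$saltsalt$" + "X" * 22
SAMPLE_MAP = "\n".join([
    f"alice:{DES_SAMPLE}:1001:100:Alice:/home/alice:/bin/sh",
    f"bob:{MD5_SAMPLE}:1002:100:Bob:/home/bob:/bin/sh",
    "carol:*:1003:100:Carol:/home/carol:/bin/sh",
])

if __name__ == "__main__":
    for user, scheme in audit_passwd_map(SAMPLE_MAP):
        print(f"{user}: stored as {scheme}, map expects des")
```

Accounts it reports against a crypt-only map are the ones whose logins fail on hosts that cannot handle MD5 passwords; resetting them with yppasswd stores a crypt hash again.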