Ascend Archive

Re: (ASCEND) Radius & NIS+



> I've tried on the machine as root and the machine is Solaris 2.6, the
> passwd in nsswitch.conf is files nisplus. Here is the outcome when I
> try getent:
> 
> # getent passwd john  
> john:*NP*:1572:260:Wan Kai Wah:/u/j/john:/bin/tcsh
> 
> It seems that root can't get the encrypted password so that radius
> can't authenticate users!

Ah, NIS+...

NIS+ is intended to work as follows:

When a user authenticates, the authentication subsystem first retrieves
the user's NIS+ credentials from the cred.org_dir table. This includes
the encrypted DES key for the user.

The user's secret key is then decrypted using the password supplied. If
this process is successful, then we can now use Secure RPC (Remote
Procedure Calls) with the user's credentials.

Now we read the passwd entry from the passwd.org_dir table. The user
(remember, we can use Secure RPC in the name of the user now) can read
her/his own password (yes, even though root can't). Now the user can
be authenticated just as if we got the passwd entry from /etc/passwd
and /etc/shadow.

In this way, even root can not read other users' passwords or other
users' files (if using Secure NFS too). The goal is that you can have
machines spread all over, on untrusted people's desktops, etc., without
compromising your security.

Unfortunately, almost no third party software knows about this. Like
radiusd, they just attempt to do a getpwnam() or getspnam() on the
user in order to perform authentication and expect it to work.

What you need to do is allow root on your RADIUS server (and your
other server machine too, while you're at it) to have full disclosure
of the passwd.org_dir table. Here's how:

1. Assign a group owner to the passwd.org_dir table. You can check if
there already is one with 'niscat -o passwd.org_dir | grep "^Group"'.
Use nischgrp to make the assignment. You can use the admin.<your-domain>
group that usually already exists or another one you create via
nisgrpadm.

2. Put the RADIUS server into that NIS+ group. Check the current
members first with "nisgrpadm -l <group>.<domain>".

3. Set the group permissions of the passwd.org_dir table to allow
access by this group. (These permissions are similar to the middle
three bits of file permissions).

nischmod g+r passwd.org_dir

I may have missed something, but this should definitely get you most of
the way there.

-Phil
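As an added example (not part of Phil's message or anything from the Ascend list), here is a small POSIX shell audit for the table-level conditions in steps 1 and 3 above: it parses `niscat -o passwd.org_dir` output and reports whether a group owner is assigned, whether that group has read on the table, and whether unauthenticated (nobody) principals can read it. The sample output, its field layout (four "rmcd" quads for nobody, owner, group, world) and the example.com domain are assumed and constructed here; only table-level rights are checked, as in the steps above.

```shell
#!/bin/sh
# Constructed sample of `niscat -o passwd.org_dir` output (assumed Solaris 2.6
# layout): rights are 16 chars, "rmcd" quads for nobody, owner, group, world.
sample_niscat_o() {
  cat <<'EOF'
Object Name   : passwd
Directory     : org_dir.example.com.
Owner         : nisserver.example.com.
Group         : admin.example.com.
Access Rights : ----rmcdr---r---
Time to Live  : 12:0:0
Object Type   : TABLE
EOF
}

# Print the table's group owner from stdin (empty if none was set with nischgrp).
nis_group_owner() { sed -n 's/^Group *: *//p' | tr -d ' '; }

# Print the 16-character access-rights string from stdin.
nis_access_rights() { sed -n 's/^Access Rights *: *//p' | tr -d ' '; }

# Print the "rmcd" quad for one principal class (nobody|owner|group|world).
rights_quad() {
  case $2 in
    nobody) off=1 ;; owner) off=5 ;; group) off=9 ;; world) off=13 ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$1" | cut -c "${off}-$((off + 3))"
}

# Return 0 if the given class has the read (r) bit in the rights string.
class_can_read() {
  case $(rights_quad "$1" "$2") in r*) return 0 ;; *) return 1 ;; esac
}

# Audit niscat -o output on stdin: 0 only if a group owner exists, that group
# can read the table, and unauthenticated (nobody) principals cannot.
audit_passwd_table() {
  out=$(cat)
  grp=$(printf '%s\n' "$out" | nis_group_owner)
  rights=$(printf '%s\n' "$out" | nis_access_rights)
  [ -n "$grp" ] || { echo "no group owner: assign one with nischgrp"; return 1; }
  class_can_read "$rights" group || { echo "$grp lacks read: nischmod g+r"; return 1; }
  class_can_read "$rights" nobody && { echo "nobody may read the table"; return 1; }
  echo "ok: group $grp can read passwd.org_dir"
}

# In production: niscat -o passwd.org_dir | audit_passwd_table
sample_niscat_o | audit_passwd_table
```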
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>