
Re: password aging with solaris



The deal is that NIS is little more than a way to push flat files around
between systems.  The version of BSD that SunOS was based on didn't have
password aging or shadow password files, so the programs don't know how to
handle the info if they were passed it.

When you set up NIS on Solaris (a version of the OS that knows about things
like password aging), NIS doesn't have the channels to communicate the extra
info, since it's only giving you information that you would understand if
you're an old SunOS box.

There are 2 ways to do what you want.
	o set up NIS+
	o hack it

Since you said you don't want to go to NIS+ (which I understand, I don't
know how many times I locked our users out when I was trying to figure out
NIS+), that leaves you with hack it.  There are several ways to hack it (here
are the two branches I can think of right now).
	o use depot or something like that to push out passwd/shadow files
	  pros: gives you all the features of password aging (like warnings on login)
	  cons: having a user change a password and reintegrating it is hard
	o build a database which you make the NIS tables out of
	  ie: the system looks like this.
	     Database -> report -> NIS files
	  pros: gives you the same system you have
	  cons: you don't get warnings from login

So then the question becomes what does your environment look like.   If it's
mostly people logging into workstations through dtlogin or something, then
method 2 wins as you can write a little client that runs every time you
login (and maybe stays running and rechecks every so often) and doesn't do
anything if you're okay on your password.  But if you're in the warn/deactivate
period, it flashes a message or something.

If you're a login-in-tty-mode shop, then you most likely want to use something
like method 1 since support for warning and everything is built in to
/bin/login.

johno

At 09:57 AM 8/27/98 -0500, Donna L. Butler wrote:
>We have the need to implement password aging within our Solaris
>environment using NIS (not NIS+). We understand we can do this
>with local /etc/shadow files, but this is impractical and we 
>want to do this with NIS. Sun states "officially" this can't be
>done using normal aging within straight NIS.
>
>Has anyone come up with a work around or method for accomplishing
>this -possibly the use of a third party product?
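
The login-time check from method 2 in the reply above, as an added example that is not part of the original message or of any Sun tool. It assumes the database "report" step writes one row per user in shadow(4) field order next to the NIS files; SAMPLE_REPORT, parse_report and check_aging are hypothetical names, and the rows are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample of the "report" step: one row per user in shadow(4)
# field order, name:passwd:lastchg:min:max:warn:inactive:expire:flag.
# Hashes are not needed for the aging check, so "x" stands in for them.
SAMPLE_REPORT = """\
alice:x:10440:7:90:14:::
bob:x:10385:7:90:14:::
carol:x:10372:7:90:14:::
dave:x:0:7:90:14:::
erin:x:10100::::::
"""

def _num(field):
    """Empty shadow fields mean 'not set'."""
    return int(field) if field.strip() else None

def parse_report(text):
    """Return {user: (lastchg, max_days, warn_days)} from the report."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError("short aging record: %r" % line)
        table[f[0]] = (_num(f[2]), _num(f[4]), _num(f[5]))
    return table

def check_aging(user, table, today):
    """Classify a user as ok / warn / deactivate and give days left."""
    if user not in table:
        return ("unknown", None)      # caller decides how to treat this
    lastchg, max_days, warn_days = table[user]
    if lastchg == 0:
        return ("deactivate", 0)      # lastchg 0: change forced at next login
    if lastchg is None or max_days is None or max_days < 0:
        return ("ok", None)           # aging not enabled for this account
    left = lastchg + max_days - (today - EPOCH).days
    if left < 0:
        return ("deactivate", left)   # password older than max days
    if warn_days is not None and left <= warn_days:
        return ("warn", left)         # inside the warning window
    return ("ok", left)

if __name__ == "__main__":
    table = parse_report(SAMPLE_REPORT)
    for name in table:
        print(name, *check_aging(name, table, date(1998, 8, 27)))
```

The client only reports state; changing the password still has to go back through the database so the next report and NIS push carry the new lastchg value.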