Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Greg Hudson <ghudson@MIT.EDU>
From: Kevin P. Neal <kpneal@pobox.com>
List: tech-security
Date: 10/12/1998 17:28:21
At 11:02 AM 10/12/98 EDT, Greg Hudson wrote:
>> The problem is the Hesiod distribution only comes with the Hesiod
>> library routines which replace getpw*; they don't tell you how to
>> put those routines _in your operating system_, which is the really
>> tricky part.
>
>> Obviously, people have done this, but they either don't share their
>> work or it's in a non-obvious place.
>
>What we actually do at Athena is modify the login system to fetch
>Hesiod passwd entries and add them to the local passwd database. The
>code we use to do this is freely redistributable
>(http://web.mit.edu/afs/dev.mit.edu/source/src-current/athena/lib/al
>for starters) but no particular effort has been made to make it
>applicable to non-Athena sites, or to package it for external
>distribution.
NCSU did something very similar. A special login is installed on dialups.
When a user logs in they are added to /etc/passwd, tokens acquired, and
their home directory is attached (with the 'attach' command no less).
The reverse happens on logout.
A special xdm was actually written (not from scratch) to do the same deal on
a lab workstation.
They even added in code to support /etc/hosers.local to keep people off of
specific machines. Plus a form of ACLs is implemented in Hesiod records to
allow accounts to be granted access to large numbers of machines (example
groups include fall98, csc_f98, csc_staff, engr_f98). It's very cool.
For the longest time the source was a guarded secret. I'll look around and
see if I can find it.
Also,
>but no particular effort has been made to make it
>applicable to non-Athena sites, or to package it for external
>distribution.
Same deal at NCSU.
Oh, and similarities between Project Athena and NCSU's (the old name was)
"Project Eos" are no coincidence: I've got old books describing how NCSU
based it's system on Athena. I'm sure there's lots of divergence by now.
Does anybody else think it's pretty silly that admins everywhere have to
come up with this stuff at every site? How come nobody ever packaged it all
together?
--
Kevin P. Neal http://www.pobox.com/~kpn/
'You know, I think I can hear the machine screaming from here... \
"help me! hellpp meeeee!"' - Heather Flanagan, 14:52:23 Wed Jun 10 1998