hi,
This may be of interest to you if you have Intel Linux systems and
Digital UNIX systems running at Enhanced (C2) security, and would like
them to be in the same NIS domain. If not, then it probably isn't.
I have made a set of modifications to the Linux C library (libc-4.6.27-6)
(a.out binary format) which allow Linux workstations to be clustered with
Digital UNIX systems running Enhanced Security via NIS. The new library
replaces the previous version (e.g. /lib/libc-4.6.27), and allows programs
like login, xdm, xlock etc... to access the prpasswd maps, without requiring
them to be recompiled. Just slot the library in, and away you go.
This was written in somewhat of a rush, so has been lightly tested.
(After we decided that upgrading our new DU servers to C2 security was a
'good idea', we found that all of our front-end workstations (Linux-i386
based) stopped working, because Linux knows nothing of DEC C2 security.
Feeling rather stupid at not spotting this before we upgraded all the
servers, we grabbed the linux library sources and started tinkering.
Surprisingly enough it does appear to work.)
Location:
ftp://mssly1.mssl.ucl.ac.uk/pub/linux/libc-c2/
Library binary Checksum = 27524 620 libc.so.4.6.27.c2 ( 634880 bytes)
Library Source Checksum = 07566 1881 libc-4.6.27-c2.tar.gz (1925879 bytes)
A shell script to install the library is there also called fix_libc. It
assumes the library lives in /lib and ldconfig lives in /sbin, which is
true for slackware 2.x type distributions.
Notes.
upside
1) tested between DU 3.2c Enhanced Security NIS master + Linux 1.2.13 (a.out)
2) no recompilation of system binaries required.
3) no modifications to the DU setup required.
4) Support for passwords > 8 characters using DEC's segmented password
encryption scheme, which is almost documented in the Security manual.
5) hands out prpasswd_nonsecure to non-root users, avoiding leakage of
encrypted passwords.
6) I'm not a digital employee, nor do I have any relationship with DEC
other than as a customer. I have had no access to any DU source code.
downside
1) It's a nasty hack at this stage.
2) No warranty express or implied, no acceptance of blame, use entirely at
your own risk, these changes are licensed under the same conditions
as the rest of the library, etc.
3) Audit trail information (last successful/unsuccessful login etc) is not
propagated back to NIS master.
4) Some binaries (xlock) need to be setuid root now to work. (consider this
carefully, as many such programs will not have been so designed.)
5) Password expiry/lifetime/etc controls not present/honoured. (requires
modifications to login/passwd binaries). This may apply to locked
accounts too.
6) If you install this library, it is likely that "normal", i.e. BASE security
NIS server access will stop working.
7) NIS client code only. This does not affect /etc/passwd on Linux, nor
does it even start to address TCB/C2 issues on Linux.
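Added example, not code from Andy's library or this post: the segmented scheme of upside item 4, taken here to be the "bigcrypt" construction that Digital's C2 password encryption is generally known by (an assumption about what the library implements). It chains the system's crypt(3) over 8-character segments, and shows how a stored 13-character hash is still checked against the first segment only. It assumes a libcrypt that still accepts traditional two-character DES salts.

```python
import ctypes
import ctypes.util
import hmac

SEG, SALT_LEN = 8, 2  # plaintext chars per segment; chars of salt

def _load_crypt():
    """Bind crypt(3): libcrypt on Linux, or the C library itself on BSD/macOS."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.restype, fn.argtypes = ctypes.c_char_p, [ctypes.c_char_p, ctypes.c_char_p]
        return fn
    raise RuntimeError("no crypt(3) found")

_crypt = _load_crypt()

def des_crypt(segment: str, salt: str) -> str:
    """Traditional 13-char crypt(3) of one segment (crypt itself ignores chars past 8)."""
    out = _crypt(segment.encode(), salt.encode())
    if out is None or len(out) != 13:  # libxcrypt built without DES yields NULL or "*0"
        raise RuntimeError("crypt(3) does not support traditional DES salts here")
    return out.decode()

def segmented_crypt(password: str, salt: str) -> str:
    """Segment 0 is the full 13-char crypt(3) under the given salt.  Each later
    8-char segment is crypt(3)ed under a salt formed from the first two chars of
    the previous segment's 11-char hash body and stored without its own salt, so
    the result is 13 + 11 * (segments - 1) chars long (assumed bigcrypt layout)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be two characters")
    segments = [password[i:i + SEG] for i in range(0, max(len(password), 1), SEG)]
    result = des_crypt(segments[0], salt)
    prev_body = result[SALT_LEN:]
    for seg in segments[1:]:
        body = des_crypt(seg, prev_body[:SALT_LEN])[SALT_LEN:]
        result += body
        prev_body = body
    return result

def verify(password: str, stored: str) -> bool:
    """Constant-time check; a 13-char stored value is plain crypt(3), first segment only."""
    if len(stored) == 13:
        candidate = des_crypt(password[:SEG], stored[:SALT_LEN])
    else:
        candidate = segmented_crypt(password, stored[:SALT_LEN])
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

Because each segment is hashed on its own, two passwords with the same salt and the same first eight characters share the first 13 characters of their hashes; that is a limitation of extending crypt(3) this way, not of the Linux port.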
I will probably produce an ELF version when we upgrade to ELF sometime
this spring/summer. By then these changes may have reached the main-line
of linux library development. Or then again, maybe not.
Two comments for any DEC guys:
a) The Security Manual is badly written. The section on getting NIS and
C2 to work together is crap. It took us a long time to figure what
on earth was going on. A nice diagram like

    Auth database      Local                  NIS
    BASE               /etc/passwd            /var/yp/src/passwd
    Enhanced           /tcb/files/auth/*      /var/yp/src/prpasswd

    User info database Local                  NIS
    BASE               /etc/passwd            /var/yp/src/passwd
    Enhanced           ??                     /var/yp/src/passwd

would have helped. We ended up having to delete all the /tcb entries
we made by hand. And that crummy script (Example 8-1) for making
prpasswd entries from /tcb/files should have been online (and it is
missing '\' characters on lines 3 and 4).
b) Cheap Alpha motherboards for running Linux (same price as a
Pentium 133/150)? Soon? All the ones I've seen have been expensive.
(Dr Tom Blinn; I seem to recall you mentioning a Pentium beater
several (many?) months ago. Is this still on the cards?)
Cheers,
andy.
--
atp_at_mssly1.mssl.ucl.ac.uk Andy Phillips
atp_at_mssl.ucl.ac.uk Mullard Space Science Laboratory,
phillips_at_isass1.solar.isas.ac.jp Dept. Space and Climate Physics,
mssly1::atp University College London.
Received on Sat Feb 17 1996 - 23:28:05 NZDT