authorAlexander Bokovoy <abokovoy@redhat.com>2016-01-19 07:37:46 +0200
committerAlexander Bokovoy <abokovoy@redhat.com>2016-01-26 13:38:44 +0200
commit5eaad9c4c218d9a59f6930a29f5bee54235c4fab (patch)
treef9be439428244f346be96c989cd2a712f1f83ba3
parent3aaf4941fc17df388c43776eda6d41f62017a143 (diff)
nis: lock out accounts if nsAccountLock is TRUE
Add a rule that adds two bang characters in front of the password. When the password algorithm is defined as CRYPT and NIS is used to authenticate users on other systems, there is no way to disable or lock accounts. Traditional convention has been to put two bang (exclamation) characters in front of the password, creating an impossible password hash. This effectively locks the user account, preventing authentication. All UNIX systems agree that, for encrypted passwords, the presence of a character which cannot be part of the CRYPT password scheme makes it impossible to log in to the system with such a password. However, not all systems have a notion of locked accounts, and those that do differ in how locked accounts are expressed. There is some controversy over what could be used to indicate locked accounts: - GNU/Linux systems expect '!' as the first character of the password field - FreeBSD expects the '*LOCKED*' string at the start of the password field - Various Solaris versions expect the '*LOCK*' string at the start of the password field - NetBSD has no notion of locked passwords via the content of the password field Given that it is impossible to serve NIS maps with encrypted passwords in a different way to different clients, standardize on the '!!' scheme as traditional among UNIX administrators. Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1298478
-rw-r--r--src/defs-nis.c10
1 files changed, 5 insertions, 5 deletions
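--- a/src/defs-nis.c
+++ b/src/defs-nis.c
@@ -52,17 +52,17 @@ static struct configuration {
 {"passwd.byname", config_exact, FALSE, NULL,
 "(objectClass=posixAccount)",
 "%{uid}", NULL,
-"%{uid}:%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
+"%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
 ":\r\n"},
 {"passwd.byuid", config_exact, FALSE, NULL,
 "(objectClass=posixAccount)",
 "%{uidNumber}", NULL,
-"%{uid}:%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
+"%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%ifeq(\"objectClass\",\"shadowAccount\",\"x\",\"%regsubi(\\\"%{userPassword}\\\",\\\"^\\\\\\\\{CRYPT\\\\\\\\}(..*)\\\",\\\"%1\\\",\\\"*\\\")\"):%regmatch(\"%{uidNumber}\",\"[0-9]+\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%{gecos:-%{cn:-}}:%{homeDirectory:-/}:%{loginShell:-" _PATH_BSHELL "}", NULL,
 ":\r\n"},
 {"shadow.byname", config_exact, TRUE, NULL,
 "(objectClass=shadowAccount)",
 "%{uid}", NULL,
-"%{uid}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{shadowLastChange:-}:%{shadowMin:-}:%{shadowMax:-}:%{shadowWarning:-}:%{shadowInactive:-}:%{shadowExpire:-}:%{shadowFlag:-}", NULL,
+"%{uid}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{shadowLastChange:-}:%{shadowMin:-}:%{shadowMax:-}:%{shadowWarning:-}:%{shadowInactive:-}:%{shadowExpire:-}:%{shadowFlag:-}", NULL,
 ":\r\n"},
 {"passwd.adjunct.byname", config_exact, TRUE, NULL,
 "(objectClass=shadowAccount)",
@@ -72,12 +72,12 @@ static struct configuration {
 {"group.byname", config_exact, FALSE, NULL,
 "(objectClass=posixGroup)",
 "%{cn}", NULL,
-"%{cn}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
+"%{cn}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%regmatch(\"%{gidNumber}\",\"[0-9]+\"):%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
 ":,\r\n"},
 {"group.bygid", config_exact, FALSE, NULL,
 "(objectClass=posixGroup)",
 "%{gidNumber}", NULL,
-"%{cn}:%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{gidNumber}:%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
+"%{cn}:%ifeq(\"nsAccountLock\",\"TRUE\",\"!!\",\"\")%regsubi(\"%{userPassword}\",\"^\\\\{CRYPT\\\\}(..*)\",\"%1\",\"*\"):%{gidNumber}:%merge(\",\",\"%{memberUid}\",\"%deref_r(\\\"member\\\",\\\"uid\\\")\",\"%deref_r(\\\"uniqueMember\\\",\\\"uid\\\")\")", NULL,
 ":,\r\n"},
 {"netgroup", config_exact, FALSE, NULL,
 "(objectClass=nisNetgroup)",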
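Review bot: The lock in each of the five new rule lines (this hunk's group.byname and group.bygid lines, and the passwd.byname, passwd.byuid and shadow.byname lines in the earlier hunk) fails open: the "!!" prefix is emitted only when nsAccountLock compares equal to the literal "TRUE", so an entry carrying "true" or no attribute at all is served with its hash unchanged unless %ifeq compares case-insensitively, which nothing in the hunk shows. If %ifeq is a plain string comparison, either accept the lowercase spelling as well or record the exact-match requirement next to the rules, e.g. `/* nsAccountLock must be exactly "TRUE" to emit the "!!" lock prefix; any other value serves the hash unchanged */`. For shadowAccount entries the passwd maps now emit "!!x" rather than "x"; this still yields an unusable hash, but it may stop clients from consulting shadow.byname, so a one-line comment stating that this is intended would help the next reader. The `struct configuration` initializer these lines belong to starts and ends outside both hunks.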