- Newsgroups: comp.unix.ultrix
- Path: sparky!uunet!cis.ohio-state.edu!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!destroyer!ubc-cs!alberta!kakwa.ucs.ualberta.ca!acs.ucalgary.ca!honte.uleth.ca!xi.uleth.ca!senetza
- From: senetza@xi.uleth.ca (Len Senetza)
- Subject: Hesiod, Kerberos, and Password Changing (Oh My!)
- Message-ID: <senetza.711740927@honte>
- Sender: news@honte.uleth.ca (News System)
- Organization: University of Lethbridge
- Date: 21 Jul 92 17:48:47 GMT
- Lines: 33
-
- We found an interesting problem the other day. On our main server (the one
- with hesiod, kerberos and whatnot) we found that we could change passwords.
- In itself this is expected, but not the way we had it set up. Our
- /etc/svc.conf file had the following lines in it:
-
- auth=local,bind
- passwd=local
-
- This stopped people from logging in (we're a University lab and don't want
- students exploring the server) and I wrote a shell script to change passwords
- which would modify the passwd=local line to include bind.
-
- We found that you could do
-
- # passwd smith
-
- and have smith's password changed. Even without the passwd file being
- distributed by bind. After changing the auth=local,bind line to exclude bind,
- we could not change passwords anymore (without my script).
-
- The big question is "Why could we change passwords in the first place?" How
- could a lookup be done to retrieve the auth id number without the passwd
- database?
-
- --
- +-----------------------------------------------------------------------+
- | Leonard Senetza | E-Mail: senetza@alpha.uleth.ca |
- | Academic Consultant | senetza@hg.uleth.ca |
- | University of Lethbridge | Phone: 403-329-5162 FAX: 403-382-7108 |
- | Lethbridge, Alberta |-----------------------------------------|
- | Canada, eh? | Disclaimer: Why should I tell _them_? |
- | T1K 3M4 | What they don't know, can't fire me. |
- +-----------------------------------------------------------------------+
-