SCCS revision history:
| Version | Date | Author | Comment |
|---|---|---|---|
| 1.6 | 98/07/20 15:36:12 | clyde | Update with latest stuff, spell check |
| 1.5 | 98/07/16 09:09:23 | clyde | Update OS notes |
| 1.4 | 98/07/08 09:37:19 | clyde | Minor revisions |
| 1.3 | 98/07/02 15:43:24 | clyde | Suck in old "Open Issues" text |
| 1.2 | 98/06/26 09:56:22 | clyde | Fix signature |
| 1.1 | 98/06/24 17:15:25 | clyde | date and time created 98/06/24 17:15:25 by clyde |

UNIX platforms and features which npasswd is known to support:

| UNIX platform | Supported features |
|---|---|
| SunOS 5 (Solaris 2) | Shadow passwords, NIS passwords |
| SunOS 4 (Solaris 1) | Adjunct passwords, Secure RPC, NIS passwords |
| Digital UNIX (OSF/1) 3.X and 4.X | Enhanced security, NIS passwords |
| HP-UX | Enhanced security*, NIS passwords |
| AIX 4 | Shadow passwords*, NIS passwords |

*See below

Npasswd does not support NIS+.
Getting passwords out of NIS+ is easy, and even updating them is straightforward. NIS+ credentials are complicated to manage.
It is possible but not a good idea to have the login password and the NIS+ key phrase be different. Hence, when the login password is changed, the key phrase should be updated. The API for doing this has changed in every version of Solaris, and was undocumented.
There is an application which does this (nisaddcred), but it either takes the key phrase from the command line or reads it from /dev/tty. Neither choice is suitable for use by npasswd.
Probably the Pluggable Authentication Module (PAM) facility could be used to do this.
Support for shadow passwords is included, but has been only lightly tested.
AIX 4.1 has many password restrictions which can be set per-user or system wide. These include lexical requirements, dictionary searches (though not nearly as vigorous as that done by npasswd) and a hook for external password check modules. Judicious use of these restrictions should result in passwords which are harder to crack.
You may desire to tune these password restrictions first before converting to npasswd.
The word lists from this distribution could be used as password check dictionaries.
A future release may have a password check module which can be inserted into the external password check hook.
There are a number of other password restrictions available on AIX 4, and a password history mechanism, none of which are supported by npasswd.
Password history in a NIS map (or NIS+ table) would work much better for a cluster, rather than sharing a history file with NFS. One approach would be to define an RPC service to query and update password history, and provide a daemon, which would be started at boot time on the system having the password file.
The major UNIX vendors have security facilities which should facilitate the development of programs such as npasswd. The mechanisms are often complex, and sometimes the API is not well documented and sample code is not available.
Hence, npasswd makes minimal use of such facilities.