Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Greg Hudson <ghudson@MIT.EDU>
List: tech-security
Date: 10/12/1998 11:02:37
> The problem is the Hesiod distribution only comes with the Hesiod
> library routines which replace getpw*; they don't tell you how to
> put those routines _in your operating system_, which is the really
> tricky part.

> Obviously, people have done this, but they either don't share their
> work or it's in a non-obvious place.

What we actually do at Athena is modify the login system to fetch
Hesiod passwd entries and add them to the local passwd database.  The
code we use to do this is freely redistributable
(http://web.mit.edu/afs/dev.mit.edu/source/src-current/athena/lib/al
for starters) but no particular effort has been made to make it
applicable to non-Athena sites, or to package it for external
distribution.

This approach has some minor problems: it assumes that you have an
authoritative local passwd file in /etc/master.passwd.local, so a
machine administrator can't edit the passwd file with the usual
utilities (we provide a wrapper around "passwd" to help out).  Also,
we've had occasional problems where programs like sendmail will try to
do a passwd lookup after the user has logged out and been removed from
the passwd database.

I'm hoping that, some day, most operating systems will provide either
Hesiod support or adequate hooks in their getpw*() functions.  Then
people could use Hesiod just like they use yp now.  Right now I think
only Solaris and Linux (with glibc) have adequate hooks, and nobody
has native Hesiod support.  I despair of ever seeing anything adequate
in operating systems like IRIX.
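A small model of the login-time merge described above, added here as an illustration and not the Athena al library code. It assumes Hesiod passwd records use the colon-separated passwd(5) layout and treats the local file as authoritative, so a directory record is never allowed to take over a name or uid that already exists locally; the sample entries are constructed.

```python
"""Merge Hesiod-fetched passwd entries into a local passwd database at login
and drop them again at logout.  Added example; assumes passwd(5)-format
records and an authoritative local file (hypothetical, not the Athena code).
"""
from typing import Dict, List

PasswdDB = Dict[str, List[str]]  # username -> the 7 passwd(5) fields

# Constructed sample data: one local account and one directory record.
LOCAL_PASSWD = "root:*:0:0:Charlie Root:/root:/bin/sh\n"
HESIOD_RECORD = "alice:*:12345:101:Alice Example:/mit/alice:/bin/tcsh"


def parse_passwd(text: str) -> PasswdDB:
    """Parse passwd(5)-style lines, skipping blanks and comments."""
    db: PasswdDB = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        db[fields[0]] = fields
    return db


def add_hesiod_entry(local: PasswdDB, merged: PasswdDB, record: str) -> bool:
    """Add a Hesiod record to the merged database at login.

    The local file wins: a record whose name or uid already exists locally
    is rejected, so a directory entry cannot shadow an account like root.
    Returns True if the record was added.
    """
    fields = record.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed Hesiod passwd record: {record!r}")
    name, uid = fields[0], fields[2]
    local_uids = {f[2] for f in local.values()}
    if name in local or uid in local_uids or name in merged:
        return False
    merged[name] = fields
    return True


def remove_on_logout(local: PasswdDB, merged: PasswdDB, name: str) -> bool:
    """Remove a Hesiod-added user at logout; local accounts are never removed."""
    if name in local or name not in merged:
        return False
    del merged[name]
    return True


def render(db: PasswdDB) -> str:
    """Serialise the database back to passwd(5) text."""
    return "".join(":".join(f) + "\n" for f in db.values())
```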