NIS中一个奇怪的问题，关于用户的密码

geriwolf

环境是这样，我配置了一个NIS，master server是Solaris 9，client有Solaris 8、Solaris 9和Solaris 10的机器，\r\n最近新加了一些Linux/CentOS系统的client到NIS中\r\n\r\n问题是在Linux的client上登录了NIS里的账号后，用passwd命令对该账号进行密码修改，之后发现这些账号在Solaris 8的机器上无法登陆，输入正确的密码后提示Login incorrect，但是在Solaris 9和10以及Linux的机器上登录都是正常的。\r\n\r\n后来我去master上看了下shadow文件，发现修改过密码的账户其密码散列变长了，\r\n原来是：user:kOyapkBQBYG8I:14383::::::\r\n变成了：user1$FF60WEDx$82x11MJbuwcQclmASqsmal:14383::::::\r\n\r\n我清空密码散列，重置密码，甚至删除用户重新创建，都不能在Solaris 8上登录，而且只要用passwd设置了密码，散列长度就会变成长的那种，变不回短的了。\r\n\r\n怀疑是不是Solaris 8的密码加密算法和9&10不一样，或者说9&10能够兼容linux的，8不兼容？但是手动清空了密码散列还是不行，还有什么文件遗留在哪些地方吗？现在想要能够在Solaris 8上登录上去，而且最好将shadow中的密码散列变成之前短的那种。\r\n\r\n如何解决呢？

bxwz2004

同意你的分析\r\n\r\nsolaris 8 用的是DES 的Hash算法对password 加密， 现在新的OS大多用MD5或 blowfish 的hash 算法。\r\n你的是MD5 （$1$开头) blowfish是（$2a$）开头\r\n\r\n没有在S8 上试过MD5 \r\n到sun 网站查一下有没有相关的S8安全补丁安装MD5\r\nhttp://sunsolve.sun.com/show.do?target=patches/patch-access\r\n选Recommended Patch Clusters 试试

geriwolf

谢谢楼上的答复！\r\n\r\n网上搜到这个信息，copy过来share一下，根据其所说，我在linux上执行了\r\nauthconfig --disablemd5 --useshadow --kickstart\r\n后用passwd重置下密码，shadow文件中的散列值就变成了DES加密的了，就是短的那种了，问题解决！\r\n\r\nTheo Van Dinter wrote:\r\n> On Sat, Oct 15, 2005 at 05:04:48PM -0700, Mike Noble wrote:\r\n> \r\n>>I would like to know if there is any way to make the Linux and Solaris\r\n>>work together with out producing problems, therefore a user can change\r\n>>their password on either Solaris or Linux.  If moving the NIS master and\r\n>>slaves to Linux will fix the problem then I will be more than willing to\r\n>>do it.\r\n> \r\n> \r\n> My understanding of how things work is that the client encrypts the\r\n> password before sending it to the master (verified via ltrace).\r\n> So the OS of the master really doesn\'t matter.  It\'s worth\r\n> mentioning that Solaris 9 seems to support the MD5 hashes:\r\n> http://docs.sun.com/app/docs/doc/816-4883/6mb2joasj?a=view\r\n> \r\n> I had to deal with this at work once (Solaris 2.6 - 9 and various Linux\r\n> varients), but it\'s been so long I forget the details.  My recollection\r\n> is that basically you disable MD5 authentication altogether (you can\r\n> still verify MD5 passwords, but new/changed passwords will be DES --\r\n> even for local accounts).\r\n> \r\n> For all my new Linux machines, I use kickstart, and just make sure the\r\n> config doesn\'t enable md5.\r\n> \r\n> For already existing systems, my notes indicate that I ran:\r\n>         authconfig --disablemd5 --useshadow --kickstart\r\n> \r\n> A detail I haven\'t quite figured out yet is that some of my boxes have md5\r\n> enabled, but yppasswd does DES.  Strange.\r\n\r\nBy forcing the users to use yppasswd will solve the problem.  This is\r\neasily done by removing the x bit from other on the linux boxes.\r\n\r\nNow does anybody know of problems with having a Linux (RHEL4 WS) as an\r\nNIS slave to a Master running on Solaris 9?\r\n\r\nThanks,\r\nMike\r\n> \r\n> Hope this helps. \r\n>

huanglm1986

学习了，对于solaris8了解的不多，现在基本用的都是10了