3

I have a NIS master-slave setup and I would like to improve the password rules/complexity for it. Seems like if I introduce new rules to the NIS Master they are applicable only from there. What I mean: I want minimal password length of 9 characters. On the NIS master if I run 'passwd' it obeys this requirement. If I run 'yppasswd' it just go to the default 6 characters. If I use 'chage -d 0 user1' to force a user to change a password, the user is prompted only when login on the NIS Master. The user's old password is still good to login at NIS clients. All machines are running Ubuntu 9.10 or 10.04.

How I can strengthen yppasswd rules and make it warn users to change their passwords? Thank you all!

atx
  • 1,281
  • 1
  • 9
  • 25
grs
  • 2,235
  • 6
  • 28
  • 36

2 Answers2

1

Unfortunately (short of recompiling yppasswd and hard coding in your requirements), this cannot be accomplished as stated. I would submit that the yppasswd daemon should be disabled and no calls to yppasswd should be made. A much better approach is to configure your pam stack to handle native calls to passwd and push them through the appropriate authentication channels. Alternatively you can globally alias yppasswd to passwd -r nis (man password for individual arguments).

That'd be where I would start.

solid7
  • 159
  • 1
  • I think my best option is to move away from NIS. It seems like it reads only the first 8 characters and I want to avoid compiling it. Thanks! – grs Mar 19 '11 at 19:19
1

You can create a wrapper script that tests the password candidate, then runs your native yppasswd program if the test passes. On the upside, nothing gets recompiled, On the downside, the script has to be replicated to all nodes where yppasswd would be run.

A better solution is to manupulate PAM. This article (http://www.techrepublic.com/article/controlling-passwords-with-pam/1055267) shows you how.

JeffG
  • 1,184
  • 6
  • 18