Re: [netatalk-admins] Change Passwords


Subject: Re: [netatalk-admins] Change Passwords
From: PayPC System Mail Subscriber (spammail@quanta.paypc.com)
Date: Sat Jan 30 1999 - 07:21:06 EST


Stephen Waters said in Re: [netatalk-admins] Change Passwords at 29/Jan/1999
(Fri) 03:03:57.

> is there someplace where i can get documentation on how to do this? i've
> just been using cleartext, but this would make things at least feel a
> little safer. i mean, do you need a UAM, how does this work w/ PAM, etc.
>
> my version of netatalk: netatalk-1.4b2+asun2.1.2-1.rpm for RH5.2/i386

I have no idea about PAM or UAM stuff, but assuming you link against a crypto
library (mentioned in the top-level makefile for netatalk), the rand2num
authentication method just works. (I use Slack 2.0.33+ Linux myself, though
I have SSLeay, whose shared libs I have about 7 or 8 different things using
[fast optimised crypto routines, which I replace the normal system crypt()
with]). The AFP authentication scheme relies on DES to encrypt random
numbers as part of the login process.

Alas, since the /etc/shadow (or /etc/passwd) scheme in UNIX is a one-way
hash store encrypted with salted data, it cannot be used in rand2num
authentication schemes. So... the passwords for the accounts *must* be
stored on the server. Netatalk+asun stores the (in-the-clear) password in
each user's home directory (~/.passwd). Netatalk has extremely strict
requirements about how that file's permissions are set up. It *MUST* be 0600,
owned by the user, and the group must be the user's primary GID. (This last
requirement is a bit of a puzzler, since the file's 0600).

Anyhow, I'm sure someone could whip up a quickie script to pre-create these
.passwd files in each user's home directory, if you have many users. But if
you only have a few, it's probably simpler to do something like this:

su
(enter root pw)
echo "temppass" > /home/user1/.passwd
chown user1:hisgroup /home/user1/.passwd
chmod 0600 /home/user1/.passwd

And so on... I don't know if Adrian's included a batch .passwd file setter
upper or not...

But anyhow, do FORCE your users to change their passwords, and while it may
be a bit of a pain, ensure they do not match their unix account passwords.
(With samba, this isn't a worry, since the passwords are stored encrypted,
though NT "security" has other problems which make me ask the same of my
Winbloze users.)

Anyhow. Once that's done, be sure your shares are -rand2num. I recommend
-noguest and -setpassword. Voila! You're done. All Appleshare clients
PREFER that UAM over the inferior cleartext UAM, and it's been a part of
Appleshare since Day One (I think).

The *BIG* problem with AFP logins is that it can't really "backdown" in
authentication. If the server advertises rand2num, it cannot "fallback" to
cleartext if rand2num fails.

=Rob=
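The "quickie script" Rob mentions, written out as an added example that is not part of the original post and not a netatalk tool. It does two things the post's manual su/echo/chown/chmod sequence does not: it creates the file with a restrictive umask and a rename, so the cleartext password never sits in a readable temporary state, and it provides a check function that audits an existing ~/.passwd against the exact requirements the post states (mode 0600, owned by the user, group equal to the user's primary group). The function names, the temp-file naming, and the use of find for the audit are assumptions of this example; run the create function as root for real accounts.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from netatalk or the original post).
# Creates and audits the ~/.passwd file that the rand2num UAM reads, enforcing
# the requirements stated in the post: mode 0600, owner = user, group = user's
# primary group. The file holds a cleartext password, so the audit matters.

# make_afp_passwd HOME USER GROUP PASSWORD
# Writes $HOME/.passwd with the given password, owner, group and mode 0600.
make_afp_passwd() {
    home=$1; user=$2; group=$3; pass=$4
    f="$home/.passwd"
    tmp="$home/.passwd.tmp.$$"      # temp name is an assumption of this example
    old_umask=$(umask)
    # 077: the file is created unreadable by group/other from the first byte,
    # rather than being written readable and tightened afterwards.
    umask 077
    if ! printf '%s\n' "$pass" > "$tmp"; then
        umask "$old_umask"
        return 1
    fi
    # Fix ownership and mode on the temp file, then rename into place so a
    # half-written or wrongly-owned .passwd is never left behind.
    chown "$user:$group" "$tmp" && chmod 0600 "$tmp" && mv -f "$tmp" "$f"
    rc=$?
    umask "$old_umask"
    return $rc
}

# check_afp_passwd HOME USER GROUP
# Returns 0 only if $HOME/.passwd is a regular file with exactly mode 0600,
# owned by USER with group GROUP; returns 1 otherwise.
check_afp_passwd() {
    f="$1/.passwd"
    [ -f "$f" ] || return 1
    # -prune stops find from descending; -perm 0600 (no leading '-') is an
    # exact mode match, so a 0640 or 0644 file fails the check.
    [ -n "$(find "$f" -prune -perm 0600 -user "$2" -group "$3" -print)" ]
}
```

To audit every account at once, loop over the home directories (for example from /etc/passwd) calling check_afp_passwd and report the ones that return non-zero; anything that fails is a cleartext password readable by someone other than its owner and should be fixed before afpd is exposed to clients.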



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:16:16 EST