Shadow Passwords at CSE

At CSE@UNSW we use a locally written user database that provides information via NIS (aka YP), as well as a local protocol for updates and other access.

We wanted to implement "shadow" passwords, so that the hashed password would not be visible to normal users when they use ypmatch to look at a passwd entry. So that 'root' could still see the hash and check the password, we arranged that the server would return the hash only to requests from a "privileged" port (< 1024). Only root can send requests from these ports (on the machines we trusted).

Of course, not all clients with a genuine need to check passwords will request the NIS entry from a privileged port, so all such cases had to be found and fixed.

Fortunately we are largely a Linux shop, and Linux is fairly easy to fix. Other platforms that we currently have to support are Mac OSX and Sparc Solaris (only 3 of these, fortunately).

Some things "just worked". In particular, any process running as root on Linux would do the yp_match from a privileged port, so it gets the information it needs. The problem areas were:

The first two were solved with the help of cyrus-sasl, and saslauthd in particular.

saslauthd will listen on a unix-domain socket for username/password/service/realm information, will do the password checking as root, and will return a simple pass/fail status. This allows any process to do username/password checking, as long as the socket is somewhere accessible.
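To make the saslauthd exchange concrete, here is an added example (not code from CSE or from cyrus-sasl) that speaks the saslauthd socket protocol as I understand it: four length-prefixed fields (username, password, service, realm) in, one length-prefixed "OK"/"NO" string out. The fake_saslauthd function, the FAKE_DB credentials and the in-process socket pair are constructed stand-ins so the example runs without a real daemon; against a real saslauthd you would connect to its mux socket instead.

```python
import socket
import struct
import threading
FAKE_DB = {"alice": "correct horse"}  # constructed stand-in for the real user database

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:  # a Unix socket may deliver the reply in pieces
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket")
        buf += chunk
    return buf

def _field(value):
    # saslauthd field: 16-bit big-endian length followed by the bytes
    raw = value.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def encode_request(user, password, service, realm=""):
    # Request is user, password, service and realm, each length-prefixed
    return b"".join(_field(v) for v in (user, password, service, realm))

def parse_reply(raw):
    # Reply is one length-prefixed string starting with "OK" or "NO"
    (n,) = struct.unpack("!H", raw[:2])
    msg = raw[2:2 + n].decode("utf-8", "replace")
    return msg.startswith("OK"), msg

def check_password(sock, user, password, service, realm=""):
    # Client side: the caller never sees a hash, only pass/fail
    sock.sendall(encode_request(user, password, service, realm))
    hdr = _recv_exact(sock, 2)
    return parse_reply(hdr + _recv_exact(sock, struct.unpack("!H", hdr)[0]))

def fake_saslauthd(conn):
    # Server side stand-in: decode the four fields, answer OK or NO as root would
    fields = [_recv_exact(conn, struct.unpack("!H", _recv_exact(conn, 2))[0]).decode() for _ in range(4)]
    reply = b"OK" if FAKE_DB.get(fields[0]) == fields[1] else b"NO authentication failed"
    conn.sendall(struct.pack("!H", len(reply)) + reply)

def demo():
    results = []
    for pw in ("correct horse", "wrong"):  # one good and one bad check
        client, server = socket.socketpair()
        t = threading.Thread(target=fake_saslauthd, args=(server,))
        t.start()
        results.append(check_password(client, "alice", pw, "xscreensaver")[0])
        t.join()
        client.close()
    return results
```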

I wrote a simple pam module that calls into saslauthd using sasl_checkpass. I then configured this in the pam.d file for xscreensaver. With this in place, xscreensaver works.

As we had compiled mod_auth_yp from source ourselves anyway, I patched it to talk directly to saslauthd. This made apache password checking work.

Solaris PAM was really awkward. Solaris has multiple libraries for RPC, and making sure the right ones were used was harder than it should be (we had to do the yp lookup with raw RPC calls in order to use a privileged socket). However, that eventually worked, and now ssh to Solaris works ok with shadowed passwords.

ssh to OSX works out-of-the-box. That only leaves console login (which we have already hacked to work with MD5 hashes), and then it should all be done.

Then we update the way passwords are changed (as shadowing is selected on a per-password basis in our server) and everything should be dandy.
