FreeRadius-0.4 breaks compatibility with Solaris running YP in compatibility mode, by changing when shadow password lookups are performed using the system call getspnam().
I have attached two patches.
The first attached patch adds a bunch of debugging to rlm_unix's shadow
password section (about line 510), and changes the code's style to allow for
such debugging, and adds a kludge to work around Solaris NIS/YP running with
shadow passwords.
When Solaris 2.5+ is running in YP compatibility mode with shadow passwords
enabled on the YP server, the clients expect to see ##userid in the password
field. The most important bit is the client must see ## as the first two
characters to trigger the shadow lookup.
I have not looked at the coding style guide, nor have I verified in any
other way that this patch is:
- safe to use
- safely applies to the source tree
- has no negative impact on execution on non-Solaris machines
I might suggest that the decision logic as to whether to look at the shadow
file should be different than it is -- any invalid character in the first
two characters causes the shadow (getspnam) function to be called.
From crypt(3C) on Solaris:
The key argument points to a string to be encoded (for example,
the user's password.) Only the first eight characters are used;
the rest are ignored. The salt is a two-character string chosen
from the set [a-zA-Z0-9./]. This string is used to perturb the
hashing algorithm in one of 4096 different ways.
I suggest therefore that the presence of anything other than these
characters cause an error. The only notable exception is $.
---
Roy Hooper
Project Manager & Senior UNIX Consultant
Decisive Technologies, Inc.
[EMAIL PROTECTED]
rlm_unix.c.patch
Description: Binary data
rlm_unix.c.patch2
Description: Binary data
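
The decision rule suggested in the message above, written out as an added example: this is not code from either attached patch or from FreeRADIUS, and the enum, function names and sample fields are hypothetical and constructed. It classifies a password field by its first two characters: `##` triggers the shadow lookup, two characters from the crypt(3C) salt set mean a hash is present, `$` is the named exception, and anything else is an error.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not identifiers from rlm_unix.c. */
enum pw_field_kind {
    PW_FIELD_SHADOW,  /* "##userid": Solaris YP compat marker, use getspnam() */
    PW_FIELD_CRYPT,   /* two salt chars from [a-zA-Z0-9./]: crypt(3C) hash */
    PW_FIELD_DOLLAR,  /* leading '$': the exception the message names */
    PW_FIELD_INVALID  /* anything else: report an error */
};

/* True if c is in the salt alphabet quoted from crypt(3C). */
static int is_salt_char(char c)
{
    static const char set[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    /* strchr() would match the terminator for c == '\0', so rule it out. */
    return c != '\0' && strchr(set, c) != NULL;
}

enum pw_field_kind classify_pw_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return PW_FIELD_INVALID;
    if (field[0] == '#' && field[1] == '#')
        return PW_FIELD_SHADOW;
    if (field[0] == '$')
        return PW_FIELD_DOLLAR;
    /* field[0] is non-NUL here, so reading field[1] stays in bounds. */
    if (is_salt_char(field[0]) && is_salt_char(field[1]))
        return PW_FIELD_CRYPT;
    return PW_FIELD_INVALID;
}

int main(void)
{
    /* Constructed sample password fields, not taken from any real system. */
    const char *samples[] = { "##roy", "ab0123456789.", "$x$constructed",
                              "x", "!!", "#a", "" };
    static const char *names[] = { "shadow", "crypt", "dollar", "invalid" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i], names[classify_pw_field(samples[i])]);
    return 0;
}
```

Under this rule a one-character field such as `x` lands in the error case, because its second character is the terminator and not a salt character.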
