I see that hash value (md5) is defenitly different for those password (I replaced actual string for demonstration. So still have same questions why those 2 different length passwords works ?
And here is output from requested files, sorry it took me while to migrate to another system for security reasons.
Code:
bash-3.00$ cat /etc/pam.d/system-auth /etc/nsswitch.conf
# =====================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_lsass.so try_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/pam_lsass.so unknown_ok
account sufficient /lib/security/pam_lsass.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password sufficient /lib/security/pam_lsass.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
#
# =====================================================================
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# ldap Use LDAP (only if nss_ldap is installed)
# nisplus or nis+ Use NIS+ (NIS version 3), unsupported
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
passwd: files lsass
shadow: files
group: files lsass
#hosts: db files ldap nis dns
hosts: files dns
# Example - obey only what ldap tells us...
#services: ldap [NOTFOUND=return] files
#networks: ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc: ldap [NOTFOUND=return] files
#ethers: ldap [NOTFOUND=return] files
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
Hi,
I cud find entries for user's named nobody and noaccess in the passwd file in the Unix system in which I am working ... I have seen entries for these in other systems too ....
What is the significance for nobody and noaccess ... ?? Anything special ?? Can anyone help ??
Thanks &... (1 Reply)
From what I have read it possible to create a new group by editing the etc/group and etc/passwd in UNIX two files but a non-experienced user may face many problems such as destroying the file by mistake ot that his changes to these file does not make any difference.
However, there is this... (2 Replies)
i wonder if there is a tool to read the /etc/passwd or /etc/shadow files in order to reset user accounts to the same one.
By moving (restore) all filessytem and data to another same Sun box, none of the users are able to logon to the new box which i didn't change nothing. But if i reset the user... (1 Reply)
I'm trying to make this work, and it half works. Accounts with password hashes matching the old crypt(3) algorithm work just fine:
JUpfW/w6jo6aw
But accounts with longer password hashes preceded by $1$, such as the following, do not work:
$1$iIcbppdP$HDyjJeVMGgJ.ovLsnjtTR.... (0 Replies)
Hi Folks,
I have Solaris 10, latest release.
We have passwd aging set in /etc/defalut/passwd.
I have an account that passwd should never expire. Acheived by emptying associated users shadow file entries for passwd aging.
When I reset the users passwd using passwd command, it re enables... (3 Replies)
Hi , can anyone explain me the difference between /etc/shadow and /etc/default/passwd . As per my knowledge both the files are used for password aging and control parameters. (2 Replies)
Hi all..
I moved the /etc/shadow and /etc/shadow files to /tmp and then rebooted my PARC machine running 5.10. I did it to see if I could recover from single user mode.
But, I forgot to enable the abort key-sequence which I earlier disabled.
Stuck!
One of my gurus told I had to... (9 Replies)
Hi,
I have a Solaris 10 box where password aging is not functioning properly. Using the passwd command with the -l or -u options causes the lastchg field in the /etc/shadow file to be modified. Therefore, if a user's password is set to expire in 90 days and they are 1 day away, all they have... (4 Replies)
I am running the ETL job to passing the database username,pssswd positional arguments to shell script (bash) and how can we suppress/hide the password from ps command. (2 Replies)
Discussion started by: pimmit22043
2 Replies
LEARN ABOUT LINUX
nsswitch.conf
NSSWITCH.CONF(5) Linux Programmer's Manual NSSWITCH.CONF(5)NAME
nsswitch.conf - System Databases and Name Service Switch configuration file
DESCRIPTION
Various functions in the C Library need to be configured to work correctly in the local environment. Traditionally, this was done by using
files (e.g., /etc/passwd), but other nameservices (like the Network Information Service (NIS) and the Domain Name Service (DNS)) became
popular, and were hacked into the C library, usually with a fixed search order.
The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6) contain a cleaner solution of this problem. It is designed after a
method used by Sun Microsystems in the C library of Solaris 2. We follow their name and call this scheme "Name Service Switch" (NSS). The
sources for the "databases" and their lookup order are specified in the /etc/nsswitch.conf file.
The following databases are available in the NSS:
aliases
Mail aliases, used by sendmail(8). Presently ignored.
ethers Ethernet numbers.
group Groups of users, used by getgrent(3) functions.
hosts Host names and numbers, used by gethostbyname(3) and similar functions.
netgroup
Network wide list of hosts and users, used for access rules. C libraries before glibc 2.1 only support netgroups over NIS.
networks
Network names and numbers, used by getnetent(3) functions.
passwd User passwords, used by getpwent(3) functions.
protocols
Network protocols, used by getprotoent(3) functions.
publickey
Public and secret keys for Secure_RPC used by NFS and NIS+.
rpc Remote procedure call names and numbers, used by getrpcbyname(3) and similar functions.
services
Network services, used by getservent(3) functions.
shadow Shadow user passwords, used by getspnam(3).
An example /etc/nsswitch.conf (namely, the default used when /etc/nsswitch.conf is missing):
passwd: compat
group: compat
shadow: compat
hosts: dns [!UNAVAIL=return] files
networks: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
services: nis [NOTFOUND=return] files
The first column is the database. The rest of the line specifies how the lookup process works. You can specify the way it works for each
database individually.
The configuration specification for each database can contain two different items:
* The service specification like `files', `db', or `nis'.
* The reaction on lookup result like `[NOTFOUND=return]'.
For libc5 with NYS, the allowed service specifications are `files', `nis', and `nisplus'. For hosts, you could specify `dns' as extra ser-
vice, for passwd and group `compat', but not for shadow.
For glibc, you must have a file called /lib/libnss_SERVICE.so.X for every SERVICE you are using. On a standard installation, you could use
`files', `db', `nis', and `nisplus'. For hosts, you could specify `dns' as extra service, for passwd, group, and shadow `compat'. These
services will not be used by libc5 with NYS. The version number X is 1 for glibc 2.0 and 2 for glibc 2.1.
The second item in the specification gives the user much finer control on the lookup process. Action items are placed between two service
names and are written within brackets. The general form is
`[' ( `!'? STATUS `=' ACTION )+ `]'
where
STATUS => success | notfound | unavail | tryagain
ACTION => return | continue
The case of the keywords is insignificant. The STATUS values are the results of a call to a lookup function of a specific service. They
mean:
success
No error occurred and the wanted entry is returned. The default action for this is `return'.
notfound
The lookup process works ok but the needed value was not found. The default action is `continue'.
unavail
The service is permanently unavailable. This can either mean the needed file is not available, or, for DNS, the server is not
available or does not allow queries. The default action is `continue'.
tryagain
The service is temporarily unavailable. This could mean a file is locked or a server currently cannot accept more connections. The
default action is `continue'.
Interaction with +/- syntax (compat mode)
Linux libc5 without NYS does not have the name service switch but does allow the user some policy control. In /etc/passwd you could have
entries of the form +user or +@netgroup (include the specified user from the NIS passwd map), -user or -@netgroup (exclude the specified
user), and + (include every user, except the excluded ones, from the NIS passwd map).
You can override certain passwd fields for a particular user from the NIS passwd map by using the extended form of +user:::::: in
/etc/passwd. Non-empty fields override information in the NIS passwd map.
Since most people only put a + at the end of /etc/passwd to include everything from NIS, the switch provides a faster alternative for this
case (`passwd: files nis') which doesn't require the single + entry in /etc/passwd, /etc/group, and /etc/shadow. If this is not suffi-
cient, the NSS `compat' service provides full +/- semantics. By default, the source is `nis', but this may be overridden by specifying
`nisplus' as source for the pseudo-databases passwd_compat, group_compat and shadow_compat. These pseudo-databases are only available in
GNU C Library.
FILES
A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
/etc/nsswitch.conf configuration file
/lib/libnss_compat.so.X implements `compat' source for glibc2
/lib/libnss_db.so.X implements `db' source for glibc2
/lib/libnss_dns.so.X implements `dns' source for glibc2
/lib/libnss_files.so.X implements `files' source for glibc2
/lib/libnss_hesiod.so.X implements `hesiod' source for glibc2
/lib/libnss_nis.so.X implements `nis' source for glibc2
/lib/libnss_nisplus.so.2 implements `nisplus' source for glibc 2.1
NOTES
Within each process that uses nsswitch.conf, the entire file is read only once; if the file is later changed, the process will continue
using the old configuration.
With Solaris, it isn't possible to link programs using the NSS Service statically. With Linux, this is no problem.
On a Debian system other mail transport agents may or may not ignore the aliases file. For example, unlike sendmail Exim does not ignore
it.
COLOPHON
This page is part of release 3.27 of the Linux man-pages project. A description of the project, and information about reporting bugs, can
be found at http://www.kernel.org/doc/man-pages/.
Linux 1999-01-17 NSSWITCH.CONF(5)
09-22-2011
