1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • need we support unshadowed passwords from the installer

    From nick black@21:1/5 to All on Sat Jan 14 03:20:01 2023
    it's 2023 and imho time to stop supporting unshadowed passwords
    from the installer.

    https://salsa.debian.org/installer-team/user-setup/-/merge_requests/5

    1) nis (and possibly conserver?) seem the primary drivers of an
    unshadowed passwd.=20

    let me freely admit that, despite the advanced age of forty-two
    (seventy-eight in UNIX years), that i know nothing about nis/yp
    except that there was a big o'reilly book about it back when one
    read the security book with the big safe on the front and the
    scripting book with the big drill. i suspect it's basically a
    halfway point between syncing /etc/passwd and /etc/hosts with
    cron+rsh, and hiring someone on whom you can inflict ldap? so
    please correct me wherever i'm woefully ignorant.

    ...but it appears that NIS can be made to work with shadowed
    passwords (though without their benefits). this is from a
    cursory reading of a FAQ last updated in 2003, so take it with a
    grain of salt. the "linux network administrators [sic] guide"
    seems to confirm this, and can also help you set up IPX or UUCP.

    2) it seems that the unshadowing of passwords is only a
    "/sbin/shadowconfig off" away. somewhere down the long road, we
    appear to have lost shadowconfig.8, but this is what i gather
    from web searches.

    i'd almost suggest this might want to go into the "nis"
    package, avoiding "why do we even have that lever"
    situations, but i resolutely oppose feature creep for this MR.

    3) if someone accidentally selects this during install, i can't
    think of any means by which they'd find out during the course of
    typical systems administration.

    4) i don't have to answer this question in any other installer
    i've used in the past decade, i'm pretty certain.

    5) arch appears to support NIS without any mention of shadowing?
    though admittedly that wiki page is "somewhat unfinished"[0]

    6) fedora has recently discussed eliminating NIS support
    entirely. it's a done deal in RHEL.

    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    --rigorously, nick

    [0] https://wiki.archlinux.org/title/NIS

    --
    nick black -=- https://www.nick-black.com
    to make an apple pie from scratch,
    you need first invent a universe.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEmi//dHmU4oe+xCLxX0NADCHL+swFAmPCD1wACgkQX0NADCHL +szjaA/+IiUL3l2hWB0b0i9glQrEtWyyYI5Qsd8mjj3ap2NNwJOBEFeuVu6UwbnP t8O6k9DIvRmtw13aykxRrZQfJL87SJnPU5rlufXuoQglv9kpqxdJcYSJAraHRNhd 043dlVSCxtSsQr92AMiM68+cJsYypC3VL/Peuh5s4z6T8x7LTv4vIMrCxspugqYD rsTxTy+TvlGcOrRFhqpZZRa/am6kQA2f5k37CEbZxZ1KT+6eux9Z2HVEfFXzA/+U Ptxaqs5JCfR8NBPcPjBTOr4N61miCJvNknJJEFbsdx8J51i6lV813wqHZKf3oSrR 3Y77Z8ML90pbkg4IE0J5m38fB6Ox4XBzDYhtPDE3shhnzpXPgCo69cremYQsLOZt 6gcLpzpoCsZIxSA0P6acrE1ZaJ7zCSr5SkoqulnzWLBFzOLR63+JXwk7bmK2RjQM WGt/mGosiS5buXjRFzxV1ivnMRyEP0TEEv77vf3+H6MF3TEKdAvZOmCvQd7eue1K htkKDeHbsNMQY/0uljay4FHCqBHfY9e/NvBgsPb0OD+BwSlU9/3oo40ju6C5qIE8 fhU91Ns3YOLdYwTWQTqrxK7Ix6q2qfKaqb08fu7QXV4ImorGVnWpxEeBODy6oz7T T8tlw6mK6pEClnQV5uca4Xe8dl0mCflL//57jrhv0YPA0hYAj7o=
    =UgH/
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet G
  • From Marc Haber@21:1/5 to [email protected] on Sat Jan 14 10:00:01 2023
    On Fri, 13 Jan 2023 21:11:40 -0500, nick black
    <[email protected]> wrote:
    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    Amen. NIS-based systems usually have professional administrators who
    are well able to change the configuration.

    Greetings
    Marc
    --
    -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom " |
    Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peter Pentchev@21:1/5 to nick black on Sat Jan 14 13:20:01 2023
    On Fri, Jan 13, 2023 at 09:11:40PM -0500, nick black wrote:
    it's 2023 and imho time to stop supporting unshadowed passwords
    from the installer.

    https://salsa.debian.org/installer-team/user-setup/-/merge_requests/5

    1) nis (and possibly conserver?) seem the primary drivers of an
    unshadowed passwd.=20

    let me freely admit that, despite the advanced age of forty-two (seventy-eight in UNIX years), that i know nothing about nis/yp
    except that there was a big o'reilly book about it back when one
    read the security book with the big safe on the front and the
    scripting book with the big drill. i suspect it's basically a
    halfway point between syncing /etc/passwd and /etc/hosts with
    cron+rsh, and hiring someone on whom you can inflict ldap? so
    please correct me wherever i'm woefully ignorant.

    ...but it appears that NIS can be made to work with shadowed
    passwords (though without their benefits). this is from a
    cursory reading of a FAQ last updated in 2003, so take it with a
    grain of salt. the "linux network administrators [sic] guide"
    seems to confirm this, and can also help you set up IPX or UUCP.
    [snip]
    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    I know what NIS/YP is, I know of a couple of places where it is
    still in use, and, as Mark Haber said, the people running those
    places know how to find and flip a switch.

    G'luck,
    Peter

    --
    Peter Pentchev [email protected] [email protected] [email protected]
    PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmPCm84ACgkQZR7vsCUn 3xMI6hAAulWKuT5eaThgz44XdVwoZnOEHWBeT/vsIW6bMPYZ7TBAQxWtfv9kl4r9 fYzD6bbBUQQ+fCaQDVJULwZH69M1+6phxXs1ekUwiW7VKv6pLno1ZHOGMy8d+x+4 xhJUfu3CMiCfgmLII7a6So+webKliayXgW1/1qYiwZbdEPAVh94fQEY5312Ra6ve GeLI7AF8Ljb1dS/6h79c7Hy9ydZO+qfaqQOmbWzVHPRwTogcbj6c2cHZqvmU1Rzu Nel5FcXtEqGik1SLXOpaz4GTrZtVQ5g6K+Yk4ktQQxgOhAdG9kmo4yOJ1s4u8FRr 8IQaGvuCTPaENm7cvO4BVBFfGvDoVxPngvanNLGw7lHwij25keiUg7kes7RYMS6H XhUh1gM4XaGyFPsy3Nf43ukouW9HKtoT/RdDA9277D0F1SaQOcuKwaaC+Bj7COlM SKeVKQaN3FIRC8c6vpzuh2lUF4CjrlXOszMVFtPvkkcWxAPLu75tb5D8kwqFxhGe zmkA3wOV3L1sKuDr3joWhSjHSGOjbRJcVuXxhPj/PAZaUdB1APgOWrEIpg+KQT95 x8eJt+tE4TurJPKf67TYifzNq7QcVicpSZV7gcxNYIb2H6+8MjzRhLs0DvwT9xy7 M6zoHs6BHPfYXOdWVAk88BZRpIua63U7SFt/58TuZxYO0tUi52s=
    =SbTs
    -
  • From Peter Pentchev@21:1/5 to Peter Pentchev on Sat Jan 14 13:20:01 2023
    On Sat, Jan 14, 2023 at 02:11:00PM +0200, Peter Pentchev wrote:
    On Fri, Jan 13, 2023 at 09:11:40PM -0500, nick black wrote:
    it's 2023 and imho time to stop supporting unshadowed passwords
    from the installer.

    https://salsa.debian.org/installer-team/user-setup/-/merge_requests/5

    1) nis (and possibly conserver?) seem the primary drivers of an
    unshadowed passwd.=20

    let me freely admit that, despite the advanced age of forty-two (seventy-eight in UNIX years), that i know nothing about nis/yp
    except that there was a big o'reilly book about it back when one
    read the security book with the big safe on the front and the
    scripting book with the big drill. i suspect it's basically a
    halfway point between syncing /etc/passwd and /etc/hosts with
    cron+rsh, and hiring someone on whom you can inflict ldap? so
    please correct me wherever i'm woefully ignorant.

    ...but it appears that NIS can be made to work with shadowed
    passwords (though without their benefits). this is from a
    cursory reading of a FAQ last updated in 2003, so take it with a
    grain of salt. the "linux network administrators [sic] guide"
    seems to confirm this, and can also help you set up IPX or UUCP.
    [snip]
    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    I know what NIS/YP is, I know of a couple of places where it is
    still in use, and, as Mark Haber said, the people running those

    Um. Many apologies. Of course it's Marc.

    places know how to find and flip a switch.

    --
    Peter Pentchev [email protected] [email protected] [email protected]
    PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmPCm/MACgkQZR7vsCUn 3xMFrhAAqhwDpKjxqw5W7A55+Gkj0xi4uGOpha1ysdH8r0fas2uVmheIofb2PW27 mrV0lJSQtxy5CmyluCNB6ubRNeJ99wl5XabIXrx/+DgJ+UiUUGNTOBgNjKZcVply eaJPtlYEkZnGvMAM8UOXZIUwmQ8feFgvgEK+SICHhfolzbt+JuhDBejP6d7rCSGP Il6V5bboM0ISZB1j8owb1h2+yZmWKbYCyZyUS5QFUaSEQljjYAw9tAv4fLD0HJVx Pj2ldbdG400cBvgFAJvi30/gKH5GSLThCZ9tgDySd5V4wR/2A3ySvAxCzZZbw1HB 2yYJHB1mNvY8gT2pi6oua2UWmfdrNWuZdHkUptMM68xHIe+aq9ojh9OU6m44kZMV P2KUU1ig4lpbYkuL6FJJMjICBK9Kd3VtgbecnkjO6kvpVikFmWnCtmPOCaz3EXBo 5OE9CFWq2gdmMXiwXBwwrPq0SQqkzYzd1S75wXqkirPIP7S87hqh4S81z9hdPb05 OQiUqcWSNnyolzraTX0uG4OJw/PBr9J1f7om9RlzSjCaVFSmImLMqUrjrlGnPOoD CHDfew4iM3c5SlUj/4ySo5go2b4rckuLnXcpv2nBg6VaLmDxD5C0xdyvtD6Rzr8u BokmzoU1PLHYBsr9jVhcl/TNjx89VUixjKtOivbvL4CNI2gXWLM=
    =wBES
    -
  • From nick black@21:1/5 to All on Sat Jan 14 15:20:01 2023
    XPost: linux.debian.maint.boot

    Marc Haber left as an exercise for the reader:
    On Fri, 13 Jan 2023 21:11:40 -0500, nick black
    <[email protected]> wrote:
    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    Amen. NIS-based systems usually have professional administrators who
    are well able to change the configuration.

    hahah, yes i thought you might support the idea based off
    adduser changelogs circa 2005 =].

    thanks to you and peter for voicing your support. i will head
    off to #debian-boot and try to drum up a merge.

    --
    nick black -=- https://www.nick-black.com
    to make an apple pie from scratch,
    you need first invent a universe.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEmi//dHmU4oe+xCLxX0NADCHL+swFAmPCuckACgkQX0NADCHL +sxUSw/+LGSBhd2OCntH5yQTYdTl0r5LdQANxm6fIm3Hbf7i/oHutPRKNvSpAhdG tX1OFlhYUgRTE0+BkIszde9ERmk/2ShF+iqvyFYuhWaN6Kxezw11ur9j/PIQSE0f G35GmplacFqbzgFjWui2fDVazuMloMBYg5IX+IU3Bg3c0v9zBEjn+Wh3GbNG4x0c l8I17RnCbQbvdG25IVliE3hUN5bMA8Kij9YEnLYgYkZvE1Qp56CrLwnT1tI+WZOi spAu3OnfOCG/PQ92pj58EjBTLmGEpXhBo/Pwygt0S4NcRA0W+ZYqlP2rY/EvgfrW NvbAZClErsz3SAoZ8XgFYj3QR0lLGKSvWISmJ2DxJRHJkMtlZ63mtsV0D73rkYQS Yhm76VxVh8vBXgUqeXnM/Eqp8DT7nQDPjxSGXzNhTw7MT9pMMwXruKQjVH5mt+6h FQ/7T8OXogeWMHHvzOt+NjGkTOVtRYJhkaB4YvE0rubpsMKUjQzkfwMk2+4FqQ02 +oTTT+uKI3B3miC2b1ClYfUCWuiNLgVXlfIXn3cu8dtFkREwDx2GMR1PdqJYwIeh pBiXeE8rVdW2BQJmG25W5NR+2ob57w5vye0Oe38XQUS+pjseC2Ma9cWkVDTtjIs2 OCPwuMxTF9YzSPgVmq35xKtW492NBdmmTGf8eECR7jvEm9Sjl80=
    =0hb0
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet G
  • From Sam Hartman@21:1/5 to All on Sun Jan 15 01:00:01 2023
    "nick" == nick black <[email protected]> writes:

    nick> it's 2023 and imho time to stop supporting unshadowed
    nick> passwords from the installer.

    Yes, absolutely.
    I am familiar with nis/PAM/shadow/LDAP, have deployed NIS (although not nisplus), and have been around long enough to understand the issues.

    It is absolutely reasonable to expect people who need to do so to
    unshadow their own passwords.

    -----BEGIN PGP SIGNATURE-----

    iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCY8NAbwAKCRAsbEw8qDeG dASuAP0ZViaxORCtpgaQpt0bwqw1OR9wgdaHyM8uckUqUJPC2gD+ODubuSiX8scj zD9ExW0Cz4LYoStJkMD1q+BvV0cfBgk=
    =eOkz
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to nick black on Sun Jan 15 14:30:02 2023
    XPost: linux.debian.maint.boot

    On Sat, Jan 14, 2023 at 09:18:59AM -0500, nick black wrote:
    Marc Haber left as an exercise for the reader:
    On Fri, 13 Jan 2023 21:11:40 -0500, nick black
    <[email protected]> wrote:
    i'm absolutely not suggesting we stop supporting NIS or other
    programs which rely on unshadowed passwords. it's a big ol'
    tent, and we have more than enough room for you to carry forth
    the torch of Solaris 2. i just don't think this belongs in the
    installer anymore.

    Amen. NIS-based systems usually have professional administrators who
    are well able to change the configuration.

    hahah, yes i thought you might support the idea based off
    adduser changelogs circa 2005 =].

    thanks to you and peter for voicing your support. i will head
    off to #debian-boot and try to drum up a merge.

    I'll be honest, I've been horrified for years that we can still ask
    the shadow question. I hadn't realised it might be relevant for
    NIS. Even so, +1 from me. Let's get this done, I think...

    --
    Steve McIntyre, Cambridge, UK. [email protected] Is there anybody out there?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From nick black@21:1/5 to All on Sun Jan 15 20:10:02 2023
    Sam Hartman left as an exercise for the reader:
    Yes, absolutely.
    I am familiar with nis/PAM/shadow/LDAP, have deployed NIS (although not nisplus), and have been around long enough to understand the issues.

    It is absolutely reasonable to expect people who need to do so to
    unshadow their own passwords.

    thanks Steve McIntyre for the merge!

    as an aside, as a fairly new DD, i've seen a lot of worry in
    recent years about the difficulty of getting changes through
    given the distributed ownership of packages, etc. i was frankly
    worried about this being difficult to see through, despite it
    being a small and agreed-upon change (there was certainly no way
    i was going to NMU the installer).

    it was merged this morning after authoring the MR through salsa
    two evenings ago, quite painlessly. this is anecdotal and
    perhaps not representative of Project dynamics as a whole, but i
    for one feel more comfortable about proposing and executing
    small changes like this now.

    --
    nick black -=- https://www.nick-black.com
    to make an apple pie from scratch,
    you need first invent a universe.

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEmi//dHmU4oe+xCLxX0NADCHL+swFAmPETWIACgkQX0NADCHL +syQMA/7BtgxT9ck+MTqcxF9M8RQ6bIwsKbSsdVMtuOTEHcpYo9O/yV3/Y52gCcL KzVFW2GKaFCnS+IR2bddv8QYTGT0B3vvnFeLrvjM/u/p3iNkHlh3eIsVD6fsNTyR deXBVy9cIyQ0sUqZgB7cBCEh6TJIGwU8iE0yyDrApMBljrcosZ0az+Szo2Yv/EMo sEpzRFDLMFL+mUdLsfnnKQ5SRt6Tx/jE2NN7H6bbVDZ8PxTLpOlQUL5Qho6OckaM xuXsEhxZ5aq1+wUbQqh6w2W7nxggmph16Lh9KChkHwlnUZgSlKA1KhgQPM6/chh/ TTcZTdkMKL1D1dqzRlFWzvrhgEt97ooqzzDyK6k2LRBOhjYg2mD9QMA19AkwsxI+ xBal3KA2JK4OJsHSv/T2tPKID0ok5K3nsRrtwpRaepKdgVGqNTvYVUU9MBbCgJEE Xx8w62C0v444YRY7kYpwNwnBQXhAbGhWz6GKDAMM/4ntUAHhuGcjZ/KwLl/wt6Uo PiyCe34gnVOIA0mDjGWT4TyvWsztOHoqo6dq4iZ6HOXgF2x0SrVMgIgbM+QlRj1m 6U97tuw5pVereQyMg/DRi+ZEogTjqiZar0tN2i9adVycccyhm5dTQKJmNNWzUiN6 QLpWwbBeEjRuEEynUi/5nYARwSw5pO3bqbWGAK2c1uVwDLqmkYU=
    =JO3l
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet G