Q: Solaris MD5 password authentication with PAM ( Answered,   1 Comment )
Question  
Subject: Solaris MD5 password authentication with PAM
Category: Computers > Operating Systems
Asked by: reaver69-ga
List Price: $10.00
Posted: 30 Jan 2003 08:27 PST
Expires: 01 Mar 2003 08:27 PST
Question ID: 155262
I'm looking for a way to authenticate passwords from a redhat 6.2
machine on a solaris 9 box. I know solaris supports md5 with ldap, but
ldap isn't a viable alternative for me. I would like PAM to first try
to authenticate a user with a normal solaris type password (DES I
believe? I'm not terribly familiar with Solaris...), and if that fails
try to auth the pass with MD5.

Where can I find a module to do this?
How would it be configured?

Request for Question Clarification by maniac-ga on 30 Jan 2003 19:47 PST
Hello Reaver69,

Hmm. I am not quite sure how you will get the passwords from the Linux
box to Solaris without some network protocol (NFS?). Since you say
LDAP is not an option, would Kerberos do instead? My company has over
a 100 machines (and users) with a PC running Kerberos (with a backup).
If a machine does not have the network link, it does a fall back to
the local password file. Would that be OK or will you only consider a
PAM solution?

  --Maniac

Clarification of Question by reaver69-ga on 31 Jan 2003 06:50 PST
Actually I would be simply copying the passwords from the /etc/shadow
on the linux box to /etc/shadow on the solaris machine, I want to be
able to move users from one system to the other.

I guess it would not have to be PAM, but it would have to be some
method to auth passwords locally on the solaris machine.

Thanks!

Request for Question Clarification by maniac-ga on 01 Feb 2003 08:28 PST
Hello Reaver69,

Hmm. Copying password (/etc/shadow) files between machines.

That method could be made to work but it may introduce some problems:
 - users can end up with different passwords on the Sun / Linux
machines
 - if you synchronize password files, 
  o you have to tell users to change them on one machine only
  o the passwords are still out of sync until you copy the password
file between machines
These are the kinds of problems that are avoided with a network based
authentication method such as Kerberos or NIS.

How do you want to proceed at this point?

  --Maniac

Clarification of Question by reaver69-ga on 01 Feb 2003 15:04 PST
It would be a one time copy from the linux machine to the solaris
machine, the goal is to migrate passwords from the linux machine to
the solaris machine without resetting them.
Answer  
Subject: Re: Solaris MD5 password authentication with PAM
Answered By: maniac-ga on 01 Feb 2003 15:51 PST
 
Hello Denco,

I still don't quite understand what you are trying to do, but let's
answer the specific question
  How can I authenticate on Solaris with MD5 passwords generated on
Linux.

Based on what I can find, Sun does provide PAM support and modules.
There is extensive documentation at
  http://wwws.sun.com/software/solaris/pam/
which states it is integrated into Solaris 2.6 (and subsequent). It
does not state that it is compatible with MD5 encoding on Linux.

If not, there are a number of other sites that describe how to build
your own PAM modules for Solaris. The next few references address that
option, assuming you want to build the Linux compatible modules for
your use. [Note - I searched, but could not find prebuilt modules for
Solaris]

http://www.netsys.com/focus-sun/2001/02/msg00054.html
The first message of an extensive thread on the alternatives related
to getting MD5 password support on Solaris. One Sun developer notes
that they were going to put the MD5 capability into crypt directly
(instead of PAM). I cannot confirm if that was actually done or not in
Solaris 9. That may be another option if implemented and you are using
that version.

http://www.dementia.org/~shadow/pam.html
An extensive explanation of one user's experience in building and
using PAM modules from the Linux sources for use on Solaris. Note the
specific issues with compatibility and limitations on how you build
the modules near the end.

http://us6.samba.org/samba/ftp/docs/htmldocs/PAM-Authentication-And-Samba.html
I am including this example in case you are not familiar with creating
pam configuration files. This lists a pretty extensive example as part
of setting up authentication for Samba.

Let me know if you need more explanation of the steps necessary to
solve this problem for you.

  --Maniac

Request for Answer Clarification by reaver69-ga on 02 Feb 2003 11:17 PST
If you do not fully understand then please do not answer my question.

I need a PAM authentication scheme that can authenticate both MD5 and
solaris native encrypted passwords on solaris 9.

The scenario is this more precisely :

I have 1 linux redhat 6.2 machine and I have 1 solaris 9 machine. I
need to move at least the user passwords from the linux machine to the
solaris machine.

So if I copy the password from the linux machine to the solaris
machine, I need PAM to behave like this :

Authenticate password by normal solaris crypt means
If not authenticated then authenticate by md5 means
If not authenticated fail

So I need a PAM module that can handle md5 authentication and way to
configure pam to function as above.

As I stated originally, I need a module not a way to write one.

Clarification of Answer by maniac-ga on 03 Feb 2003 18:30 PST
Hello Denco,

The following should explain more fully the approach I suggested. I
did not suggest you write a module, but to use code that already
exists. You will have to make changes to the PAM configuration files,
but that is relatively straightforward to perform.

As I stated before, the preferred approach is to use modules and
support provided by Sun. However, based on what I can find, the
Solaris modules are not compatible with MD5 encoding on Linux. Until
Sun provides compatible modules, you need to provide your own.

That does not mean, that you must "write a module". I provided a
reference where system administrators have built PAM modules for
Solaris from the source code used on Linux systems. To repeat, the
reference at
  http://www.dementia.org/~shadow/pam.html
which goes into some detail about this including guidance on how to
build the modules. This site is also referred to by the master Linux
PAM sites listed below. He includes an email address for contact. If
you send him email, he may make his already built modules available
and then you can skip the module build steps.

You should have access to PAM source code for your Linux distribution.
If not, a search such as
  http://www.rpmfind.net/linux/rpm2html/search.php?query=pam&submit=Search+...
will provide a series of references. Scroll down to find the source
that matches your Linux distribution. As an alternative, it may be
good to download the Rawhide 1.0 source for Sparc; it may have patches
that make it work better on your Solaris system. Another alternative
is to download the source from a primary distribution site such as
  ftp://ftp.kernel.org/pub/linux/libs/pam/
or if that is busy, try
  http://kernel.netnitco.net/linux/libs/pam/
and download the version of source code you want to use. 

As a test, I downloaded a copy of Linux-PAM-0.77 at
  http://kernel.netnitco.net/linux/libs/pam/pre/library/Linux-PAM-0.77.tar.gz
and reviewed the README file that accompanies it. Basically, it asks
you to
  ./configure
and then
  make
to generate the PAM modules, utilities, etc. These steps will require
the appropriate development tools on your Solaris system.

Note that the Linux source to pam_unix is in
  Linux-PAM-0.77/modules/pam_unix
It may be possible to build just this module; check the README there
for more information.

After it is built, I suggest renaming this module to pam_linux or some
similar name and then copying it into the same directory as your
existing pam_unix modules are on Solaris.

Then you can change the PAM configuration file to include a line
like...
  login  auth  sufficient  /usr/lib/security/pam_linux.so.1
at each place where you want to use the Linux passwords instead of the
Solaris passwords. The phrase sufficient allows that authentication to
be enough for the user to get in. Note that the sufficient line must
be in front of the required line if you want either method to work.
This kind of handling is described in the PAM Administrator document
at the Sun site I referred to before.

This may not be as simple as you expected, but appears to be the only
way to do what you are asking for.

  --Maniac
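
The ordering rule in the answer above (the `sufficient` line in front of the `required` line), worked through as an added example that is not part of the original answer and is not Sun's or Linux-PAM's code. It is a simplified model of auth-stack evaluation; the Solaris module path and the per-module outcomes are assumptions, and only the `pam_linux.so.1` line comes from the answer.

```python
# Added example: simplified model of how a PAM auth stack is evaluated.
# Not Sun's or Linux-PAM's code; module outcomes are supplied by the caller.
LINUX = "/usr/lib/security/pam_linux.so.1"   # renamed Linux pam_unix (from the answer)
NATIVE = "/usr/lib/security/pam_unix.so.1"   # assumed name of the Solaris module

# Constructed pam.conf fragments: service, type, control flag, module path.
SUFFICIENT_FIRST = f"""
login  auth  sufficient  {LINUX}
login  auth  required    {NATIVE}   # Solaris crypt check
"""
REQUIRED_FIRST = f"""
login  auth  required    {NATIVE}
login  auth  sufficient  {LINUX}
"""

def parse_pam_conf(text, service, mod_type="auth"):
    """Return [(control_flag, module_path)] for one service/type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == mod_type:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, results):
    """results maps module_path -> True (module accepted the password) or False."""
    required_failed = False
    passed = False
    for flag, path in stack:
        ok = results[path]
        if flag == "sufficient":
            if ok and not required_failed:
                return True          # short-circuit: later modules never run
            # a failed sufficient module is ignored
        elif flag == "requisite" and not ok:
            return False             # fail immediately
        elif flag in ("required", "requisite"):
            passed = passed or ok
            required_failed = required_failed or not ok
        # "optional" results are ignored in this simplified model
    return passed and not required_failed

# Constructed outcomes: which module accepts which kind of stored hash.
MIGRATED_MD5 = {LINUX: True, NATIVE: False}   # hash copied from Linux /etc/shadow
NATIVE_USER = {LINUX: False, NATIVE: True}    # assumption: only the Solaris module accepts
WRONG_PASSWORD = {LINUX: False, NATIVE: False}

if __name__ == "__main__":
    for name, conf in (("sufficient first", SUFFICIENT_FIRST), ("required first", REQUIRED_FIRST)):
        stack = parse_pam_conf(conf, "login")
        print(name, [evaluate(stack, r) for r in (MIGRATED_MD5, NATIVE_USER, WRONG_PASSWORD)])
```

With the `required` line first, the migrated MD5 account is rejected even though the second module accepts it. With `sufficient` first, a success there skips every later module in the auth stack, so any check that must always run has to sit above it.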
Comments  
Subject: Re: Solaris MD5 password authentication with PAM
From: denco-ga on 30 Jan 2003 21:24 PST
 
You might check out running radius; it appears
there are versions for Solaris 9 and it is most
certainly available for RH Linux.

Check out: http://www.sunfreeware.com/ for a
Solaris version.

With radius you configure one machine to look
to another machine for authentication; pretty
much it.
