Note: This is an archival copy of Security Sun Alert 200366 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000258.1.
Article ID : 1000258.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-02-25
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 8 and Solaris 9 NIS Clients May Not Allow Users With +/-Passwd Syntax Entries to Login



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
4873939

Date of Workaround Release
08-JUL-2003

Date of Resolved Release
26-FEB-2004

Impact

Solaris 8 and Solaris 9 NIS clients whose passwd(4) file contains entries beginning with a "+" (plus sign) or a "-" (minus sign), and whose nsswitch.conf(4) file contains the entry "passwd: compat", may find that NIS accounts are no longer able to log in.

Note: Password entries with a "+" or "-" selectively incorporate entries from NIS maps for the password.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 with patch 108993-14 through 108993-31 and without patch 108993-32
  • Solaris 9 without patch 113476-10

x86 Platform

  • Solaris 8 with patch 108994-14 through 108994-31 and without patch 108994-32
  • Solaris 9 without patch 114242-06

Note: Solaris 2.6 and Solaris 7 are not affected by this issue.

Only login accounts on NIS client systems that use the +/- passwd(4) syntax and also have "compat" set for either the "passwd" or "group" entry in the nsswitch.conf(4) file are affected.

To determine if a system is an NIS client, run the following command:

    $ ps -ef | grep ypbind

To view the 'passwd' and 'group' entries in the nsswitch.conf(4) file, run the following command:

    $ egrep "^passwd|^group" /etc/nsswitch.conf
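
The checks above can be combined with the patch revisions listed under Contributing Factors into one script. This is an added example, not part of the original Sun Alert: the function names and verdict strings are illustrative, and it assumes a POSIX sh, grep and awk (rather than the legacy Bourne shell tools) and the "Patch: ID-rev" line format printed by showrev -p.

```shell
#!/bin/sh
# Added example: exposure check for the conditions in this Sun Alert.
# Files are passed as arguments so it also works on copies of a host's config.

# True if the passwd or group line of an nsswitch.conf(4) file uses "compat".
uses_compat() {
    grep -E '^(passwd|group):[^#]*compat' "$1" >/dev/null 2>&1
}

# True if a passwd(4) file has entries beginning with "+" or "-".
has_plus_minus() {
    grep '^[+-]' "$1" >/dev/null 2>&1
}

# Print the highest installed revision of patch base ID $1, reading
# "showrev -p" output ("Patch: 108993-31 Obsoletes: ...") on stdin.
# Prints nothing when the patch is absent.
patch_rev() {
    awk -v id="$1" '$1 == "Patch:" { split($2, p, "-")
        if (p[1] == id && p[2] + 0 > max) max = p[2] + 0 }
        END { if (max) print max }'
}

# assess NSSWITCH PASSWD PATCH_ID FIRST_AFFECTED_REV FIRST_FIXED_REV
# with "showrev -p" output on stdin. Prints one verdict:
#   config-not-exposed | below-affected-range | affected | fixed
assess() {
    if ! uses_compat "$1" || ! has_plus_minus "$2"; then
        echo "config-not-exposed"; return 0
    fi
    rev=$(patch_rev "$3"); rev=${rev:-0}
    if [ "$rev" -ge "$5" ]; then echo "fixed"
    elif [ "$rev" -ge "$4" ]; then echo "affected"
    else echo "below-affected-range"
    fi
}

# Live use on an NIS client (ypbind running), values from the lists above:
#   Solaris 8 SPARC: showrev -p | assess /etc/nsswitch.conf /etc/passwd 108993 14 32
#   Solaris 9 SPARC: showrev -p | assess /etc/nsswitch.conf /etc/passwd 113476 0 10
```

For x86 systems, substitute 108994 14 32 (Solaris 8) or 114242 0 6 (Solaris 9).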

Symptoms

If the described issue occurs, NIS user accounts will no longer be able to log in to NIS client systems.


Workaround

To work around the described issue, change the following entry in the "/etc/pam.conf" file from:

    other   auth required    pam_unix_auth.so.1

To:

    other   auth required    pam_unix.so.1

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 108993-32 or later
  • Solaris 9 with patch 113476-10 or later

x86 Platform

  • Solaris 8 with patch 108994-32 or later
  • Solaris 9 with patch 114242-06 or later


Modification History
Date: 05-JAN-2004
  • Updated Relief/Workaround

Date: 26-FEB-2004
  • State: Resolved
  • Updated Contributing Factors and Resolution sections


References

114242-06
113476-10
108994-32
108993-32



