more netatalk pain; encrypted passwords


Subject: more netatalk pain; encrypted passwords
From: Nathaniel Irons (beppo@bumppo.net)
Date: Tue Oct 10 2000 - 17:29:01 MDT


Thanks to an episode of patient off-list assistance, netatalk
1.4.99-asun eventually built. My first problem was in using the umich
1.4b2 sources, which I assumed were more recent than the
asun/sourceforge version after I couldn't get the asun sources to
compile. Turns out one has to run ./autogen to create usable makefiles,
a step not mentioned by the various readmes or the HOWTO.

With that out of the way, netatalk installed fine, but I could only log
in as guest. The HOWTO suggests that out of the box, netatalk can't
authenticate with shadow passwords, and recommends adding either
-DSHADOWPW or -DUSE_PAM to CFLAGS in the afpd Makefile. Builds with
those options (after rebooting, and checking the dates on the binaries
to make sure the subsequent installations had taken) yielded no changes;
I still couldn't log in with a username/password.

So I finally broke down, scrapped the binaries, and installed the RPM
from a YDL mirror (netatalk-1.4b2+asun2.1.3-8.ppc.rpm). Now I can log
in as various users, which it apparently authenticates through PAM
(judging by the new netatalk file in /etc/pam.d/).

So everything works, except passwords are still being sent in cleartext.

The HOWTO says explicitly that two-way encrypted passwords are used when
netatalk is compiled with libdes, and when a file containing the
password exists at ~/.passwd with 600 permissions. If this is true,
then the netatalk RPM was not compiled with libdes -- I don't know if
it's possible to verify this another way.

Somewhere in my reading of the last two days, however, I came under the
impression that encryption also has to be enabled within afpd.conf, or
authentication defaults to cleartext. If this is true, I can't suss out
the syntax -- there's an optional UAM field in the afpd.conf options,
but I don't know which, if any, I want (between cleartxt, afskrb, krbiv,
guest, randnum, and rand2num). I tried them all, of course.

My afpd.conf entry looks like this:

Name_in_chooser -transall -noguest -loginmesg "sample" -randnum

Any help appreciated.

  -nat
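An added check script (written for this archive page, not taken from the post or from netatalk) for the two conditions the quoted HOWTO ties to encrypted logins: a randnum-style UAM flag on the afpd.conf line, and a ~/.passwd file present with mode 600. The afpd.conf path and home directory are parameters, and whether these two conditions suffice is the HOWTO's claim as the post relays it, not something this script verifies.

```shell
#!/bin/sh
# Added configuration check; assumptions are the HOWTO rules quoted in the
# post: randnum login needs ~/.passwd with mode 600, and the afpd.conf line
# should carry a -randnum or -rand2num UAM flag. Paths come from the caller.

# check_afpd_uam CONF: inspect the first non-comment line of CONF and
# return 0 if a randnum-style UAM is requested, 1 otherwise.
check_afpd_uam() {
    conf="$1"
    [ -r "$conf" ] || { echo "no afpd.conf at $conf"; return 2; }
    line=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$' | head -n 1)
    case " $line " in
        *" -randnum "*|*" -rand2num "*) echo "randnum UAM requested"; return 0 ;;
        *" -cleartxt "*) echo "cleartext UAM explicitly requested"; return 1 ;;
        *) echo "no randnum UAM flag on: $line"; return 1 ;;
    esac
}

# check_passwd_file HOME: HOME/.passwd must exist as a regular file whose
# mode is exactly owner read/write (-rw-------), i.e. 0600.
check_passwd_file() {
    f="$1/.passwd"
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f has mode $mode, want -rw-------"; return 1; }
    echo "$f ok"
    return 0
}

# check_randnum_setup CONF HOME: both conditions must hold for success.
check_randnum_setup() {
    rc=0
    check_afpd_uam "$1" || rc=1
    check_passwd_file "$2" || rc=1
    return $rc
}
```

Run it as `check_randnum_setup /etc/atalk/afpd.conf /home/user` (paths are placeholders); a non-zero exit with the printed reason points at whichever condition is missing.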



This archive was generated by hypermail 2a24 : Tue Oct 10 2000 - 17:35:36 MDT