Message-ID: <20120319014811.GA22403@openwall.com>
Date: Mon, 19 Mar 2012 05:48:11 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: hardened-shadow, a shadow suite that has tcb built-in

On Thu, Mar 15, 2012 at 05:03:09PM +0100, Paweł Hajdan, Jr. wrote:
> On Wed, Mar 14, 2012 at 23:53, Solar Designer <solar@...nwall.com> wrote:
> > > It's an alternative implementation of shadow utilities
> > > (login, su, passwd and so on), inspired by Openwall's tcb.
> >
> > Actually, for these three things you mentioned, we use SimplePAMApps
> > (with our patches), not the shadow suite.
>
> Interesting, is 0.60 the latest version of SimplePAMApps? If not, where's
> the latest version?

As far as I'm aware, 0.60 is the latest.  That's what both Owl and
ALT Linux use (with patches).

> Here are links I could find easily:
>
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/SimplePAMApps/

These are our patches to SimplePAMApps.

> http://sisyphus.ru/en/srpm/Sisyphus/SimplePAMApps/sources

This has the original SimplePAMApps 0.60 tarball in uncompressed form.
The original .tar.gz may be had e.g. from the Owl sources tree:

http://mirrors.kernel.org/openwall/Owl/current/sources/Owl/packages/SimplePAMApps/

In Owl, we have this separation between pristine source tarballs and our
patches into two trees, both of which are used during Owl build.

> > This sounds good, except that for the PAM and NSS modules it could be
> > better to just use those we have in our tcb.  And when its /etc/tcb mode
> > is not needed, then for NSS just use glibc's.  By introducing your
> > alternatives, you potentially increase the total number of bugs in
> > implementations that are in use on different systems.  While I admit
> > that I am guilty for doing similar things (re-implementations) in other
> > cases, arguably there has to be a good reason to introduce a new
> > implementation.  What are your reasons to introduce and maintain yet
> > another pam_unix clone when we already have and maintain pam_tcb?
>
> That's a good question, and I was also thinking about it before making that
> decision.
>
> First, when adding tcb support to shadow, I noticed there is some
> duplication (of code but also of knowledge, i.e. coupling) that could be
> solved by moving more code to libtcb, or re-implementing the whole thing as
> a single package (that's what I did with hardened-shadow).
>
> The hardened_shadow PAM module and NSSwitch module use code from common/,
> especially file.c.

OK.

> I decided to base hardened_shadow PAM module on pam_unix instead of pam_tcb
> because I want hardened-shadow to be as compatible with shadow-utils and
> pam_unix as possible.

Is our pam_tcb somehow less compatible with Linux-PAM's pam_unix than
your module is?

> Note that I'm going to work more on that PAM code, so contributions to
> bring it closer to pam_tcb (or replace it with pam_tcb) could be
> interesting.

At this time, I don't see why you couldn't just use pam_tcb as-is.

> The pam_tcb code would need some changes anyway, e.g. to use
> hardened-shadow.h.

What would it need to use from there, specifically?  Is that about your
first comment above (de-duplication of some code? shadow file rewrites?)

> > FWIW, I noticed that you also excluded gpasswd - you could want to
> > document that in your list of missing features.
>
> Right, that was also on purpose - I think nowadays password-protected
> groups are not really used, and they increase complexity of the tools.

I agree.

Thanks,

Alexander