Message-ID: <20060701202525.GP1128@annvix.org>
Date: Sat, 1 Jul 2006 14:25:25 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: owl-users@...ts.openwall.com
Subject: tcb and friends with shadow-utils 4.0.12
I'm working towards integrating tcb fully into Annvix here and am
running into a few issues. I had to forwardport quite a few patches
from owl cvs because we're using 4.0.12... I *think* I did a sufficient
job. Everything compiles and once I've got everything moved over onto a
test virtual machine, it all installs, and authentication seems to work
ok (with ssh login, local login, and sudo).
The problem I'm having is with passwd; it's segfaulting on me when I try
to change a password. I've got my /etc/pam.d/system-auth nearly
identical to the openwall one (in Owl/packages/pam/system-auth.pam):
[root@...test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# $Id$
auth required pam_env.so
auth required pam_tcb.so shadow fork nullok prefix=$2a$ count=8
#auth required pam_deny.so
account required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password required pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8
#password required pam_deny.so
session required pam_limits.so
session required pam_tcb.so
A few things I noticed, and I was originally trying to stick pam_tcb in
there as a replacement for pam_unix, which is why I kept the last
pam_deny.so call in there. Of course, with pam_unix this works ok, but
with pam_tcb it doesn't, so I had to remove it. Does pam_tcb negate the
need for pam_deny?
Anyways, my big problem here is with passwd segfaulting when I try to
change my password (I haven't tried anything else that the shadow-utils
tcb patches touch yet).
I've changed perms, so that /etc/shadow is owned root:shadow and mode
0440. I've used tcb_convert to enable my tcb files; my /etc/tcb files
are owned [user]:auth, and the directories are all sgid auth. My own
shadow file (/etc/tcb/vdanen) is owned vdanen:auth and is 640.
I'm wondering if I missed a patch to passwd perhaps? We use a separate
passwd package that provides just passwd itself (it's the freebsd passwd
with pam support). I noticed passwd isn't in the owl shadow-utils
package (in fact, I'm at a loss as to which package in openwall is
providing passwd since I don't see it in util-linux either).
It's good that auth works... it means I'm heading in the right
direction. Hmmm... wait... looks like it's wanting to use /etc/shadow
regardless of the USE_TCB setting in login.defs (unless it requires the
shadow file to exist still?).
Hmmm... do I need to put tcb into the shadow line in /etc/nsswitch.conf?
Ok, looks like I need to have "files tcb bla..." in the nsswitch.conf;
then I don't need /etc/shadow (or, rather, it tells me it's properly
getting it from the tcb files).
Despite that change (not that I thought it would really help), I still
can't change my password. /usr/bin/passwd is sgid shadow.
Oh, all I did was add three groups: auth, shadow, and chkpwd (gid's 27,
28, and 29 respectively). Are any users required to operate things? I
didn't notice anything looking through the slides and spec files.
I think I'm half-way there, which is really cool, but I need some
assistance getting the rest of the way. For reference, I'm using:
shadow-utils 4.0.12
passwd 0.71
util-linux 2.12r (although this is unpatched; just for reference)
pam 0.99.3.0
The following are the patches I took and rediffed from the openwall
shadow-utils package:
Patch4: shadow-4.0.12-avx-man.patch
Patch6: shadow-4.0.12-avx-crypt_gensalt.patch
Patch7: shadow-4.0.12-avx-usergroupname_max.patch
Patch8: shadow-4.0.12-avx-tcb.patch
I looked through the other shadow-utils patches and they didn't look to
be tcb-related so I didn't pursue those further.
Any ideas at all would be appreciated. Thanks much.
--
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
:: Annvix - Secure Linux Server: http://annvix.org/ ::
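A permission audit for the tcb tree described in the message, added here as an example (it is not from the original post, nor from Owl or the tcb project). It assumes GNU coreutils stat(1) and the usual tcb layout of /etc/tcb owned root:shadow mode 0710, /etc/tcb/<user> owned user:auth mode 2710, and /etc/tcb/<user>/shadow owned user:auth mode 0640; the ROOT argument lets it run against a staging tree instead of a live /etc.

```shell
#!/bin/sh
# Audit ownership and modes of a tcb tree (added example; GNU stat assumed).
# Expected layout (assumption based on tcb conventions, not from the post):
#   ROOT/etc/tcb                 root:shadow   0710
#   ROOT/etc/tcb/<user>          <user>:auth   2710  (sgid auth)
#   ROOT/etc/tcb/<user>/shadow   <user>:auth   0640

# check_entry PATH OWNER GROUP MODE: print one line, return 1 on mismatch.
check_entry() {
    path=$1; want="$2:$3 $4"
    got=$(stat -c '%U:%G %a' "$path" 2>/dev/null) || { echo "MISSING $path"; return 1; }
    if [ "$got" != "$want" ]; then
        echo "BAD     $path is $got, expected $want"
        return 1
    fi
    echo "ok      $path ($got)"
}

# check_tcb_layout ROOT TOPOWNER TOPGROUP USER GROUP
# TOPOWNER/TOPGROUP are expected on ROOT/etc/tcb itself (root:shadow on a
# live system); USER/GROUP on the user's directory and shadow file (user:auth).
# Returns 0 only when every entry matches.
check_tcb_layout() {
    root=$1; topowner=$2; topgroup=$3; user=$4; group=$5
    rc=0
    check_entry "$root/etc/tcb"              "$topowner" "$topgroup" 710  || rc=1
    check_entry "$root/etc/tcb/$user"        "$user"     "$group"    2710 || rc=1
    check_entry "$root/etc/tcb/$user/shadow" "$user"     "$group"    640  || rc=1
    return $rc
}

# make_sample_tree ROOT USER: build a constructed staging tree (owned by the
# caller, not a real auth group) so the audit can be exercised offline.
make_sample_tree() {
    root=$1; user=$2
    mkdir -p "$root/etc/tcb/$user"
    chmod 710 "$root/etc/tcb"
    chmod 2710 "$root/etc/tcb/$user"
    : > "$root/etc/tcb/$user/shadow"
    chmod 640 "$root/etc/tcb/$user/shadow"
}
```

On a live system the call would be `check_tcb_layout / root shadow vdanen auth`; a non-zero exit points at the first entry whose owner, group or mode does not match.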