Message-ID: <20060702014026.GA13135@openwall.com>
Date: Sun, 2 Jul 2006 05:40:26 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sat, Jul 01, 2006 at 02:25:25PM -0600, Vincent Danen wrote:
> I'm working towards integrating tcb fully into Annvix here ...

Great!  We definitely want our stuff to be accepted by other distributions.

> The problem I'm having is with passwd; it's segfaulting on me when I try
> to change a password.  I've got my /etc/pam.d/system-auth nearly
> identical to the openwall one (in Owl/packages/pam/system-auth.pam):
[...skipped...]

It looks OK to me.

> A few things I noticed, and I was originally trying to stick pam_tcb in
> there as a replacement for pam_unix, which is why I kept the last
> pam_deny.so call in there.  Of course, with pam_unix this works ok, but
> with pam_tcb it doesn't, so I had to remove it.  Does pam_tcb negate the
> need for pam_deny?

I don't understand why pam_deny could be needed there at all.

> Anyways, my big problem here is with passwd segfaulting when I try to
> change my password

I'm afraid that you'll have to debug the segfault.  Even if it's caused
by misconfiguration, this suggests that you have a bug in some C code,
perhaps in the passwd program itself.

> I've changed perms, so that /etc/shadow is owned root:shadow and mode
> 0440.

Once you fully migrate your system to tcb, you should remove /etc/shadow.

> I've used tcb_convert to enable my tcb files; my /etc/tcb files
> are owned [user]:auth, and the directories are all sgid auth.  My own
> shadow file (/etc/tcb/vdanen) is owned vdanen:auth and is 640.

That's correct.

> I'm wondering if I missed a patch to passwd perhaps?

No, tcb does not require a patch to passwd.

> We use a separate
> passwd package that provides just passwd itself (it's the freebsd passwd
> with pam support).  I noticed passwd isn't in the owl shadow-utils
> package (in fact, I'm at a loss as to which package in openwall is
> providing passwd since I don't see it in util-linux either).

We use the implementation from SimplePAMApps with our modifications (not
related to the use of tcb):

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/SimplePAMApps/

SimplePAMApps is a package that provides small PAM-only implementations
of login, passwd, and su.  It is essentially unmaintained upstream - so
we're maintaining it ourselves.  (Maybe we should be making releases of
"our" SimplePAMApps separately from Owl.)

> It's good that auth works... it means I'm heading in the right
> direction.  Hmmm... wait.. looks like it's wanting to use /etc/shadow
> regardless of the USE_TCB setting in login.defs

The USE_TCB setting is for the shadow suite utilities only (such as
useradd, etc.)

> (unless it requires the shadow file to exist still?).

With proper configuration, it should not.

> Hmmm... do I need to put tcb into the shadow line in /etc/nsswitch.conf?

Yes, you do.  We have:

passwd:     files nisplus nis
shadow:     tcb nisplus nis
# To not use tcb, replace the "tcb" with "files":
#shadow:    files nisplus nis
group:      files nisplus nis

> Ok, looks like I need to have "files tcb bla..." in the nsswitch.conf;

Not exactly.  You replace "files" with "tcb" - but you do that on the
"shadow" line only.

> /usr/bin/passwd is sgid shadow.

That's correct.  We have it like this:

-rwx--s--x  1 root shadow 6884 2006-05-06 03:56 /usr/bin/passwd

> Oh, all I did was add three groups: auth, shadow, and chkpwd (gid's 27,
> 28, and 29 respectively).  Are any users required to operate things?  I
> didn't notice anything looking through the slides and spec files.

No, you only needed to add the groups.

> The following are the patches I took and rediffed from the openwall
> shadow-utils package:
>
> Patch4: shadow-4.0.12-avx-man.patch
> Patch6: shadow-4.0.12-avx-crypt_gensalt.patch
> Patch7: shadow-4.0.12-avx-usergroupname_max.patch
> Patch8: shadow-4.0.12-avx-tcb.patch

If those patches are derived from ours, you may want to give due credit
to our project by not dropping the "-owl-" from the filenames.  Under
our conventions, if we were the maintainers of Annvix, the filenames
would be shadow-4.0.12-owl-avx-tcb.diff and the like.

Thanks,

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments