Message-ID: <20060702051315.GS1128@annvix.org>
Date: Sat, 1 Jul 2006 23:13:15 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

* Vincent Danen <vdanen@...sec.ca> [2006-07-01 22:47:35 -0600]:

> > If SimplePAMApps requires any fixes for gcc 4.1+, I'm sure Dmitry
> > already has those implemented for ALT Linux's distributions.
> 
> Poking around the ALT site now to see if I can find something.

ALT doesn't use SimplePAMApps' passwd program, but has his own (had to
poke around to find it).

At any rate, passwd is still segfaulting, so I'm going to have to look
at this a little closer.  It looks like pam_tcb is doing the right
thing... I enabled debug and it shows it authenticating and handing
things off, so there's something else wrong.

I'll see if I can get a little closer tomorrow.

Now, I just want to clarify something and I'm far from a PAM expert
here...  but when you have /etc/pam.d/passwd and it's going through the
stack (i.e. pam_passwdqc and pam_tcb) for the password section, is
pam_tcb modifying the shadow file or is the passwd program?

My thinking is that pam_tcb tells passwd that it has the right guy...
either I authenticate with my password or I don't, so passwd is
looking for a PAM_SUCCESS to come back to it, and when that's done it
will write the password.  So I'm thinking that passwd actually does the
writing and pam_tcb doesn't actually touch the shadow or tcb files,
correct?

So if I'm authenticating ok (according to the logs pam_tcb is saying it
obtained my username and that auth passed for password management), then
the problem must be with the passwd program and its ability to write to
a file.

I don't know... I think it's late and I'm thinking too hard.  Best to
leave this till tomorrow.


-- 
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
:: Annvix - Secure Linux Server: http://annvix.org/ ::
