Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20060702062606.GA14454@openwall.com>
Date: Sun, 2 Jul 2006 10:26:06 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sat, Jul 01, 2006 at 11:13:15PM -0600, Vincent Danen wrote:
> ALT doesn't use SimplePAMApps' passwd program, but has his own (had to
> poke around to find it).

You're right.  Sorry for the confusion.

OK, if there's a problem compiling SimplePAMApps' passwd with gcc 4.1+,
we'll find that out very soon and fix it.

> Now, I just want to clarify something and I'm far from a pam expert
> here...  but when you have /etc/pam.d/passwd and it's going through the
> stack (ie. pam_passwdqc and pam_tcb) for the password section, is
> pam_tcb modifying the shadow file or is the passwd program?

pam_tcb does that.  That's why you have to tell it to write_to=tcb.

> My thinking is that pam_tcb tells passwd that it has the right guy...
> either I authenticate with my password and or I don't, so passwd is
> looking for a PAM_SUCCESS to come back to it, and when that's done it
> will write the password.  So I'm thinking that passwd actually does the
> writing and pam_tcb doesn't actually touch the shadow or tcb files,
> correct?

No.  The passwd program should not even know where the passwords or
password hashes are stored; it is just a tiny wrapper around PAM calls.

Besides, the PAM password changing stack may also be invoked from login
services to force changing of expired passwords.  The passwd program is
not involved in this at all.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.