Follow @Openwall on Twitter for new release announcements and other news

This is the change log for our tcb suite implementing the alternative password shadowing scheme on Owl.

2021-01-11  Solar Designer  <solar at>

	* tcb.spec: 1.2.
	* LICENSE: Update copyright years for Dmitry's recent contributions.

2020-07-16  Dmitry V. Levin  <ldv at>

	tcb_chkpwd: remove the last remaining piece of NIS+ support.
	* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
	of NIS+ password entries.

	tcb_unconvert: print error diagnostics if the final chown fails.
	* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
	case of an error returned by the final chown invocation.  This does
	not affect the exit status of tcb_unconvert, though, since the final
	chown does not affect the result of conversion.

2020-07-15  Dmitry V. Levin  <ldv at>

	pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
	* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
	of struct passwd with zero.

	pam_tcb: fix harmless -Wpointer-sign compilation warnings.
	* pam_tcb/support.h (struct pam_unix_params): Change the type of
	"crypt_prefix" and "helper" fields from "const unsigned char *"
	to "const char *".

2018-07-07  Dmitry V. Levin  <ldv at>

	pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
	to OpenBSD.
	This does not affect builds with libxcrypt >= 4.1.0 that provides
	* pam_tcb/support.c (_set_ctrl)
	with "$2b$".
	* pam_tcb/pam_tcb.8 (prefix): Likewise.

2018-06-26  Dmitry V. Levin  <ldv at>

	pam_tcb: request automatic prefix if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "prefix" argument to crypt_gensalt_ra function will cause it
	to select the best available hash function.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (_set_ctrl)
	pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
	default value.
	* pam_tcb/pam_tcb.8: Document this.

	pam_tcb: request automatic entropy if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "rbytes" argument to crypt_gensalt_ra function will cause it
	to acquire random bytes from the operating system.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (do_crypt)
	with null "rbytes" and zero "nrbytes" arguments.

2018-06-19  Dmitry V. Levin  <ldv at>

	pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
	* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
	Update messages.
	(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace

2018-05-31  Dmitry V. Levin  <ldv at>

	pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
	This follows the change in pam_unix implemented in Linux-PAM
	commit Linux-PAM-1.3.0~5.
	pam_get_authtok(3) is available in OpenPAM since 2002-04-08
	and in Linux-PAM since 2008-12-03.
	As pam_get_authtok(3) does not support not_set_pass option,
	the support for this not much useful option is dropped.
	Instead pam_tcb gets a proper support for authtok_type= option.
	* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
	(authtok_type): New option.
	* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
	(pam_sm_authenticate): Use pam_get_authtok instead of
	* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
	Remove unused macros.
	(do_setpass): Remove "fromwhat" argument.
	(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
	(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
	* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove
	unused functions.
	(unix_bools): Replace "not_set_pass" with "use_first_pass" and
	(parse_opt): Remove manual handling of "use_first_pass" and
	(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
	the_cmdline_opts.  Remove manual handling of "authtok_usage=".
	UNIX_AUTHTOK_TYPE): New enum constants.
	MESSAGE_MISTYPED): Remove unused macros.
	enum constants.
	(struct pam_unix_params): Remove unused authtok_usage field.
	(_unix_read_password): Remove unused prototype.

2018-05-22  Dmitry V. Levin  <ldv at>

	pam_tcb: drop obsolete NIS/NIS+ support.
	The GNU C library, starting with version 2.26, deprecated libnsl.
	As result, pam_tcb no longer builds with modern versions of glibc
	configured without --enable-obsolete-nsl option.
	While glibc recommends to use replacement implementations based on
	TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether.
	* pam_tcb/yppasswd.h: Remove.
	* pam_tcb/yppasswd_xdr.c: Likewise.
	* pam_tcb/Makefile: Do not link with -lnsl.
	(LIBSRC): Remove yppasswd_xdr.c.
	* pam_tcb/pam_tcb.8: Remove references to NIS+.
	* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
	* pam_tcb/support.c: Likewise.
	* pam_tcb/support.h: Likewise.
	* progs/tcb_convert.8: Remove references to nis and nisplus.

2012-05-24  Dmitry V. Levin  <ldv at>

	pam_tcb: Implement i18n support.
	Linux-PAM starting with release 0.81 implements i18n support using
	gettext.  This change extends i18n support to pam_tcb.
	The i18n support is not enabled by default, define both ENABLE_NLS and
	NLS_PACKAGE macros to enable it.  When NLS_PACKAGE macro is defined to
	"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
	* pam_tcb/support.h: Mark all messages for translation.  Pass through
	dgettext all messages marked for translation when both ENABLE_NLS and
	NLS_PACKAGE macros are defined.

2011-07-17  Solar Designer  <solar at>

	* tcb.spec: 1.1, "Requires: glibc-crypt_blowfish >= 1.2".

	* pam_tcb/support.c (_set_ctrl), pam_tcb/pam_tcb.8: changed the default
	hash encoding prefix from "$2a$" to "$2y$" (requires crypt_blowfish 1.2
	or newer).

2010-06-07  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.6.

	* libs/libtcb.c (tcb_is_suspect): Drop faulty check for sparse files.
	It was based on a wrong assumption that st_blksize indicates the size
	of allocated blocks.  Also, the notion of sparse files does not apply
	to filesystems with compression turned on.
	The purpose of this check was to prevent some DoS attacks on root
	invoking user management tools and on services doing authentication.
	On a system with tcb shadow files, if group shadow access is somehow
	compromised, those files may be directly written to by their
	corresponding users as well as made sparse, which is what made this
	check somewhat desirable, but it was insufficient and problematic.
	Bug reported by Jim Darby <jim at>.

2010-02-25  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.5.

2010-02-14  Dmitry V. Levin  <ldv at>

	Decrease the size of tcb_privs structure allocated in .data segment
	from 256K to a two dozen bytes by moving a groups array to .bss segment.
	* include/tcb.h (TCB_NGROUPS): Set to fixed value 1024 to reduce a waste
	of address space.  The former value NGROUPS_MAX is immensely large
	nowdays, and root privileged processes are not expected to have so large
	list of supplementary groups anyway.
	(struct tcb_privs): Move the groups array outside the structure.
	* libs/libtcb.c (glob_grplist): New static groups array.
	(tcb_drop_priv_r): Set errno in case of invalid use.
	(glob_privs, tcb_drop_priv_r, tcb_drop_priv): Update for the change of
	tcb_privs structure.
	* libs/nss.c (tcb_safe_open): Likewise.

2010-02-10  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.4.
	* LICENSE: Update copyright for 2010 year.

2010-01-20  Dmitry V. Levin  <ldv at>

	* libs/libtcb.c (tcb_drop_priv_r): Fix potential grpbuf buffer
	overflow.  This function is expected to return -1 if the buffer in
	tcb_privs structure is not sufficiently large to store all
	supplementary groups, but it didn't.  It treated 1st argument of
	getgroups(2) as the size of buffer in bytes, but according to specs it
	should be set to the size of buffer in items that can be stored there.
	To reproduce the bug, one has to build tcb with NGROUPS_MAX value
	lesser than the value defined in /proc/sys/kernel/ngroups_max, and set
	an appropriate (greater than NGROUPS_MAX) number of supplementary
	groups for the calling process.  There doesn't appear to be any
	untrusted user input involved.  Thus, this bug doesn't have to be
	treated as a security issue.

2010-01-19  Dmitry V. Levin  <ldv at>

	* libs/Makefile: Use LDFLAGS more consistently.
	* progs/Makefile: Likewise.
	Reported by PaweĊ‚ Hajdan, Jr. <phajdan.jr at>.

2009-04-03  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.3.

2009-04-02  Dmitry V. Levin  <ldv at>

	* LICENSE: Update copyright for 2009 year.

	* pam_tcb/pam_unix_passwd.c (update_file): Call fflush(3) and
	Reported by Ermanno Scaglione <erm67 at>.

	* pam_tcb/support.c (_unix_fork, unix_run_helper_binary): Replace
	all calls to exit(3) in child processes with calls to _exit(2).
	Reported by Pascal Terjan <pterjan at>.

2006-10-31  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.2.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Free retval_data
	pointer on error path.
	* pam_tcb/support.c (user_in_nisdb): Free userinfo string.
	* progs/tcb_chkpwd.c (zeroise): New function, zeroises string.
	(unix_verify_password): Free stored_hash string, zeroise hash
	Reported by Alexander Kanevskiy.

2006-05-06  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.1.
	* LICENSE: Updated copyright for 2006 year.

	* pam_tcb/pam_unix_sess.c (pam_sm_open_session): Fail with
	PAM_SESSION_ERR for unknown users.

2005-12-28  Dmitry V. Levin  <ldv at>

	* tcb.spec: 1.0.
	* LICENSE: Updated copyrights for 2004 and 2005 years.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Bump syslog
	priorities of three error messages.

2005-09-26  Dmitry V. Levin  <ldv at>

	Update logging code to use pam_syslog.
	Update conversation code to use pam_prompt.

	* include/attribute.h (TCB_GNUC_PREREQ, TCB_FORMAT, TCB_NONNULL):
	New macro.
	(unused): Rewrite using TCB_GNUC_PREREQ.
	* pam_tcb/compat.c: New file, defines pam_syslog and pam_prompt
	if PAM does not provide them.
	* pam_tcb/compat.h: New file, defines prototypes for pam_syslog
	and pam_prompt if PAM does not provide them.
	* pam_tcb/Makefile (LIBSRC): Add compat.c.
	* pam_tcb/pam_unix_acct.c (acct_shadow): Add pam handle parameter.
	(pam_sm_acct_mgmt): Pass pam handle to functions which now require
	it.  Replace _log_err with pam_syslog.	Replace _make_remark
	with pam_error and pam_info.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	Pass pam handle to functions which now require it.
	(pam_sm_authenticate): Replace _log_err with pam_syslog.
	* pam_tcb/pam_unix_passwd.c (PASSWD_TMP_FILE): Remove macro.
	(update_file): New function, based on update_passwd and
	(update_passwd, update_shadow): Rewrite using update_file.
	(get_nis_server, update_nis, do_setpass): Add pam handle
	(get_nis_server, update_nis, do_setpass, unix_approve_pass,
	unix_prelim, pam_sm_chauthtok): Pass pam handle to functions
	which now require it.  Replace _log_err with pam_syslog.
	Replace _make_remark with pam_error.
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Pass pam handle to functions which now
	require it.  Replace _log_err with pam_syslog.
	* pam_tcb/support.c (_log_err, converse, _make_remark): Remove
	no longer used functions.
	(_unix_fork, user_in_file, _unix_user_in_db,
	unix_blankpasswd_plain, _unix_blankpasswd, check_crypt,
	unix_verify_password_plain, crypt_wrapper_ra, crypt_wrapper,
	do_crypt, parse_opt, _set_ctrl): Add pam handle parameter.
	Pass pam handle to functions which now require it.
	Replace _log_err with pam_syslog.
	(_unix_read_password): Rewrite prompt handling to use pam_info
	and pam_prompt.
	* pam_tcb/support.h: Include "attribute.h" and "compat.h".
	(cmdline_opts): Add const qualifier to optname variable.
	(cb_func, _unix_user_in_db, _unix_fork, _set_ctrl,
	_unix_blankpasswd, _unix_read_password, crypt_wrapper, do_crypt):
	Update function prototypes.
	(_log_err, _make_remark): Remove prototypes of removed functions.

2005-09-12  Dmitry V. Levin  <ldv at>

	Implement OpenPAM build support.

	* Make.defs (CFLAGS): Remove -DLINUX_PAM.
	* pam_tcb/pam_unix_acct.c: Include <syslog.h>.
	Include <security/pam_appl.h> if and only if
	* pam_tcb/pam_unix_auth.c: Likewise.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* pam_tcb/pam_unix_sess.c: Likewise.
	* pam_tcb/support.c: Likewise.

	* pam_tcb/support.h: Define pam_item_t and pam_data_t.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Change type of
	item variable.
	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred):
	* pam_tcb/pam_unix_passwd.c (unix_prelim, pam_sm_chauthtok):
	* pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session): Likewise.
	* pam_tcb/support.c (converse, failures_cleanup,
	do_record_failure, _unix_read_password): Likewise.

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Protect code
	which uses PAM_CONV_AGAIN and PAM_INCOMPLETE with appropriate
	* pam_tcb/support.c (converse): Likewise.

2005-09-11  Dmitry V. Levin  <ldv at>

	* pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Do not override
	user prompt in calls to pam_get_user, recent PAM releases provide
	better default.
	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
	* pam_tcb/support.h: Remove PROMPT_USER.

	* pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Fix password
	string check to avoid potential NULL dereference.
	* pam_tcb/support.c (unix_verify_password_plain): Check password
	string to avoid potential NULL dereference.
	(unix_run_helper_binary): Remove redundant password string check.

	* progs/tcb_unconvert.c (copy_user_from_tcb): Add const qualifier
	to msg variable, to fix warning reported by "gcc -Wwrite-strings".

2005-08-23  Dmitry V. Levin  <ldv at>

	Package symlink and pam_pwdb(8) manual page link.

	* pam_tcb/pam_pwdb.8: New file.
	* Makefile, pam_tcb/Makefile, tcb.spec:
	Install and pam_pwdb.8.

	* tcb.spec: 0.9.9.

2005-08-19  Dmitry V. Levin  <ldv at>

	In the PAM module, implement "openlog" option and disable
	openlog/closelog calls for each logging function invocation
	by default.

	* pam_tcb/support.h: Rename UNIX_NOOPENLOG to UNIX_OPENLOG.
	* pam_tcb/support.c (_log_err): When UNIX_OPENLOG is not set,
	prefix log line with the module name.
	(bool_names): Add negate field.
	(unix_bools): Add "openlog" option.
	(parse_opt): Handle negate field.
	* pam_tcb/pam_tcb.8: Document "openlog" option.

2005-08-18  Dmitry V. Levin  <ldv at>

	Restrict list of global symbols exported by the library,
	NSS and PAM modules.

	* libs/Makefile: New variables: LIB_MAP and NSS_MAP.  Pass
	--version-script argument when linking shared library and the
	NSS module.
	* libs/ New file, version script for the NSS module.
	* libs/libtcb.c (ch_uid, ch_gid): Make static.
	* libs/ New file, version script for the library.

	* pam_tcb/Makefile: New variable: PAM_MAP.  Pass --version-script
	argument when linking the PAM module.
	* pam_tcb/ New file, version script for the PAM module.

2005-04-22  Dmitry V. Levin  <ldv at>

	Enhance multilib support.

	* Make.defs: New variables: SLIBDIR and LIBDIR.
	* libs/Makefile, pam_tcb/Makefile, tcb.spec: Use them.

	* libs/Makefile, pam_tcb/Makefile, misc/Makefile, progs/Makefile:
	Create all necessary directories in the beginning of install target.

2005-04-22  Dmitry V. Levin  <ldv at>

	Deal with compilation warnings generated by new gcc compiler.

	* include/attribute.h: New file.
	* libs/libtcb.c, pam_tcb/pam_unix_passwd.c,
	pam_tcb/pam_unix_auth.c, pam_tcb/support.c, pam_tcb/support.h:
	Include it.

	* include/attribute.h, pam_tcb/support.h (_log_err): Add
	workaround for those systems which lack support for __attribute__

	* pam_tcb/support.c (_log_err): Remove no longer needed
	__attribute__ directive.

	* libs/libtcb.c (alarm_catch), pam_tcb/pam_unix_auth.c
	(retval_cleanup), pam_tcb/pam_unix_passwd.c (update_nis),
	pam_tcb/support.c (data_cleanup):
	Mark unused arguments with "unused" attribute.

	* libs/libtcb.c (ch_uid, ch_gid, tcb_drop_priv_r),
	progs/tcb_chkpwd.c (is_two_strings),
	pam_tcb/support.c (_set_ctrl):
	Avoid comparison between signed and unsigned.

	* pam_tcb/support.c (unix_run_helper_binary,
	unix_verify_password_plain): Eliminate unused variable pamh.

	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt),
	pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred),
	pam_tcb/pam_unix_passwd.c (update_nis, do_setpass, unix_prelim,
	pam_sm_chauthtok), pam_tcb/pam_unix_sess.c (pam_sm_open_session,
	pam_sm_close_session), pam_tcb/support.c (converse,
	failures_cleanup, do_record_failure, _unix_read_password):
	Fix the strict aliasing issues.

	* tcb.spec:

2004-06-25  Dmitry V. Levin  <ldv at>

	* progs/tcb_unconvert.c (copy_from_tcb):
	Zero errno before each readdir(3) call.

	* tcb.spec:

2003-11-02  Solar Designer  <solar at>

	* pam_tcb/Makefile: Use -fPIC.

	* libs/Makefile, misc/Makefile, pam_tcb/Makefile, progs/Makefile,
	tcb.spec: Renamed FAKEROOT to DESTDIR.

	* tcb.spec:

2003-10-29  Solar Designer  <solar at>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_acct.c,
	progs/tcb_convert.c, progs/tcb_unconvert.c: Don't depend on
	*BSD-style asprintf(3) semantics as Ulrich has rejected that

	* README: New file, explains how tcb may be built on non-Owl.

	* tcb.spec:

2003-04-18  Solar Designer  <solar at>

	* misc/tcb.5, pam_tcb/pam_tcb.8, progs/tcb_convert.8: Use bold
	face for component names in .SH NAME, but avoid *roff commands
	to not confuse makewhatis and apropos(1).

	* LICENSE: Updated copyrights for year 2003.

	* tcb.spec:

2003-04-16  Dmitry V. Levin  <ldv at>

	* pam_tcb/support.c: Implemented proper fake salt creation
	to avoid a timing attack.

	* tcb.spec:

2002-10-31  Solar Designer  <solar at>

	* progs/tcb_chkpwd.c: Optimized unix_verify_password() a bit,
	from Dmitry V. Levin <ldv at>.

	* tcb.spec:

2002-10-30  Solar Designer  <solar at>

	* progs/tcb_convert.8: Noted that /etc/shadow backups need to be
	removed as well, with /etc/shadow- as the particular example.

	* tcb.spec:

2002-10-24  Solar Designer  <solar at>

	* libs/nss.c, libs/libtcb.c, pam_tcb/support.c,
	progs/tcb_chkpwd.c, progs/tcb_unconvert.c, misc/tcb.5: Cleaned
	up the recent changes.

	* tcb.spec: Set version to

2002-08-20  Rafal Wojtczuk  <nergal at>

	* libs/nss.c, progs/tcb_unconvert.c, misc/tcb.5: Merged
	enhancements which remove 32K users limit.

	* libs/libtcb.c, include/tcb.h: Added ENABLE_SETFSUGID.

	* pam_tcb/support.c, progs/tcb_chkpwd.c: Pass the username to
	the helper binary such that it can handle non-unique UIDs.

	* tcb.spec, libs/Makefile: Set version to 0.9.8.

2002-08-19  Solar Designer  <solar at>

	* tcb.spec, libs/Makefile: Moved symlink to /usr/lib
	(patch from Dmitry V. Levin).

2002-08-04  Solar Designer  <solar at>

	* pam_tcb/pam_tcb.5, pam_tcb/pam_unix.5: Moved these manual
	pages to section 8 (the files are now gone).

	* pam_tcb/pam_tcb.8, pam_tcb/pam_unix.8: New files, based on
	the section 5 manual pages with minor changes.

	* tcb.spec, misc/tcb.5, progs/tcb_convert.8, pam_tcb/Makefile:
	Updates to reflect the above change.

	* libs/Makefile: Use trailing slashes after directories with
	install commands.

2002-07-07  Solar Designer  <solar at>

	* pam_tcb/pam_unix_acct.c, pam_tcb/pam_unix_passwd.c: No
	longer let root enforced password changes (sp_lstchg == 0)
	take precedence over expired accounts (sp_expire).

2002-05-19  Solar Designer  <solar at>

	* Make.defs: Renamed SYSBIN to SBINDIR, define LIBEXECDIR.

	* tcb.spec, progs/Makefile, pam_tcb/Makefile,
	pam_tcb/pam_tcb.5, misc/tcb.5: Moved the chkpwd directory to

	* misc/Makefile: Deal with SBINDIR and LIBEXECDIR.

2001-11-28  Dmitry V. Levin  <ldv at>

	* pam_tcb/support.c: Replaced signal call with sigaction call.

	* pam_tcb/support.c: Fixed possible "dereferencing NULL" typo.

	* progs/tcb_chkpwd.c: Test also stdout for isatty.

	* progs/Makefile: Create relative symlink instead of absolute.

	* libs/nss.c: Fixed glibc-2.2.4 compilation warning.
	* pam_tcb/pam_unix_passwd.c: Likewise.
	* progs/tcb_unconvert.c: Likewise.