I'm working towards integrating tcb fully into Annvix here and am running into a few issues. I had to forward-port quite a few patches from Owl CVS because we're using 4.0.12... I *think* I did a sufficient job. Everything compiles, and once I've got everything moved over onto a test virtual machine, it all installs, and authentication seems to work OK (with ssh login, local login, and sudo).

The problem I'm having is with passwd; it's segfaulting on me when I try to change a password. I've got my /etc/pam.d/system-auth nearly identical to the Openwall one (in Owl/packages/pam/system-auth.pam):

[root@ragtest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# $Id$
auth      required pam_env.so
auth      required pam_tcb.so shadow fork nullok prefix=$2a$ count=8
#auth     required pam_deny.so
account   required pam_tcb.so shadow fork
password  required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password  required pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8
#password required pam_deny.so
session   required pam_limits.so
session   required pam_tcb.so

A few things I noticed: I was originally trying to stick pam_tcb in there as a replacement for pam_unix, which is why I kept the last pam_deny.so call in there. Of course, with pam_unix this works OK, but with pam_tcb it doesn't, so I had to remove it. Does pam_tcb negate the need for pam_deny?

Anyways, my big problem here is with passwd segfaulting when I try to change my password (I haven't tried anything else that the shadow-utils tcb patches touch yet). I've changed perms so that /etc/shadow is owned root:shadow and mode 0440. I've used tcb_convert to enable my tcb files; my /etc/tcb files are owned [user]:auth, and the directories are all sgid auth. My own shadow file (/etc/tcb/vdanen) is owned vdanen:auth and is 640. I'm wondering if I missed a patch to passwd perhaps?
We use a separate passwd package that provides just passwd itself (it's the FreeBSD passwd with PAM support). I noticed passwd isn't in the Owl shadow-utils package (in fact, I'm at a loss as to which package in Openwall is providing passwd, since I don't see it in util-linux either).

It's good that auth works... it means I'm heading in the right direction.

Hmmm... wait... looks like it's wanting to use /etc/shadow regardless of the USE_TCB setting in login.defs (unless it requires the shadow file to exist still?). Hmmm... do I need to put tcb into the shadow line in /etc/nsswitch.conf?

OK, looks like I need to have "files tcb bla..." in the nsswitch.conf; then I don't need /etc/shadow (or, rather, it tells me it's properly getting it from the tcb files). Despite that change (not that I thought it would really help), I still can't change my password. /usr/bin/passwd is sgid shadow.

Oh, all I did was add three groups: auth, shadow, and chkpwd (gids 27, 28, and 29 respectively). Are any users required to operate things? I didn't notice anything looking through the slides and spec files.

I think I'm half-way there, which is really cool, but I need some assistance getting the rest of the way. For reference, I'm using:

  shadow-utils 4.0.12
  passwd 0.71
  util-linux 2.12r (although this is unpatched; just for reference)
  pam 0.99.3.0

The following are the patches I took and rediffed from the Openwall shadow-utils package:

  Patch4: shadow-4.0.12-avx-man.patch
  Patch6: shadow-4.0.12-avx-crypt_gensalt.patch
  Patch7: shadow-4.0.12-avx-usergroupname_max.patch
  Patch8: shadow-4.0.12-avx-tcb.patch

I looked through the other shadow-utils patches and they didn't look to be tcb-related, so I didn't pursue those further.

Any ideas at all would be appreciated. Thanks much.

--
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
mysql> SELECT * FROM users WHERE clue > 0;
Empty set (0.00sec)
:: Annvix - Secure Linux Server: http://annvix.org/ ::
This archive was generated by hypermail 2.1.3 : Sat Jul 01 2006 - 13:26:55 PDT