Re: [owl-users] tcb and friends with shadow-utils 4.0.12

From: Solar Designer (solar@private)
Date: Sat Jul 01 2006 - 23:26:06 PDT


On Sat, Jul 01, 2006 at 11:13:15PM -0600, Vincent Danen wrote:
> ALT doesn't use SimplePAMApps' passwd program, but has his own (had to
> poke around to find it).

You're right.  Sorry for the confusion.

OK, if there's a problem compiling SimplePAMApps' passwd with gcc 4.1+,
we'll find that out very soon and fix it.

> Now, I just want to clarify something and I'm far from a pam expert
> here...  but when you have /etc/pam.d/passwd and it's going through the
> stack (i.e. pam_passwdqc and pam_tcb) for the password section, is
> pam_tcb modifying the shadow file or is the passwd program?

pam_tcb does that.  That's why you have to tell it to write_to=tcb.

> My thinking is that pam_tcb tells passwd that it has the right guy...
> either I authenticate with my password and or I don't, so passwd is
> looking for a PAM_SUCCESS to come back to it, and when that's done it
> will write the password.  So I'm thinking that passwd actually does the
> writing and pam_tcb doesn't actually touch the shadow or tcb files,
> correct?

No.  The passwd program should not even know where the passwords or
password hashes are stored; it is just a tiny wrapper around PAM calls.

Besides, the PAM password changing stack may also be invoked from login
services to force changing of expired passwords.  The passwd program is
not involved in this at all.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
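To make the division of labour described above concrete, here is an illustrative /etc/pam.d/passwd stack of the kind the thread discusses. It is an added example, not a file shipped by Owl, ALT or SimplePAMApps; the write_to=tcb option is the one named in the message, while the other module arguments (the pam_passwdqc policy values, use_authtok, fork) are assumptions chosen to show the mechanism and should be checked against the pam_passwdqc and pam_tcb documentation for your system.

```text
# /etc/pam.d/passwd  (illustrative example, not a distribution's shipped file)
#
# The passwd binary is only a thin PAM client: it calls pam_start("passwd", ...),
# pam_chauthtok() and pam_end().  It never opens /etc/shadow or /etc/tcb/*.
# Which files change, and how, is decided entirely by the lines below.

# 1. Policy.  pam_passwdqc prompts for the new password, checks it against the
#    quality settings, and passes the accepted value down the stack as the
#    PAM authtok.  It reads and writes no password database.
#    (Policy values below are the module's documented defaults, assumed here.)
password  required  pam_passwdqc.so  min=disabled,24,12,8,7 max=40 passphrase=3 \
                                    match=4 similar=deny random=42 enforce=everyone retry=3

# 2. Storage.  pam_tcb verifies the current password, takes the new one that
#    pam_passwdqc already collected (use_authtok), hashes it and writes it to
#    /etc/tcb/<user>/shadow because of write_to=tcb.  This is the only line in
#    the stack that modifies anything on disk.  (fork is assumed: it lets the
#    module do the write in a child process rather than in the calling program.)
password  required  pam_tcb.so  use_authtok write_to=tcb fork
```

The same "password" stack is what a login service reaches when pam_tcb's account check reports an expired password and the login program calls pam_chauthtok() to force a change; passwd is not involved in that path at all, which is why the write logic has to live in the module rather than in the wrapper.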

This archive was generated by hypermail 2.1.3 : Sat Jul 01 2006 - 23:28:09 PDT