Re: [owl-users] tcb and friends with shadow-utils 4.0.12

From: Solar Designer (solar@private)
Date: Sun Jul 02 2006 - 17:38:07 PDT


On Sun, Jul 02, 2006 at 10:11:37AM -0600, Vincent Danen wrote:
> I suppose the passwd
> program would make sure the two entered passwords are identical and then
> hand that password off to pam_tcb).

That's not how things work.

The PAM conversation function provided by the passwd program receives
multiple echo-off input prompts from the PAM stack.  It does not know
which of those prompts are for the new password, nor does it care.  In
fact, for a text terminal interface, the passwd program may provide the
standard PAM conversation function from libpam_misc rather than bother
with its own implementation.

With the configuration you had posted, the two new password prompts
originate from pam_passwdqc.  If you remove pam_passwdqc from the stack
and also remove the use_authtok option from pam_tcb, then the prompts
will originate from pam_tcb.

As it relates to the segfault you're seeing, I think it'd be most
straightforward to debug it rather than proceed to theorize as to its
possible cause.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments



This archive was generated by hypermail 2.1.3 : Sun Jul 02 2006 - 18:06:09 PDT