Date: Wed, 5 Mar 2014 17:30:53 +0100 From: Daniel Cegiełka <daniel.cegielka@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Linux-PAM pam_unix/unix_chkpwd is fail-open 2014-03-04 21:54 GMT+01:00 Solar Designer <solar@...nwall.com>: > Someone might want to patch this issue in Linux-PAM. > > Alexander Hi Alexander, I know it's not realistic, but it may be easier to go to the OpenPAM. The code is much smaller and easier to audit (and tcb works with OpenPAM). OpenBSD is doing well with the BSD auth and gain the same as with PAM (plugins via /usr/libexec/auth/*). BSD auth is only three C core files: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/auth_subr.c?rev=1.39;content-type=text%2Fplain http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/authenticate.c?rev=1.20;content-type=text%2Fplain http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/login_cap.c?rev=1.29;content-type=text%2Fplain So it might be a better 'patch' than bloated Linux-PAM. btw. I'm thinking about porting BSD auth API to Linux/tcb. Daniel
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ