Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon, 3 Jul 2006 04:38:07 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sun, Jul 02, 2006 at 10:11:37AM -0600, Vincent Danen wrote:
> I suppose the passwd
> program would make sure the two entered passwords are identical and then
> hand that password off to pam_tcb).

That's not how things work.

The PAM conversation function provided by the passwd program receives
multiple echo-off input prompts from the PAM stack.  It does not know
which of those prompts are for the new password, nor does it care.  In
fact, for a text terminal interface, the passwd program may provide the
standard PAM conversation function from libpam_misc rather than bother
with its own implementation.

With the configuration you had posted, the two new password prompts
originate from pam_passwdqc.  If you remove pam_passwdqc from the stack
and also remove the use_authtok option from pam_tcb, then the prompts
will originate from pam_tcb.

As it relates to the segfault you're seeing, I think it'd be most
straightforward to debug it rather than proceed to theorize as to its
possible cause.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux