[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 11 Jan 2021 16:39:21 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] tcb 1.2
Hi,
After 10 years since the previous release, we've just released version
1.2 of tcb, the alternative password shadowing scheme we had introduced
in Owl. tcb is currently in use in ALT Linux distributions and Mageia.
https://www.openwall.com/tcb/
The tcb package consists of three components: pam_tcb, libnss_tcb, and
libtcb. pam_tcb is a PAM module which supersedes pam_unix. It also
implements the tcb password shadowing scheme. The tcb scheme allows
many core system utilities (passwd(1) being the primary example) to
operate with lower privileges. libnss_tcb is the accompanying NSS
module. libtcb contains code shared by the PAM and NSS modules, and is
also to be used by user management tools.
Due to the password hashing API we had introduced in Owl having been
recently adopted by libxcrypt, you no longer need our crypt_blowfish
patched into glibc to compile and use our tcb. You can instead use
libxcrypt, which e.g. Fedora already does.
Changes in tcb 1.2 include libxcrypt and recent glibc support, i18n
support, and dropping of NIS/NIS+ support (which we consider obsolete).
These were implemented mostly by Dmitry V. Levin originally for ALT
Linux. The full change log since tcb 1.1 follows:
2021-01-11 Solar Designer <solar at owl.openwall.com>
* tcb.spec: 1.2.
* LICENSE: Update copyright years for Dmitry's recent contributions.
2020-07-16 Dmitry V. Levin <ldv at owl.openwall.com>
tcb_chkpwd: remove the last remaining piece of NIS+ support.
* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
of NIS+ password entries.
tcb_unconvert: print error diagnostics if the final chown fails.
* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
case of an error returned by the final chown invocation. This does
not affect the exit status of tcb_unconvert, though, since the final
chown does not affect the result of conversion.
2020-07-15 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
of struct passwd with zero.
pam_tcb: fix harmless -Wpointer-sign compilation warnings.
* pam_tcb/support.h (struct pam_unix_params): Change the type of
"crypt_prefix" and "helper" fields from "const unsigned char *"
to "const char *".
2018-07-07 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
to OpenBSD.
This does not affect builds with libxcrypt >= 4.1.0 that provides
CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro.
* pam_tcb/support.c (_set_ctrl)
[!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$"
with "$2b$".
* pam_tcb/pam_tcb.8 (prefix): Likewise.
2018-06-26 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: request automatic prefix if libcrypt implements it.
In libxcrypt, starting with version 4.0.0, supplying a null pointer
as the "prefix" argument to crypt_gensalt_ra function will cause it
to select the best available hash function.
Starting with version 4.1.0, libxcrypt provides
CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability
of this feature at build time.
* pam_tcb/support.c (_set_ctrl)
[CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When
pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
default value.
* pam_tcb/pam_tcb.8: Document this.
pam_tcb: request automatic entropy if libcrypt implements it.
In libxcrypt, starting with version 4.0.0, supplying a null pointer
as the "rbytes" argument to crypt_gensalt_ra function will cause it
to acquire random bytes from the operating system.
Starting with version 4.1.0, libxcrypt provides
CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability
of this feature at build time.
* pam_tcb/support.c (do_crypt)
[CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]: Invoke crypt_gensalt_ra
with null "rbytes" and zero "nrbytes" arguments.
2018-06-19 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
(MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE):
Update messages.
(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace
MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of
MESSAGE_WARN_EXPIRE.
2018-05-31 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
This follows the change in pam_unix implemented in Linux-PAM
commit Linux-PAM-1.3.0~5.
pam_get_authtok(3) is available in OpenPAM since 2002-04-08
and in Linux-PAM since 2008-12-03.
As pam_get_authtok(3) does not support not_set_pass option,
the support for this not much useful option is dropped.
Instead pam_tcb gets a proper support for authtok_type= option.
* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
(authtok_type): New option.
* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
(pam_sm_authenticate): Use pam_get_authtok instead of
_unix_read_password.
* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
Remove unused macros.
(do_setpass): Remove "fromwhat" argument.
(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove
unused functions.
(unix_bools): Replace "not_set_pass" with "use_first_pass" and
"try_first_pass".
(parse_opt): Remove manual handling of "use_first_pass" and
"try_first_pass".
(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
the_cmdline_opts. Remove manual handling of "authtok_usage=".
* pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS,
UNIX_AUTHTOK_TYPE): New enum constants.
(PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2,
MESSAGE_MISTYPED): Remove unused macros.
(UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused
enum constants.
(struct pam_unix_params): Remove unused authtok_usage field.
(_unix_read_password): Remove unused prototype.
2018-05-22 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: drop obsolete NIS/NIS+ support.
The GNU C library, starting with version 2.26, deprecated libnsl.
As result, pam_tcb no longer builds with modern versions of glibc
configured without --enable-obsolete-nsl option.
While glibc recommends to use replacement implementations based on
TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether.
* pam_tcb/yppasswd.h: Remove.
* pam_tcb/yppasswd_xdr.c: Likewise.
* pam_tcb/Makefile: Do not link with -lnsl.
(LIBSRC): Remove yppasswd_xdr.c.
* pam_tcb/pam_tcb.8: Remove references to NIS+.
* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
* pam_tcb/support.c: Likewise.
* pam_tcb/support.h: Likewise.
* progs/tcb_convert.8: Remove references to nis and nisplus.
2012-05-24 Dmitry V. Levin <ldv at owl.openwall.com>
pam_tcb: Implement i18n support.
Linux-PAM starting with release 0.81 implements i18n support using
gettext. This change extends i18n support to pam_tcb.
The i18n support is not enabled by default, define both ENABLE_NLS and
NLS_PACKAGE macros to enable it. When NLS_PACKAGE macro is defined to
"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
* pam_tcb/support.h: Mark all messages for translation. Pass through
dgettext all messages marked for translation when both ENABLE_NLS and
NLS_PACKAGE macros are defined.
Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
