Date: Mon, 11 Jan 2021 16:39:21 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] tcb 1.2

Hi,

10 years after the previous release, we've just released version 1.2 of tcb, the alternative password shadowing scheme we had introduced in Owl. tcb is currently in use in ALT Linux distributions and Mageia.

https://www.openwall.com/tcb/

The tcb package consists of three components: pam_tcb, libnss_tcb, and libtcb. pam_tcb is a PAM module which supersedes pam_unix. It also implements the tcb password shadowing scheme. The tcb scheme allows many core system utilities (passwd(1) being the primary example) to operate with lower privileges. libnss_tcb is the accompanying NSS module. libtcb contains code shared by the PAM and NSS modules, and is also to be used by user management tools.

Because the password hashing API we had introduced in Owl has recently been adopted by libxcrypt, you no longer need our crypt_blowfish patched into glibc to compile and use our tcb. You can instead use libxcrypt, which e.g. Fedora already does.

Changes in tcb 1.2 include libxcrypt and recent glibc support, i18n support, and dropping of NIS/NIS+ support (which we consider obsolete). These were implemented mostly by Dmitry V. Levin, originally for ALT Linux.

The full change log since tcb 1.1 follows:

2021-01-11  Solar Designer  <solar at owl.openwall.com>

	* tcb.spec: 1.2.
	* LICENSE: Update copyright years for Dmitry's recent contributions.

2020-07-16  Dmitry V. Levin  <ldv at owl.openwall.com>

	tcb_chkpwd: remove the last remaining piece of NIS+ support.
	* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
	of NIS+ password entries.

	tcb_unconvert: print error diagnostics if the final chown fails.
	* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
	case of an error returned by the final chown invocation.
	This does not affect the exit status of tcb_unconvert, though, since
	the final chown does not affect the result of conversion.

2020-07-15  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
	* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
	of struct passwd with zero.

	pam_tcb: fix harmless -Wpointer-sign compilation warnings.
	* pam_tcb/support.h (struct pam_unix_params): Change the type of
	"crypt_prefix" and "helper" fields from "const unsigned char *" to
	"const char *".

2018-07-07  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
	to OpenBSD.
	This does not affect builds with libxcrypt >= 4.1.0 that provides the
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro.
	* pam_tcb/support.c (_set_ctrl)
	[!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$" with "$2b$".
	* pam_tcb/pam_tcb.8 (prefix): Likewise.

2018-06-26  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: request automatic prefix if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer as
	the "prefix" argument to the crypt_gensalt_ra function will cause it to
	select the best available hash function. Starting with version 4.1.0,
	libxcrypt provides the CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to
	test the availability of this feature at build time.
	* pam_tcb/support.c (_set_ctrl)
	[CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When
	pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
	default value.
	* pam_tcb/pam_tcb.8: Document this.

	pam_tcb: request automatic entropy if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer as
	the "rbytes" argument to the crypt_gensalt_ra function will cause it to
	acquire random bytes from the operating system. Starting with version
	4.1.0, libxcrypt provides the CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY
	macro to test the availability of this feature at build time.
	* pam_tcb/support.c (do_crypt) [CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]:
	Invoke crypt_gensalt_ra with null "rbytes" and zero "nrbytes"
	arguments.

2018-06-19  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
	* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
	(MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE): Update
	messages.
	(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace
	MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of
	MESSAGE_WARN_EXPIRE.

2018-05-31  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
	This follows the change in pam_unix implemented in Linux-PAM commit
	Linux-PAM-1.3.0~5. pam_get_authtok(3) is available in OpenPAM since
	2002-04-08 and in Linux-PAM since 2008-12-03. As pam_get_authtok(3)
	does not support the not_set_pass option, the support for this not
	very useful option is dropped. Instead, pam_tcb gets proper support
	for the authtok_type= option.
	* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
	(authtok_type): New option.
	* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
	(pam_sm_authenticate): Use pam_get_authtok instead of
	_unix_read_password.
	* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
	Remove unused macros.
	(do_setpass): Remove "fromwhat" argument.
	(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
	(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
	* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove unused
	functions.
	(unix_bools): Replace "not_set_pass" with "use_first_pass" and
	"try_first_pass".
	(parse_opt): Remove manual handling of "use_first_pass" and
	"try_first_pass".
	(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
	the_cmdline_opts. Remove manual handling of "authtok_usage=".
	* pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS,
	UNIX_AUTHTOK_TYPE): New enum constants.
	(PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2,
	MESSAGE_MISTYPED): Remove unused macros.
	(UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused enum
	constants.
	(struct pam_unix_params): Remove unused authtok_usage field.
	(_unix_read_password): Remove unused prototype.

2018-05-22  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: drop obsolete NIS/NIS+ support.
	The GNU C library, starting with version 2.26, deprecated libnsl. As a
	result, pam_tcb no longer builds with modern versions of glibc
	configured without the --enable-obsolete-nsl option. While glibc
	recommends using replacement implementations based on TIRPC, it's time
	to get rid of obsolete NIS/NIS+ support altogether.
	* pam_tcb/yppasswd.h: Remove.
	* pam_tcb/yppasswd_xdr.c: Likewise.
	* pam_tcb/Makefile: Do not link with -lnsl.
	(LIBSRC): Remove yppasswd_xdr.c.
	* pam_tcb/pam_tcb.8: Remove references to NIS+.
	* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
	* pam_tcb/support.c: Likewise.
	* pam_tcb/support.h: Likewise.
	* progs/tcb_convert.8: Remove references to nis and nisplus.

2012-05-24  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: Implement i18n support.
	Linux-PAM, starting with release 0.81, implements i18n support using
	gettext. This change extends i18n support to pam_tcb. The i18n support
	is not enabled by default; define both the ENABLE_NLS and NLS_PACKAGE
	macros to enable it. When the NLS_PACKAGE macro is defined to
	"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
	* pam_tcb/support.h: Mark all messages for translation. Pass all
	messages marked for translation through dgettext when both the
	ENABLE_NLS and NLS_PACKAGE macros are defined.

Alexander