Date: Sun, 2 Jul 2006 10:26:06 +0400
From: Solar Designer <>
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sat, Jul 01, 2006 at 11:13:15PM -0600, Vincent Danen wrote:
> ALT doesn't use SimplePAMApps' passwd program, but has his own (had to
> poke around to find it).

You're right.  Sorry for the confusion.

OK, if there's a problem compiling SimplePAMApps' passwd with gcc 4.1+,
we'll find that out very soon and fix it.

> Now, I just want to clarify something and I'm far from a pam expert
> here...  but when you have /etc/pam.d/passwd and it's going through the
> stack (ie. pam_passwdqc and pam_tcb) for the password section, is
> pam_tcb modifying the shadow file or is the passwd program?

pam_tcb does that.  That's why you have to tell it to write_to=tcb.

> My thinking is that pam_tcb tells passwd that it has the right guy...
> either I authenticate with my password or I don't, so passwd is
> looking for a PAM_SUCCESS to come back to it, and when that's done it
> will write the password.  So I'm thinking that passwd actually does the
> writing and pam_tcb doesn't actually touch the shadow or tcb files,
> correct?

No.  The passwd program should not even know where the passwords or
password hashes are stored; it is just a tiny wrapper around PAM calls.

Besides, the PAM password changing stack may also be invoked from login
services to force changing of expired passwords.  The passwd program is
not involved in this at all.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
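
The division of labour described in the reply above (pam_tcb in the password stack does the writing, and has to be told write_to=tcb) can be checked against a PAM service file. The following is an added example, not part of the original message or of the tcb project's code; the sample file contents and the function names are constructed for illustration.

```python
# Constructed sample of /etc/pam.d/passwd for illustration (not from the thread).
SAMPLE = """\
#%PAM-1.0
auth      required  pam_tcb.so shadow nullok
account   required  pam_tcb.so shadow
password  required  pam_passwdqc.so min=disabled,12,8,6,5 max=40
password  required  pam_tcb.so use_authtok shadow write_to=tcb
"""

def parse_stack(text, mgmt_type="password"):
    """Return [(control, module, args)] for one management group of a service file."""
    entries = []
    # A trailing backslash continues the entry on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-").lower() != mgmt_type:
            continue
        end = 1
        # The control field is one word or a bracketed list such as
        # [success=ok default=die], which contains spaces.
        if fields[1].startswith("["):
            while not fields[end].endswith("]") and end < len(fields) - 1:
                end += 1
        if end + 1 >= len(fields):
            continue  # malformed entry: no module after the control field
        module = fields[end + 1].rsplit("/", 1)[-1]
        entries.append((" ".join(fields[1:end + 1]), module, fields[end + 2:]))
    return entries

def check_password_stack(text):
    """Return a list of problems; an empty list means pam_tcb writes to tcb."""
    problems = []
    writers = [e for e in parse_stack(text) if e[1] == "pam_tcb.so"]
    if not writers:
        problems.append("no pam_tcb entry in the password stack")
    for _control, module, args in writers:
        targets = [a.split("=", 1)[1] for a in args if a.startswith("write_to=")]
        if targets != ["tcb"]:
            found = ", ".join(targets) or "not set"
            problems.append(f"{module}: write_to is {found}, expected tcb")
    return problems

if __name__ == "__main__":
    for problem in check_password_stack(SAMPLE) or ["ok: pam_tcb has write_to=tcb"]:
        print(problem)
```

The same check applies to any service whose password stack can be invoked to change an expired password, since the passwd program is not involved there.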
