Date: Sun, 2 Jul 2006 10:26:06 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sat, Jul 01, 2006 at 11:13:15PM -0600, Vincent Danen wrote:
> ALT doesn't use SimplePAMApps' passwd program, but has his own (had to
> poke around to find it).

You're right. Sorry for the confusion.

OK, if there's a problem compiling SimplePAMApps' passwd with gcc 4.1+,
we'll find that out very soon and fix it.

> Now, I just want to clarify something and I'm far from a pam expert
> here... but when you have /etc/pam.d/passwd and it's going through the
> stack (ie. pam_passwdqc and pam_tcb) for the password section, is
> pam_tcb modifying the shadow file or is the passwd program?

pam_tcb does that. That's why you have to tell it to write_to=tcb.

> My thinking is that pam_tcb tells passwd that it has the right guy...
> either I authenticate with my password and or I don't, so passwd is
> looking for a PAM_SUCCESS to come back to it, and when that's done it
> will write the password. So I'm thinking that passwd actually does the
> writing and pam_tcb doesn't actually touch the shadow or tcb files,
> correct?

No. The passwd program should not even know where the passwords or
password hashes are stored; it is just a tiny wrapper around PAM calls.

Besides, the PAM password changing stack may also be invoked from login
services to force changing of expired passwords. The passwd program is
not involved in this at all.

--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments