Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060703003807.GA16646@openwall.com>
Date: Mon, 3 Jul 2006 04:38:07 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sun, Jul 02, 2006 at 10:11:37AM -0600, Vincent Danen wrote:
> I suppose the passwd
> program would make sure the two entered passwords are identical and then
> hand that password off to pam_tcb).

That's not how things work.

The PAM conversation function provided by the passwd program receives
multiple echo-off input prompts from the PAM stack.  It does not know
which of those prompts are for the new password, nor does it care.  In
fact, for a text terminal interface, the passwd program may provide the
standard PAM conversation function from libpam_misc rather than bother
with its own implementation.

With the configuration you had posted, the two new password prompts
originate from pam_passwdqc.  If you remove pam_passwdqc from the stack
and also remove the use_authtok option from pam_tcb, then the prompts
will originate from pam_tcb.

As it relates to the segfault you're seeing, I think it'd be most
straightforward to debug it rather than proceed to theorize as to its
possible cause.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.