Password authentication for web and mobile apps (e-book)

tcb - the alternative to /etc/shadow

The tcb package contains core components of our tcb suite implementing the alternative password shadowing scheme on Owl. It is being made available separately from Owl primarily for use by other distributions. Note that to compile and use this you either need recent libxcrypt (which adopted the password hashing API we had introduced in Owl) or our crypt_blowfish patched into glibc (which is how we had introduced that API originally).

The package consists of three components: pam_tcb, libnss_tcb, and libtcb.

pam_tcb is a PAM module which supersedes pam_unix. It also implements the tcb password shadowing scheme. The tcb scheme allows many core system utilities (passwd(1) being the primary example) to operate with lower privileges. libnss_tcb is the accompanying NSS module. libtcb contains code shared by the PAM and NSS modules and is also used by user management tools on Owl due to our shadow suite patches, which live on in ALT Linux.

Please refer to our presentation slides on Owl, in particular starting with this slide, for more information.

Download (release notes):

This and older revisions of tcb are also available from the Openwall file archive. The source code of the tcb suite can be browsed on GitHub or via CVSweb. You can also check out the change log.

Follow this link for information on verifying the signatures.

The tcb suite has been designed and implemented primarily by Rafal Wojtczuk with significant contributions from Solar Designer and Dmitry V. Levin. The program structure of pam_tcb and tcb_chkpwd has been influenced by that of Linux-PAM pam_unix.

tcb is fully integrated into Owl, distributions by ALT Linux team, and Mandriva Linux 2009 and up (and later in Mageia). It is available for Gentoo Linux.
/etc/tcb is natively supported in musl - a lightweight libc for Linux.

The tcb suite is a registered project with Open Hub.

You might want to check out these other PAM modules.

Quick Comment:

286121