Sudarshan Soma | 2 Sep 08:35 2008

pam_tally + flock

Hi All,
How does pam_tally keep the its database (user invalid attempts count,
timeout,..)in a consistent way from several processes(telnet, ssh,..)
attempting to update it.
It doesnt seem to be using flock before updating. Please let me know
if i have missed something

Vasudeva R | 3 Sep 17:04 2008

dictpath usage with pam_cracklib (pam version is 0.77)


Can anybody explain how this dictpath works with pam-cracklib in 0.77 version ?

option : dictpath=/path/to/dict


Pam-list mailing list
Pam-list <at>
Jozsef Kadlecsik | 5 Sep 14:01 2008

[PATCH] Fix libxcrypt support


In Linux-PAM-1.0.2 libxcrypt the preferred crypto library. However, the 
source files include 'crypt.h' instead of 'xcrypt.h'. In consequence, 
crypt from libcrypt is used and blowfish, sha256, sha512 support is lost 
if the system uses glibc < 2.7.

I also noticed that blowfish is not supported as encryption algorythm for 
new passwords in Linux-PAM. Is there any specific reason for that? Patch 
to add full blowfish support were welcomed? ;-)

diff -ru Linux-PAM-1.0.2-orig/ Linux-PAM-1.0.2-xcrypt/
--- Linux-PAM-1.0.2-orig/	2008-08-29 10:13:38.000000000 +0200
+++ Linux-PAM-1.0.2-xcrypt/	2008-09-05 12:54:30.000000000 +0200
 <at>  <at>  -430,7 +430,7  <at>  <at> 
 AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h
termio.h unistd.h sys/fsuid.h inittypes.h)

+AC_CHECK_HEADERS(xcrypt.h crypt.h)

 dnl For module/pam_lastlog
 AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
diff -ru Linux-PAM-1.0.2-orig/modules/pam_cracklib/pam_cracklib.c Linux-PAM-1.0.2-xcrypt/modules/pam_cracklib/pam_cracklib.c
--- Linux-PAM-1.0.2-orig/modules/pam_cracklib/pam_cracklib.c	2008-03-05 21:21:38.000000000 +0100
+++ Linux-PAM-1.0.2-xcrypt/modules/pam_cracklib/pam_cracklib.c	2008-09-05 13:00:29.000000000 +0200
 <at>  <at>  -37,7 +37,9  <at>  <at> 
 #include "config.h"

 #include <stdio.h>
-#ifdef HAVE_CRYPT_H
+# include <xcrypt.h>
+#elif defined(HAVE_CRYPT_H)
 # include <crypt.h>
 #include <unistd.h>
diff -ru Linux-PAM-1.0.2-orig/modules/pam_unix/bigcrypt.c Linux-PAM-1.0.2-xcrypt/modules/pam_unix/bigcrypt.c
--- Linux-PAM-1.0.2-orig/modules/pam_unix/bigcrypt.c	2008-01-24 17:42:59.000000000 +0100
+++ Linux-PAM-1.0.2-xcrypt/modules/pam_unix/bigcrypt.c	2008-09-05 12:59:02.000000000 +0200
 <at>  <at>  -29,7 +29,9  <at>  <at> 
 #include <string.h>
 #include <stdlib.h>
 #include <security/_pam_macros.h>
-#ifdef HAVE_CRYPT_H
+#include <xcrypt.h>
+#elif defined(HAVE_CRYPT_H)
 #include <crypt.h>

diff -ru Linux-PAM-1.0.2-orig/modules/pam_unix/passverify.c Linux-PAM-1.0.2-xcrypt/modules/pam_unix/passverify.c
--- Linux-PAM-1.0.2-orig/modules/pam_unix/passverify.c	2008-01-28 14:20:29.000000000 +0100
+++ Linux-PAM-1.0.2-xcrypt/modules/pam_unix/passverify.c	2008-09-05 12:59:40.000000000 +0200
 <at>  <at>  -19,7 +19,9  <at>  <at> 
 #include <sys/time.h>
 #include <sys/stat.h>
 #include <fcntl.h>
-#ifdef HAVE_CRYPT_H
+#include <xcrypt.h>
+#elif defined(HAVE_CRYPT_H)
 #include <crypt.h>

diff -ru Linux-PAM-1.0.2-orig/modules/pam_userdb/pam_userdb.c Linux-PAM-1.0.2-xcrypt/modules/pam_userdb/pam_userdb.c
--- Linux-PAM-1.0.2-orig/modules/pam_userdb/pam_userdb.c	2006-06-17 18:44:58.000000000 +0200
+++ Linux-PAM-1.0.2-xcrypt/modules/pam_userdb/pam_userdb.c	2008-09-05 12:58:11.000000000 +0200
 <at>  <at>  -17,7 +17,9  <at>  <at> 
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <errno.h>
-#ifdef HAVE_CRYPT_H
+#include <xcrypt.h>
+#elif defined(HAVE_CRYPT_H)
 #include <crypt.h>

Best regards,
E-mail  : kadlec <at>, kadlec <at>
PGP key :
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
Sudarshan Soma | 15 Sep 12:40 2008

PAM module sequence

Hi All,
Iam trying to authenticate users based on sequence as below: Iam
planning to use PAM for that. To achieve the below sequence i plan to
use pam_set_data and pam_get_data.

1.  Try Remote Authentication PAM module (This module contacts remote
server for auth information)
The above fails with following reasons:
                  -- remote server not reachable
                  -- some fatal error
                  -- authentication failed....
                  (use pam_set_data  to set the error code)
2. Try with (This module will track number of invalid
login attempts by particular user)
           -- here i increment invalid login count per user only if
the above module fails with authentication failed error(by

Please let me know if there is a better way to do the above. Any
comments/links  really helpful.

Best Regards,
Sudarshan Soma | 18 Sep 10:11 2008

Authentication flow

Hi All,
I have three authentication modules
-- (for remote authentication)
-- pam_unix ( unix local authentication)
-- pam_opie (challenge/response)
and other accounting modules such as pam_abl, which does user lockout/iplocking.

I would like to choose a better authentication for access to my service:

These are my requirements/clarifications:

--  An intruder should not know how his authentication has failed(due
to user locking or IP address locking or  wrong passwd for remote
authenticaon or for local authenticaion ),  but only SecurityAdmin can
see them in logs. Intruder just gets error as LOGIN failed.
-- While logging to the service, should i allow user to specify
authentication type  such as challenge-response or local, if Radius
servers are not reachable. Will this cause any kind of break in secure
authentication process or does ti contrast with above.
I am thinking of this to help legitimate users to get logged into the service

I am kind of lost here, Can anyone please advise the better approach her.

Many Thanks
Sudarshan Soma | 18 Sep 10:16 2008

passing data from PAM module to application

Hi All,
My PAM application uses remote authentication module for authenticating users from remote servers. There
can be several remote servers. In this case, can any one please
suggest me the best way to gather information on several remote
servers such as
-- server reachability, (kind of returning  array saying server 1 is
reachable, server 2 is unreachable)
--  do they run radius service

I am trying to use pam_get_env pam_set_env for the above. Please
advise, if this is not the proper way.

I looked at pam_set_data, but i think this cant be used in PAM application.

Best Regards,
Louis-Dominique Dubeau | 19 Sep 09:40 2008

Re: suggestion: decouple unshare from mounting in pam_namespace

Ok, following up on an old discussion (see below).  I've submitted a patch to 
the tracker to create a new module called pam_unshare which does what we 
discussed here.  I did not have our discussion at hand when I sent the patch 
to the tracker so if I need to send a tarball instead of a patch please let me 
know.  Or if there is anything else I should do, let me know.  I want as much 
as possible to ensure a speedy inclusion of this patch to the mainline PAM.  
I'm actively using pam_unshare right now so I'd rather see it be a standard 
part of my distro rather than have to compile my own hacked PAM packages.


On Saturday 24 May 2008 02:31:05 Tomas Mraz wrote:
> On Fri, 2008-05-23 at 13:50 -0400, Louis-Dominique Dubeau wrote:
> > ´╗┐On Fri, 2008-05-23 at 10:24 -0400, Louis-Dominique Dubeau wrote:
> > > It makes sense somewhat. But with the KISS principle in mind - when you
> > > want just the unshare, why not create a new module called pam_unshare,
> > > which would just call unshare and not do anything else? I think we
> > > could accept such module into Linux-PAM.
> >
> > I have no problem with this approach.  I just do not know pam well
> > enough to know whether this would have unforeseen consequences or not.
> >
> > What needs to be done to ensure the presence of pam_unshare in a future
> > version of pam?
> Just use some existing module as a template - for example remove all
> unnecessary code from pam_namespace + rename all the source files. Also
> rewrite the documentation. Then attach a tarball with the module into
> the issue tracker on PAM page.
Lynn York | 19 Sep 18:56 2008

Authentication problems with ldap



   I am having some issue with PAM and authentication with an openldap proxy to AD.  When I query the user I am able to get back the userPassword attribute and everything looks to be correct.  I can “su username” and it works properly, but when I attempt to “ssh user <at> localhost” it will not accept the password.  The password is stored as {crypt}.  Any help or suggestions would be greatly appreciated.




Attachment (smime.p7s): application/x-pkcs7-signature, 4653 bytes
Pam-list mailing list
Pam-list <at>
Kenneth Geisshirt | 20 Sep 10:19 2008

Re: Authentication problems with ldap

Lynn York wrote:
>    I am having some issue with PAM and authentication with an openldap proxy
> to AD.  

Please send your configuration files. Otherwise it is a bit hard to help

Lynn York | 22 Sep 14:41 2008

RE: Authentication problems with ldap

Below are my config files:

# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required

account     required
account     sufficient uid < 500 quiet
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond
quiet use_uid
session     required
# Host to connect to
#port 389
port 636

debug 0
logdir /var/log/pam_ldap

base dc=ldaptest,dc=local
ldap_version 3

#binddn bind <at> ldaptest.local

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw testing
scope sub

timelimit 6 
bind_timelimit 3

idle_timeout 90

# nss_ldap configuration parameter
bind_policy soft

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass posixGroup group
#nss_map_objectclass account user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute userPassword unixUserPassword
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_attribute uniqueMember member
#nss_map_attribute gecos cn

pam_login_attribute uid
pam_lookup_policy yes

# Access controls via ldap
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login. 
#pam_check_host_attr no

#pam_check_service_attr no

#pam_min_uid 1000

# Do not hash the password at all, assume the directory is doing this
pam_password ad

# nss_ldap configurations
nss_base_passwd         cn=users,dc=ldaptest,dc=local?sub
#ssl no
# openldap SSL bits
ssl start_tls
tls_cacertfile /etc/openldap/certs/cert.crt
tls_ciphers HIGH

SLAPD config:

include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema

loglevel 1 2 4 8 16 32 128 256 16384
password-hash   {CRYPT}

pidfile         /var/run/openldap/
argsfile        /var/run/openldap/slapd.args

TLSCipherSuite HIGH:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateFile /usr/local/openldap/etc/openldap/certs/cert.crt
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/certs/cert.key
security ssf=1 update_ssf=128 simple_bind=128 update_tls=128 tls=128

database                bdb

suffix                  "dc=ldaptest,dc=local"
rootdn                  "cn=manager,dc=ldaptest,dc=local"
rootpw                  {SSHA}uxhIdkPFWVYdBMaHg8m0O+5Y7cchdxnG

chase-referrals         no
rebind-as-user          yes
directory               "/usr/local/openldap/var/openldap-data"

overlay rwm
rwm-map objectclass  user       posixAccount
rwm-map attribute    sAMAccountname     uid
rwm-map attribute    givenName          cn
rwm-map attribute    unixHomeDirectory  homeDirectory
rwm-map attribute    unixUserPassword   UserPassword

access to attrs=userPassword
        by dn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"
        by self read
        by * auth

access to * by * read

syncrepl rid=1
         retry="60 3 300 10"
         binddn="cn=Bind User,cn=Users,dc=ldaptest,dc=local"


-----Original Message-----
From: pam-list-bounces <at> [mailto:pam-list-bounces <at>] On
Behalf Of Kenneth Geisshirt
Sent: Saturday, September 20, 2008 4:19 AM
To: Pluggable Authentication Modules
Subject: Re: Authentication problems with ldap

Lynn York wrote:
>    I am having some issue with PAM and authentication with an openldap
> to AD.  

Please send your configuration files. Otherwise it is a bit hard to help


Pam-list mailing list
Pam-list <at>

Attachment (smime.p7s): application/x-pkcs7-signature, 4653 bytes
Pam-list mailing list
Pam-list <at>