Thorsten Kukuk | 1 Dec 2008 11:15

Re: PAM and NSS for clusters


Hi,

On Mon, Nov 17, Jozsef Kadlecsik wrote:

> - By default Linux PAM links with libxcrypt instead of libcrypt from
>   glibc. However the source files include crypt.h and not xcrypt.h, thus
>   the functions from libcrypt are used in spite of linking with libxcrypt.

This one is now applied to the Linux-PAM CVS.

> - Simplify source when a function is used both in the pam_unix module and 
>   in the helper binaries. 

Will now be applied.

> - Linux PAM can check blowfish encrypted passwords (if the crypto library 
>   supports it), however it did not support new passwords to be encrypted 
>   by blowfish. One patch adds full blowfish support (and "blowfish" 
>   keyword) to pam_unix.

Will now be applied.

> - @include keyword support (for Debian/Ubuntu).

There were already some discussions in the past which led to
the introduction of the current include statement. So we will not
take this.

Thank you for your patches,

Jozsef Kadlecsik | 1 Dec 2008 13:30

Re: PAM and NSS for clusters

Hi,

On Mon, 1 Dec 2008, Thorsten Kukuk wrote:

> On Mon, Nov 17, Jozsef Kadlecsik wrote:
> 
> > - By default Linux PAM links with libxcrypt instead of libcrypt from
> >   glibc. However the source files include crypt.h and not xcrypt.h, thus
> >   the functions from libcrypt are used in spite of linking with libxcrypt.
> 
> This one is now applied to the Linux-PAM CVS.
> 
> > - Simplify source when a function is used both in the pam_unix module and 
> >   in the helper binaries. 
> 
> Will now be applied.
> 
> > - Linux PAM can check blowfish encrypted passwords (if the crypto library 
> >   supports it), however it did not support new passwords to be encrypted 
> >   by blowfish. One patch adds full blowfish support (and "blowfish" 
> >   keyword) to pam_unix.
> 
> Will now be applied.
>  
> > - @include keyword support (for Debian/Ubuntu).
> 
> There were already some discussions in the past which led to
> the introduction of the current include statement. So we will not
> take this.


lioupayphone | 4 Dec 2008 07:40

PAM-0.79 and PAM-0.99

Hello, everyone on pam-list.

I have a question to ask; it is about auth of PAM.

There are two OSs on my hand, one is old FC4_2.6.17 with PAM-0.79-96 and the other is CentOS5.2_2.6.18 with PAM-0.99.

I started 2 daemons on the two different OSs for authenticating users with their passwords (one daemon on
each OS). Obviously, the auth MUST be supported by Linux-PAM.

My pam-conf is "/etc/pam.d/mybase"; it is listed below:
----
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
----

I started an auth-request from the third machine to the two daemons with a non-existent username, but the
results from the two daemons are different:
1) The result from the daemon running on FC4 shows us that the password is invalid.
2) The result from the daemon running on CentOS shows us that the username is invalid.

I think the result from CentOS makes sense. So I diff-ed the source code of PAM-0.79 and PAM-0.99 and found that maybe
there is a bug in _unix_verify_password(), unix_chkpwd.c of PAM-0.79. If it is a bug, it was fixed in PAM-0.99.
----
	if (pwd == NULL || salt == NULL) {
		_log_err(LOG_ALERT, "check pass; user unknown");
		p = NULL;
		return retval; /* once came here, "UNIX_FAILED" will be returned, but I think
		                  "PAM_USER_UNKNOWN" should be returned just like PAM-0.99 */
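The three-line "include" stack shown in the post above and the Debian/Ubuntu "@include" form discussed earlier in the thread both resolve to one flat list of modules per type. The resolver below is an added example written for this page; it is not code from any post, from Linux-PAM or from Debian. The pam.d files it reads are constructed samples kept in a dictionary, `substack` is flattened like `include` (its jump isolation is not modelled), and the leading `-` on a type is recorded only as a flag.

```python
"""Flatten a pam.d service stack by resolving ``include`` and ``@include``.

Added example; the sample files are constructed, not real Linux-PAM sources.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed pam.d files keyed by service name (not taken from any real host).
SAMPLE_PAMD: Dict[str, str] = {
    "system-auth": """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
password   requisite    pam_cracklib.so try_first_pass retry=3
password   sufficient   pam_unix.so sha512 shadow nullok use_authtok
password   required     pam_deny.so
session    required     pam_unix.so
""",
    # Linux-PAM form: one include per type, as in the post above.
    "mybase": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
""",
    # Debian/Ubuntu form: @include pulls in every type of the named service.
    "mybase-debian": """\
@include system-auth
-session   optional     pam_keyinit.so
""",
}


class Entry(NamedTuple):
    type: str      # auth, account, password, session ('@include' for the Debian directive)
    control: str   # required, sufficient, include, [success=ok ...], ...
    module: str    # module file, or the service name for include/@include
    args: str      # remaining arguments, verbatim
    silent: bool   # True when written as -auth etc.: a missing module is not logged


# type, control (a bracketed control may contain spaces), module, optional args
_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_service(text: str) -> List[Entry]:
    """Parse one pam.d file; comments and blank lines are dropped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(Entry("@include", "", line.split(None, 1)[1].strip(), "", False))
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append(Entry(mtype.lstrip("-"), control, module, args, mtype.startswith("-")))
    return entries


def resolve(service: str, files: Dict[str, str], _seen: Tuple[str, ...] = ()) -> List[Entry]:
    """Return the flattened stack for ``service`` with every include expanded."""
    if service in _seen:
        raise ValueError("include cycle: " + " -> ".join(_seen + (service,)))
    if service not in files:
        raise FileNotFoundError(f"no pam.d file for service {service!r}")
    seen = _seen + (service,)
    stack: List[Entry] = []
    for e in parse_service(files[service]):
        if e.type == "@include":
            stack.extend(resolve(e.module, files, seen))  # every type
        elif e.control in ("include", "substack"):
            # Only lines of the same type are pulled in. substack is flattened
            # like include here; its jump isolation is not modelled.
            stack.extend(x for x in resolve(e.module, files, seen) if x.type == e.type)
        else:
            stack.append(e)
    return stack


if __name__ == "__main__":
    for name in ("mybase", "mybase-debian"):
        print(f"== {name}")
        for e in resolve(name, SAMPLE_PAMD):
            prefix = "-" if e.silent else ""
            print(f"{prefix}{e.type:<9} {e.control:<12} {e.module} {e.args}".rstrip())
```

Resolving "mybase" yields seven entries and no session line, because each `include` only pulls in lines of its own type; the "@include" variant yields all eight system-auth lines plus the trailing silent session entry. Running the flattened output against what you expected is a quick way to spot an include that silently drops a type.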

Thorsten Kukuk | 9 Dec 2008 11:13

Linux-PAM 1.0.3 released


Hello,

Linux-PAM 1.0.3 is released. There are only two small changes:

* fix building with current toolchain
* pam_time: fix check of correct string length
* pam_keyinit: save old euid to suid to be able to restore it
* pam_tally: Open faillog read only, close file descriptor

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Jens Peter Secher | 10 Dec 2008 16:13

[pam_ssh] Requiring a per-user login-keys.d directory

I am in the process of taking over maintenance of the Debian package
libpam-ssh [1] which provides the PAM module pam_ssh [2].  In short,
pam_ssh authenticates the user by decrypting SSH keys using the
user's password.

During a discussion in Debian it was suggested that pam_ssh should use
the directory $HOME/.ssh/login-keys.d as a place to soft-link to the
keys that should be used in the authentication process, the rationale
being that users then have full control over how their keys are used
during login.

Do you see any problems with this approach?
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?

[1] http://packages.qa.debian.org/libp/libpam-ssh.html
[2] http://pam-ssh.sourceforge.net
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
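A directory of soft-links under the user's control is only safe if the module vets what the links point at before it decrypts anything. The check below is an added example written for this page, not code from pam_ssh or the Debian package. The policy it enforces is an assumption modelled on the usual private-key hygiene, not documented pam_ssh behaviour: login-keys.d must be a real directory (not a symlink) owned by the user with no group/other access, and every entry must resolve to a regular file that is owned by the user, closed to group/other, and located inside the user's home. The fixture it checks is constructed in a temporary directory with one good key and three bad entries.

```python
"""Vet a $HOME/.ssh/login-keys.d directory before trusting the keys it links to.

Added example; the policy and the fixture are constructed, not pam_ssh code.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple


def _owned_and_private(st: os.stat_result, uid: int) -> str:
    """Return '' when st is owned by uid with no group/other bits, else a reason."""
    if st.st_uid != uid:
        return f"owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & 0o077:
        return f"mode {stat.S_IMODE(st.st_mode):04o} is group/other accessible"
    return ""


def _file_reason(target: Path, uid: int) -> str:
    """Open the resolved target and judge the descriptor, not the path (no TOCTOU window)."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(target, flags)
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    return _owned_and_private(st, uid)


def select_login_keys(home: str, uid: int) -> Tuple[List[Path], List[Tuple[str, str]]]:
    """Return (accepted key paths, [(entry name, rejection reason), ...])."""
    home_real = Path(home).resolve()
    keys_dir = home_real / ".ssh" / "login-keys.d"
    accepted: List[Path] = []
    rejected: List[Tuple[str, str]] = []
    if keys_dir.is_symlink():
        return accepted, [("login-keys.d", "directory itself is a symlink")]
    if not keys_dir.is_dir():
        return accepted, [("login-keys.d", "missing")]
    reason = _owned_and_private(keys_dir.stat(), uid)
    if reason:
        return accepted, [("login-keys.d", reason)]
    for entry in sorted(keys_dir.iterdir()):
        try:
            target = entry.resolve(strict=True)
        except OSError as exc:
            rejected.append((entry.name, f"dangling or unreadable link: {exc.strerror}"))
            continue
        # The user may only point at files under their own home directory.
        if os.path.commonpath([home_real, target]) != str(home_real):
            rejected.append((entry.name, f"target {target} is outside {home_real}"))
            continue
        reason = _file_reason(target, uid)
        if reason:
            rejected.append((entry.name, reason))
            continue
        accepted.append(target)
    return accepted, rejected


def build_constructed_home() -> str:
    """Create a throwaway home with one good key and three entries that must be refused."""
    root = Path(tempfile.mkdtemp(prefix="pam_ssh_demo_"))
    home, ssh = root / "home", root / "home" / ".ssh"
    keys = ssh / "login-keys.d"
    keys.mkdir(parents=True)
    ssh.chmod(0o700)
    keys.chmod(0o700)
    good = ssh / "id_ed25519"
    good.write_text("(constructed) private key material\n")
    good.chmod(0o600)
    os.symlink("../id_ed25519", keys / "id_ed25519")        # relative link inside ~/.ssh: ok
    loose = ssh / "id_rsa_loose"
    loose.write_text("(constructed) world-readable key material\n")
    loose.chmod(0o644)
    os.symlink(loose, keys / "id_rsa_loose")               # right place, wrong mode
    outside = root / "not_home" / "secret"
    outside.parent.mkdir(mode=0o700)
    outside.write_text("(constructed) a file that is not the user's key\n")
    outside.chmod(0o600)
    os.symlink(outside, keys / "escape")                    # link leaves the home directory
    os.symlink(keys / "nowhere", keys / "dangling")         # target does not exist
    return str(home)


def demo() -> Tuple[List[str], List[str]]:
    """Run the check over the constructed fixture; returns accepted and rejected names."""
    accepted, rejected = select_login_keys(build_constructed_home(), os.getuid())
    return [p.name for p in accepted], sorted(name for name, _ in rejected)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

Judging the opened descriptor with `fstat` rather than the path matters because the module runs with root privileges while the user controls the directory; checking a path and then opening it would leave a window in which the link can be swapped. The "inside the home directory" rule is the strictest of the assumptions here and is the one to relax deliberately if keys are meant to live elsewhere.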
Thorsten Kukuk | 12 Dec 2008 19:36

Linux-PAM 1.0.90 aka 1.1-Beta1 released


Hello,

I'm happy to announce that Linux-PAM 1.0.90 is released.
This is the first beta on the way to Linux-PAM 1.1.

There are a lot of changes and new modules. For some, the
behavior has changed, pam_tally is now obsolete and pam_tally2
is the successor. So please read the NEWS file and documentation
carefully.

A list of changes:

* Supply hostname of the machine to netgroup match call in pam_access
* Make pam_namespace to work safe on child directories of parent directories
  owned by users
* Redefine LOCAL keyword of pam_access configuration file
* Add support for try_first_pass and use_first_pass to pam_cracklib
* Print informative messages for rejected login and add silent and
  no_log_info options to pam_tally
* Add support for passing PAM_AUTHTOK to stdin of helpers from pam_exec
* New password quality tests in pam_cracklib
* New options for pam_lastlog to show last failed login attempt and
  to disable lastlog update
* New pam_pwhistory module to store last used passwords
* New pam_tally2 module similar to pam_tally with wordsize independent
  tally data format
* Make libpam not log missing module if its type is prepended with '-'
* New pam_timestamp module for authentication based on recent successful
  login.