Bug 161564 - sys-apps/shadow does not support tcb
Summary: sys-apps/shadow does not support tcb
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
URL: http://www.openwall.com/tcb/
Reported: 2007-01-11 15:37 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-06-06 09:45 UTC
Attachments
Overlay portage that uses latest openwall tcb and links against libxcrypt (tcb.tar.gz, 2.48 KB, application/octet-stream)
2007-09-21 23:05 UTC, Andrew Griffiths
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 15:37:35 UTC
I tried to set up the tcb shadow replacement on my system, but it looks like the shadow version in portage does not support it.

The ebuild should apply the following patch: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-tcb.diff?rev=1.5;content-type=text%2Fplain

It should also install files with the following permissions (commands taken from man tcb_convert):
chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
chmod 2711 /usr/bin/passwd
chmod 640 /etc/pam.d/passwd
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 16:04:42 UTC
Additional info from logs:

Jan 11 16:20:01 [cron] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:20:01 [cron] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:20:01 [cron] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:20:01 [cron] Module is unknown
Jan 11 16:22:50 [su] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:22:50 [su] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:22:50 [su] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:22:50 [su] pam_authenticate: Authentication failure
Jan 11 16:22:50 [su] FAILED su for root by *******
Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
Jan 11 16:30:01 [cron] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:30:01 [cron] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:30:01 [cron] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:30:01 [cron] Module is unknown

This line may not be easy to spot but is important IMO, so I include it below again:

Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
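
A small log triage script for the failure pattern in the excerpt above (an added example, not part of the bug report or of any Gentoo or Openwall code): it groups PAM module load failures by module, affected service and missing symbol, and surfaces unrecognised configuration items such as the USE_TCB line. The function name and the embedded sample lines are constructed for illustration; the parser assumes the "[service] message" syslog format shown above.

```python
import re
from collections import defaultdict

# Constructed sample, same format as the log excerpt in the comment above.
SAMPLE_LOG = """\
Jan 11 16:20:01 [cron] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:20:01 [cron] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:20:01 [cron] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:22:50 [su] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:22:50 [su] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:22:50 [su] pam_authenticate: Authentication failure
Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \[(?P<svc>[^\]]+)\] (?P<msg>.*)$")
DLOPEN = re.compile(r"PAM unable to dlopen\((?P<mod>[^)]+)\)")
DLERROR = re.compile(r"PAM \[dlerror: (?P<mod>[^:]+): undefined symbol: (?P<sym>\w+)\]")
BADCONF = re.compile(r"unknown configuration item `(?P<item>[^']+)'")


def summarize(log_text):
    """Return (modules, unknown_items) collected from syslog-style text."""
    modules = defaultdict(lambda: {"services": set(), "symbols": set(), "failures": 0})
    unknown_items = defaultdict(set)
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # skip lines that are not in the "[service] message" format
        svc, msg = line["svc"], line["msg"]
        if (m := DLOPEN.search(msg)):
            modules[m["mod"]]["failures"] += 1
            modules[m["mod"]]["services"].add(svc)
        elif (m := DLERROR.search(msg)):
            modules[m["mod"]]["symbols"].add(m["sym"])
        elif (m := BADCONF.search(msg)):
            unknown_items[m["item"]].add(svc)
    return dict(modules), dict(unknown_items)


if __name__ == "__main__":
    mods, items = summarize(SAMPLE_LOG)
    for path, info in mods.items():
        print(f"{path}: {info['failures']} load failures, services={sorted(info['services'])}, "
              f"missing symbols={sorted(info['symbols'])}")
    for item, svcs in items.items():
        print(f"unknown configuration item {item!r} reported by {sorted(svcs)}")
```
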
Comment 2 Andrew Griffiths 2007-09-21 11:24:17 UTC
Bump.

While experimenting with sys-apps/tcb this afternoon, I ran into the same problem with unresolved symbols (only difference being a 32-bit environment).

--
sshd[x]: PAM unable to dlopen(/lib/security/pam_tcb.so)
sshd[x]: PAM [dlerror: /lib/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
sshd[x]: PAM adding faulty module: /lib/security/pam_tcb.so
--

If patches to glibc are required, they may be able to be borrowed from SuSE, as http://www.openwall.com/crypt/ says SuSE has crypt_blowfish support.

Comment 3 Andrew Griffiths 2007-09-21 23:05:18 UTC
Created attachment 131566
Overlay portage that uses latest openwall tcb and links against libxcrypt

This is an overlay for TCB which uses the latest openwall TCB. It modifies pam_tcb.so to link against libxcrypt (which is masked, so needs to be unmasked. It should probably also be listed as a dependency.).

It doesn't give unresolved symbols messages when loaded now. As for working... well, I need to do more testing (hopefully today).
Comment 4 Andrew Griffiths 2007-09-22 00:57:35 UTC
After some testing and messing around with /etc/pam.d/system-auth, I have got tcb working reasonably correctly from what I can see. 

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-06-06 09:45:19 UTC
tcb is now removed from tree. Please use hardened-shadow instead.