Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 161564

Summary: sys-apps/shadow does not support tcb
Product: Gentoo Linux Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: [OLD] Core systemAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED OBSOLETE    
Severity: enhancement CC: andrewg
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/tcb/
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Overlay portage that uses latest openwall tcb and links against libxcrypt

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 15:37:35 UTC 
I tried to setup tcb shadow replacement on my system, but it looks like shadow version in portage does not support it.

The ebuild should apply the following patch: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-tcb.diff?rev=1.5;content-type=text%2Fplain

It should also install files with following permissions (commands taken from man tcb_convert):
chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
chmod 2711 /usr/bin/passwd
chmod 640 /etc/pam.d/passwd
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 16:04:42 UTC 
Additional info from logs:

Jan 11 16:20:01 [cron] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:20:01 [cron] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbo
l: crypt_gensalt_ra]
Jan 11 16:20:01 [cron] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:20:01 [cron] Module is unknown
Jan 11 16:22:50 [su] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:22:50 [su] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbol:
 crypt_gensalt_ra]
Jan 11 16:22:50 [su] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:22:50 [su] pam_authenticate: Authentication failure
Jan 11 16:22:50 [su] FAILED su for root by *******
Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
Jan 11 16:30:01 [cron] PAM unable to dlopen(/lib64/security/pam_tcb.so)
Jan 11 16:30:01 [cron] PAM [dlerror: /lib64/security/pam_tcb.so: undefined symbo
l: crypt_gensalt_ra]
Jan 11 16:30:01 [cron] PAM adding faulty module: /lib64/security/pam_tcb.so
Jan 11 16:30:01 [cron] Module is unknown

This line may be not easy to spot but is important IMO, so I include it below again:

Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
Comment 2 Andrew Griffiths 2007-09-21 11:24:17 UTC 
Bump.

While experimenting with sys-apps/tcb this afternoon, I ran into the same problem with unresolved symbols (only difference being a 32-bit environment).

--
sshd[x]: PAM unable to dlopen(/lib/security/pam_tcb.so)
sshd[x]: PAM [dlerror: /lib/security/pam_tcb.so: undefined symbol: crypt_gensalt_ra]
sshd[x]: PAM adding faulty module: /lib/security/pam_tcb.so
--

If patches to glibc is required, they may be able to be borrowed from SuSE, as http://www.openwall.com/crypt/ says SuSE has crypt_blowfish support.
Comment 3 Andrew Griffiths 2007-09-21 23:05:18 UTC 
Created attachment 131566 [details]
Overlay portage that uses latest openwall tcb and links against libxcrypt

This is an overlay for TCB which uses the latest openwall TCB. It modifies pam_tcb.so to link against libxcrypt (which is masked, so needs to be unmasked. it should probably also be listed as a dependency..). 

It doesn't give unresolved symbols messages when loaded now. As for working.. well I need to do more testing (hopefully today).
Comment 4 Andrew Griffiths 2007-09-22 00:57:35 UTC 
After some testing and messing around with /etc/pam.d/system-auth, I have got tcb working reasonably correctly from what I can see.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-06-06 09:45:19 UTC 
tcb is now removed from tree. Please use hardened-shadow instead.