Bug 161564 - sys-apps/shadow does not support tcb
Summary: sys-apps/shadow does not support tcb
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
: High enhancement
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2007-01-11 15:37 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2012-06-06 09:45 UTC

See Also:
Package list:
Runtime testing required: ---

Overlay portage that uses latest openwall tcb and links against libxcrypt (tcb.tar.gz,2.48 KB, application/octet-stream)
2007-09-21 23:05 UTC, Andrew Griffiths

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 15:37:35 UTC
I tried to set up the tcb shadow replacement on my system, but it looks like the shadow version in portage does not support it.

The ebuild should apply the following patch:;content-type=text%2Fplain

It should also install files with the following permissions (commands taken from man tcb_convert):
chown root:shadow /usr/bin/passwd /etc/pam.d/passwd
chmod 2711 /usr/bin/passwd
chmod 640 /etc/pam.d/passwd
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2007-01-11 16:04:42 UTC
Additional info from logs:

Jan 11 16:20:01 [cron] PAM unable to dlopen(/lib64/security/
Jan 11 16:20:01 [cron] PAM [dlerror: /lib64/security/ undefined symbol: crypt_gensalt_ra]
Jan 11 16:20:01 [cron] PAM adding faulty module: /lib64/security/
Jan 11 16:20:01 [cron] Module is unknown
Jan 11 16:22:50 [su] PAM unable to dlopen(/lib64/security/
Jan 11 16:22:50 [su] PAM [dlerror: /lib64/security/ undefined symbol:
Jan 11 16:22:50 [su] PAM adding faulty module: /lib64/security/
Jan 11 16:22:50 [su] pam_authenticate: Authentication failure
Jan 11 16:22:50 [su] FAILED su for root by *******
Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
Jan 11 16:30:01 [cron] PAM unable to dlopen(/lib64/security/
Jan 11 16:30:01 [cron] PAM [dlerror: /lib64/security/ undefined symbol: crypt_gensalt_ra]
Jan 11 16:30:01 [cron] PAM adding faulty module: /lib64/security/
Jan 11 16:30:01 [cron] Module is unknown

This line may not be easy to spot but is important IMO, so I include it below again:

Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
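
An added example, not part of the bug report and not Gentoo or Linux-PAM code: a small triage script that groups the failure signatures quoted above (faulty module, undefined symbol, unknown configuration item, authentication failure) per service, and re-joins lines wrapped mid-message as in the excerpt. The sample log is constructed, and the module name pam_example.so is a placeholder assumption, since the paths in the report are truncated.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpts above. pam_example.so is a
# placeholder; the report's own module path is truncated and is not guessed.
SAMPLE_LOG = """\
Jan 11 16:20:01 [cron] PAM unable to dlopen(/lib64/security/pam_example.so)
Jan 11 16:20:01 [cron] PAM [dlerror: /lib64/security/pam_example.so: undefined symbol: crypt_gensalt_ra]
Jan 11 16:20:01 [cron] PAM adding faulty module: /lib64/security/pam_example.so
Jan 11 16:20:01 [cron] Module is unknown
Jan 11 16:22:50 [su] PAM [dlerror: /lib64/security/pam_example.so: undefined symbo
l: crypt_gensalt_ra]
Jan 11 16:22:50 [su] PAM adding faulty module: /lib64/security/pam_example.so
Jan 11 16:22:50 [su] pam_authenticate: Authentication failure
Jan 11 16:22:50 [su] unknown configuration item `USE_TCB'
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \[(?P<svc>[^\]]+)\] (?P<msg>.*)$")
FAULTY = re.compile(r"PAM adding faulty module: (?P<mod>\S+)")
SYMBOL = re.compile(r"undefined symbol: (?P<sym>[\w@.]+)")
CONFIG = re.compile(r"unknown configuration item `(?P<item>[^']+)'")

def unwrap(text):
    """Re-join continuation lines (no timestamp) onto the previous entry."""
    out = []
    for raw in text.splitlines():
        if LINE.match(raw) or not out:
            out.append(raw)
        else:
            out[-1] += raw
    return out

def triage(text):
    """Summarise PAM module load failures per service."""
    report = defaultdict(lambda: {"modules": set(), "symbols": set(),
                                  "config": set(), "auth_failures": 0})
    for raw in unwrap(text):
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style entry: skip rather than guess
        entry, msg = report[m["svc"]], m["msg"]
        if (f := FAULTY.search(msg)):
            entry["modules"].add(f["mod"])
        if (s := SYMBOL.search(msg)):
            entry["symbols"].add(s["sym"])
        if (c := CONFIG.search(msg)):
            entry["config"].add(c["item"])
        entry["auth_failures"] += "Authentication failure" in msg
    return dict(report)
```

A service that reports both a faulty module and authentication failures is one where a broken PAM stack is locking users out, which is the situation the su lines above show.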
Comment 2 Andrew Griffiths 2007-09-21 11:24:17 UTC

While experimenting with sys-apps/tcb this afternoon, I ran into the same problem with unresolved symbols (only difference being a 32-bit environment).

sshd[x]: PAM unable to dlopen(/lib/security/
sshd[x]: PAM [dlerror: /lib/security/ undefined symbol: crypt_gensalt_ra]
sshd[x]: PAM adding faulty module: /lib/security/

If patches to glibc are required, they may be able to be borrowed from SuSE, as says SuSE has crypt_blowfish support.

Comment 3 Andrew Griffiths 2007-09-21 23:05:18 UTC
Created attachment 131566
Overlay portage that uses latest openwall tcb and links against libxcrypt

This is an overlay for TCB which uses the latest openwall TCB. It modifies to link against libxcrypt (which is masked, so needs to be unmasked. It should probably also be listed as a dependency..).

It doesn't give unresolved symbols messages when loaded now. As for working.. well I need to do more testing (hopefully today).
Comment 4 Andrew Griffiths 2007-09-22 00:57:35 UTC
After some testing and messing around with /etc/pam.d/system-auth, I have got tcb working reasonably correctly from what I can see. 

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-06-06 09:45:19 UTC
tcb is now removed from tree. Please use hardened-shadow instead.