[linux-pam] #46: Fix build with musl libc
by fedora-badges
#46: Fix build with musl libc
----------------------+------------------------------
Reporter: yousong | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: | Keywords:
Blocked By: | Blocking:
----------------------+------------------------------
Hi, patch files in the attachments are produced when building libpam
within OpenWrt. Not long ago, OpenWrt switched to musl as the default
libc which is relatively and different from other implementations, e.g.
crypt() function is part of musl-libc itself, many old functions are
dropped from the implementation, etc.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/46>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
8 years
Raise salt length for the sha2 password hashes
by Tomas Mraz
Hello,
Currently pam_unix hardcodes the new salt length when a password is
changed to be 8 characters - due to the limitation to only 64 possible
characters, this makes it 48 bits long. This is slightly lower than what
can be considered long enough for any paranoid person. I propose to make it
12 characters, which should satisfy any paranoid person, as rainbow tables
of 2^72 hashes for each tested password can hardly be created in the
foreseeable future.
Or do you think that the current salt length should be sufficient and
stay as is?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 3 months
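The arithmetic behind the proposal above, as an added example (not pam_unix code): each salt character is drawn from the 64-character crypt alphabet and so carries 6 bits, giving 48 bits for 8 characters and 72 bits for 12. The function names and the use of /dev/urandom are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The 64-character alphabet crypt(3) salts are drawn from: 6 bits per character. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Salt entropy in bits for a salt of nchars characters. */
unsigned salt_bits(size_t nchars) { return (unsigned)(nchars * 6); }

/* Fill out[0..nchars-1] with random salt characters and NUL-terminate.
 * Returns 0 on success, -1 on bad length or if the RNG could not be read. */
int make_salt(char *out, size_t nchars)
{
    unsigned char raw[16];
    size_t i, got;
    FILE *f;

    if (nchars == 0 || nchars > sizeof raw)   /* sha2-crypt uses at most 16 */
        return -1;
    f = fopen("/dev/urandom", "rb");          /* assumption: kernel RNG device */
    if (f == NULL)
        return -1;
    got = fread(raw, 1, nchars, f);
    fclose(f);
    if (got != nchars)
        return -1;
    /* 256 is a multiple of 64, so masking to 6 bits introduces no bias. */
    for (i = 0; i < nchars; i++)
        out[i] = SALT_CHARS[raw[i] & 0x3f];
    out[nchars] = '\0';
    return 0;
}

/* Build a crypt(3) setting string "$6$<salt>$" (6 selects sha512-crypt). */
int make_setting(char *out, size_t outlen, size_t nchars)
{
    char salt[17];
    int n;
    if (make_salt(salt, nchars) != 0)
        return -1;
    n = snprintf(out, outlen, "$6$%s$", salt);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char s[32];
    if (make_setting(s, sizeof s, 12) == 0)
        printf("%s (%u-bit salt, 8 chars give %u)\n", s, salt_bits(12), salt_bits(8));
    return 0;
}
```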
pam_loginuid: add syslog message if required auditd not detected
by Tomas Mraz
The following patch adds a syslog message to pam_loginuid to log if the
required auditd is not detected. It is currently not easy for a sysadmin
to find out what caused the PAM failure if the required_auditd option is
used and auditd is not running. OK to commit?
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
index 73c42f9..9a1589e 100644
--- a/modules/pam_loginuid/pam_loginuid.c
+++ b/modules/pam_loginuid/pam_loginuid.c
@@ -234,6 +234,8 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
if (require_auditd) {
int rc = check_auditd();
+ if (rc != PAM_SUCCESS)
+ pam_syslog(pamh, LOG_ERR, "required running auditd not detected");
return rc != PAM_SUCCESS ? rc : ret;
} else
#endif
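Review bot: the new pam_syslog() call logs the same fixed text for every non-success rc from check_auditd(), so if that function can fail for a reason other than auditd not running, the log line will point the admin at the wrong cause; consider including the return code in the message, for example via pam_strerror(pamh, rc). The added test also repeats the `rc != PAM_SUCCESS` check made by the return on the next line, so a braced `if (rc != PAM_SUCCESS) { pam_syslog(...); return rc; }` followed by `return ret;` would read more clearly.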
--
Tomas Mraz
8 years, 7 months
PAM 2man Authentication Module
by Thompson, Michael L.
Hello All,
This is a friendly announcement of an open source project you may be
interested in. As part of a summer student project in reaction to the
recent insider threat trend, a student developed a proof of concept
module for PAM to do 2 person authentication.
This plugin is not meant for production use, nor are we making any kind
of statement about whether or not we think 2 person authentication on a
Linux system makes sense or is a good idea, but the plugin works and so
we thought we would release it to the community and anyone can do with
it what they will.
Code is hosted on github here:
https://github.com/Argonne-National-Laboratory/Pam-2man-Auth/
It's been tested mostly on Debian derivatives, but should work anywhere.
Feel free to respond with any questions, concerns, etc.
Best,
--
Mike Thompson
Cybersecurity Analyst
Cyber Operations, Analysis, and Research
Argonne National Laboratory
http://coar.risc.anl.gov/
8 years, 7 months
[linux-pam] #45: Premature thread wake up on successful pam_authenticate call
by fedora-badges
#45: Premature thread wake up on successful pam_authenticate call
---------------------+------------------------------
Reporter: igleyy | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
For the given example code, the thread which should sleep for a given period of time
is prematurely woken up upon a successful pam_authenticate call.
Environment:
Linux Mint 16
libpamc.so.0.82.1
libpam_misc.so.0.82.0
libpam.so.0.83.0
g++ (Ubuntu/Linaro 4.8.1-10ubuntu9) 4.8.1
Code:
{{{
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pthread.h>
#include <unistd.h>   /* sleep() */
#include <cstdlib>    /* exit() */
#include <iostream>

static struct pam_conv conv = {
    misc_conv,
    NULL
};

/* Background thread: prints one line, then sleeps for a very long time. */
void* thread_func(void* foo) {
    int i = 0;
    std::cout << "Start thread func stuff " << i++ << std::endl;
    while (1) {
        std::cout << "Thread func stuff " << i++ << std::endl;
        sleep(1000000);
    }
    return NULL; /* not reached */
}

int main ()
{
    pthread_t th;
    int th_ret;

    th_ret = pthread_create( &th, NULL, thread_func, (void*) NULL);
    if (th_ret) {
        std::cout << "pthread_create failed: " << th_ret << std::endl;
        exit(1);
    }

    pam_handle_t* pamh;
    struct pam_conv pamc;

    /* Set up the PAM conversation. */
    pamc.conv = &misc_conv;
    pamc.appdata_ptr = NULL;

    /* Start a new authentication session. */
    pam_start ("passwd", "myusername", &pamc, &pamh);

    /* Authenticate the user. */
    if (pam_authenticate (pamh, 0) != PAM_SUCCESS)
        std::cout << "Authentication failed!" << std::endl;
    else
        std::cout << "Authentication OK" << std::endl;

    /* All done. */
    pam_end (pamh, 0);

    while(1) {} /* Prevent application finish. */
    return 0;
}
}}}
Compiled with
{{{
g++ -g pamexample.c -pthread -lpam -lpam_misc
}}}
For my local user and correct password I get the following output:
{{{
./a.out
Start thread func stuff 0
Thread func stuff 1
Password:
Thread func stuff 2
Thread func stuff 3
Thread func stuff 4
Thread func stuff 5
Thread func stuff 6
Authentication OK
}}}
For unsuccessful pam_authenticate calls the output is correct. The output for
the given example is correct on SLES 11.3 and Ubuntu 14.04. Please let me know if
you need more information.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/45>
8 years, 7 months
Allow links to be used instead of w3m for documentation regeneration
by Tomas Mraz
The following patch allows this. OK to commit?
diff --git a/configure.ac b/configure.ac
index 08e4530..f33b959 100644
--- a/configure.ac
+++ b/configure.ac
@@ -568,7 +568,12 @@ AC_PATH_PROG([BROWSER], [w3m])
if test ! -z "$BROWSER"; then
BROWSER="$BROWSER -T text/html -dump"
else
- enable_docu=no
+ AC_PATH_PROG([BROWSER], [links])
+ if test ! -z "$BROWSER"; then
+ BROWSER="$BROWSER -no-numbering -no-references -dump"
+ else
+ enable_docu=no
+ fi
fi
AC_PATH_PROG([FO2PDF], [fop])
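Review bot: the added AC_PATH_PROG([BROWSER], [links]) branch only checks that a program named links is on the PATH, not that it accepts `-no-numbering -no-references -dump`, so an implementation that rejects those options would pass configure and fail later during documentation regeneration. Consider probing the options at configure time and falling back to enable_docu=no when the probe fails, and note which links is expected; `test -n "$BROWSER"` would also be the more usual spelling of the new `test ! -z` check.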
--
Tomas Mraz
8 years, 7 months
[linux-pam] #51: Misprint in pam_misc_setenv.3.xml
by fedora-badges
#51: Misprint in pam_misc_setenv.3.xml
-------------------------+------------------------------
Reporter: ymyasoedov | Owner: pam-developers@…
Type: defect | Status: new
Priority: trivial | Component: documentation
Version: 1.2.x | Keywords: man
Blocked By: | Blocking:
-------------------------+------------------------------
Missing space after "int" (line 27 in `doc/man/pam_misc_setenv.3.xml`):
{{{
<paramdef>int<parameter>readonly</parameter></paramdef>
}}}
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/51>
8 years, 7 months
[linux-pam] #50: quieter pam_succeed_if when user unknown
by fedora-badges
#50: quieter pam_succeed_if when user unknown
--------------------------+------------------------------
Reporter: tomgreen66 | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
'''ENHANCEMENT'''
It seems if a user is unknown by pam_succeed_if it will report even in
quiet mode:
{{{
pam_succeed_if(sshd:auth): error retrieving information about user <user>
}}}
There was a patch submitted via a mailing list here:
[https://www.redhat.com/archives/pam-list/2009-December/msg00011.html]
which seemed to fit this purpose - not sure whether it was ever officially
submitted and rejected or it was just lost.
I tend to get this message being flagged by monitoring systems and rather
than filter it out I feel it's better if quiet did what is expected.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/50>
8 years, 7 months