Re: Linux-PAM and Berkeley DB
Wayne Blaszczyk wrote:
> On 30/10/11 09:43, Jeremy Huntwork wrote:
>> On Oct 29, 2011, at 5:52 PM, Wayne Blaszczyk wrote:
>>> The Linux-PAM build fails for me, most likely due to the Berkeley DB upgrade to 5.2.26. I get the following error:
>>>
>>>     .libs/pam_userdb.o: In function `user_lookup':
>>>     /sources/Linux-PAM-1.1.3/modules/pam_userdb/pam_userdb.c:159: undefined reference to `__db_ndbm_open'
>>
>> Try building db with --enable-dbm.
>
> Thanks, that worked. As mentioned by DJ in the previous post, I think this should be included in the standard build.

I don't generally use PAM, so I don't mind any changes to it.

I'm curious though. What do others get from PAM? I don't see any advantages over plain shadow for a direct terminal or ssh login unless you have a lot of different users trying to login and you are trying to control that via ldap. For me where there are only a very few users, e.g. 3 on a server, PAM just gets in the way. I feel the same way about tcpwrappers and xinetd.

-- Bruce

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
Re: Linux-PAM and Berkeley DB
On Sun, 30 Oct 2011 12:02:53 -0500 Bruce Dubbs bruce.du...@gmail.com wrote:
> Wayne Blaszczyk wrote:
>> On 30/10/11 09:43, Jeremy Huntwork wrote:
>>> Try building db with --enable-dbm.
>>
>> Thanks, that worked. As mentioned by DJ in the previous post, I think this should be included in the standard build.
>
> I don't generally use PAM, so I don't mind any changes to it.

I think Wayne was actually suggesting a change to the way berkeley-db is installed.

> I'm curious though. What do others get from PAM?

Personally I install PAM so I can use pam_faildelay.so with ssh to set an arbitrary amount of time between login attempts. Brute force attacks are not practical if the script has to wait 2 minutes for each password it tries.

Andy
Re: Linux-PAM and Berkeley DB
> I don't generally use PAM, so I don't mind any changes to it.
>
> I'm curious though. What do others get from PAM? I don't see any advantages over plain shadow for a direct terminal or ssh login unless you have a lot of different users trying to login and you are trying to control that via ldap. For me where there are only a very few users, e.g. 3 on a server, PAM just gets in the way. I feel the same way about tcpwrappers and xinetd.
>
> -- Bruce

I only install it due to some required dependency, gnome-screensaver I think. If it wasn't for that, I wouldn't install it myself either.

Wayne.
Re: Linux-PAM and Berkeley DB
On 10/30/2011 12:02 PM, Bruce Dubbs wrote:
> Wayne Blaszczyk wrote:
>> On 30/10/11 09:43, Jeremy Huntwork wrote:
>>> On Oct 29, 2011, at 5:52 PM, Wayne Blaszczyk wrote:
>>>> The Linux-PAM build fails for me, most likely due to the Berkeley DB upgrade to 5.2.26. I get the following error:
>>>>
>>>>     .libs/pam_userdb.o: In function `user_lookup':
>>>>     /sources/Linux-PAM-1.1.3/modules/pam_userdb/pam_userdb.c:159: undefined reference to `__db_ndbm_open'
>>>
>>> Try building db with --enable-dbm.
>>
>> Thanks, that worked. As mentioned by DJ in the previous post, I think this should be included in the standard build.
>
> I don't generally use PAM, so I don't mind any changes to it.
>
> I'm curious though. What do others get from PAM? I don't see any advantages over plain shadow for a direct terminal or ssh login unless you have a lot of different users trying to login and you are trying to control that via ldap. For me where there are only a very few users, e.g. 3 on a server, PAM just gets in the way. I feel the same way about tcpwrappers and xinetd.
>
> -- Bruce

Were you wanting to remove it from the book?

-- DJ Lucas
Re: Linux-PAM and Berkeley DB
DJ Lucas wrote:
> On 10/30/2011 12:02 PM, Bruce Dubbs wrote:
>> Wayne Blaszczyk wrote:
>>> On 30/10/11 09:43, Jeremy Huntwork wrote:
>>>> On Oct 29, 2011, at 5:52 PM, Wayne Blaszczyk wrote:
>>>>> The Linux-PAM build fails for me, most likely due to the Berkeley DB upgrade to 5.2.26. I get the following error:
>>>>>
>>>>>     .libs/pam_userdb.o: In function `user_lookup':
>>>>>     /sources/Linux-PAM-1.1.3/modules/pam_userdb/pam_userdb.c:159: undefined reference to `__db_ndbm_open'
>>>>
>>>> Try building db with --enable-dbm.
>>>
>>> Thanks, that worked. As mentioned by DJ in the previous post, I think this should be included in the standard build.
>>
>> I don't generally use PAM, so I don't mind any changes to it.
>>
>> I'm curious though. What do others get from PAM? I don't see any advantages over plain shadow for a direct terminal or ssh login unless you have a lot of different users trying to login and you are trying to control that via ldap. For me where there are only a very few users, e.g. 3 on a server, PAM just gets in the way. I feel the same way about tcpwrappers and xinetd.
>
> Were you wanting to remove it from the book?

No. I can see where all those could be useful to some users. I was just stating an opinion about when those packages are useful.

-- Bruce
Re: Linux-PAM and Berkeley DB
On 30/10/11 09:43, Jeremy Huntwork wrote:
> On Oct 29, 2011, at 5:52 PM, Wayne Blaszczyk wrote:
>> The Linux-PAM build fails for me, most likely due to the Berkeley DB upgrade to 5.2.26. I get the following error:
>>
>>     .libs/pam_userdb.o: In function `user_lookup':
>>     /sources/Linux-PAM-1.1.3/modules/pam_userdb/pam_userdb.c:159: undefined reference to `__db_ndbm_open'
>
> Try building db with --enable-dbm.
>
> JH

Thanks, that worked. As mentioned by DJ in the previous post, I think this should be included in the standard build.

Regards,
Wayne.
Re: Linux PAM
Bruce Dubbs wrote:
> When reviewing the instructions for PAM, I see we are moving the libraries from /lib to /usr/lib. Why? Surely we need the PAM libraries to be available if /usr is not mounted.

Look closer. The libraries required for PAM are not moved. What are moved are the .so and .la files. All the instructions are clearly documented in the Command Explanations section.

-- Randy
Re: Linux PAM
Randy McMurchy wrote:
> Bruce Dubbs wrote:
>> When reviewing the instructions for PAM, I see we are moving the libraries from /lib to /usr/lib. Why? Surely we need the PAM libraries to be available if /usr is not mounted.
>
> Look closer. The libraries required for PAM are not moved. What are moved are the .so and .la files. All the instructions are clearly documented in the Command Explanations section.

Ahh, yes. Thanks for the cluebat.

-- Bruce
Re: Linux-PAM include system-auth
Message: 1
Date: Thu, 26 Feb 2009 12:41:43 -0600
From: Randy McMurchy ra...@linuxfromscratch.org
Subject: Linux-PAM include system-auth
To: BLFS Development List blfs-dev@linuxfromscratch.org
Message-ID: 49a6e267.3030...@linuxfromscratch.org
Content-Type: text/plain; charset=ISO-8859-1

> Hi all,
>
> I thought I had the include syntax down for the Linux-PAM conf files, but I'm still a bit lost. More and more I'm seeing (this from an installed file from the PolicyKit package):
>
>     auth       include      system-auth
>     account    include      system-auth
>     password   include      system-auth
>     session    include      system-auth
>
> I don't have a problem understanding what they're doing, but I'm not certain how to create, and what to put in the system-auth file. I can't find a good example anywhere.
>
> A bit more of my lack of knowledge appears here:
> http://wiki.linuxfromscratch.org/blfs/ticket/2805
>
> Any help would be appreciated.

My only guess is this refers to /etc/pam.d/other, which is pam's default file if a service isn't listed in its usual /etc/pam.d/servicename file, so perhaps it's an attempt to create a default setup for LFS in case a user installs pam but doesn't bother with any additional configuration? I'm assuming that no patch has been applied to pam to make it look for a file called 'defaults' rather than 'other'.

Btw, I only pick up the digest for blfs, so if I seem to go silent, I'm not ignoring anybody.

Regards
Phill
Re: Linux-PAM include system-auth
On Thu, Feb 26, 2009 at 10:41 AM, Randy McMurchy ra...@linuxfromscratch.org wrote:
> Hi all,
>
> I thought I had the include syntax down for the Linux-PAM conf files, but I'm still a bit lost. More and more I'm seeing (this from an installed file from the PolicyKit package):
>
>     auth       include      system-auth
>     account    include      system-auth
>     password   include      system-auth
>     session    include      system-auth
>
> I don't have a problem understanding what they're doing, but I'm not certain how to create, and what to put in the system-auth file. I can't find a good example anywhere.
>
> A bit more of my lack of knowledge appears here:
> http://wiki.linuxfromscratch.org/blfs/ticket/2805

I think (and I'm almost 100% sure) that DJ was referring to the same concept, but calling it default instead of system-auth. Here's what Fedora's looks like:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so

and here's paldo's much simpler version for reference:

http://paldo.org/paldo/sources/Linux-PAM/pam-system-auth-20060303

The way it works is that when your service does:

    auth       include      system-auth
    session    include      system-auth

it pulls the auth section from system-auth for the auth phase. Then it pulls the session section from system-auth for the session phase.

The system-auth name is (I believe) a holdover from the early days of the pam include implementation where an included file could only contain a certain authorization phase (probably bungling terms at this point). So, DJ's pam.d/default is probably more correct, but pam.d/system-auth allows you to fit in with the world more easily.

The idea is that there are common modules you always want to run, such as pam_unix.so. It also allows you to establish your cracklib password defaults in one location, if you'd like. You can always augment your service with other things.

    session    include      system-auth
    session    optional     pam_console.so

-- Dan
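The include behaviour described in the message above, as an added example that is not part of the original thread: a small Python resolver that expands `include` lines into the effective module stack for one phase, which is handy when auditing which modules a service really runs. The file contents, the `example-service` name and the function names are constructed for illustration; real PAM reads these files from /etc/pam.d.

```python
# Constructed sample files standing in for /etc/pam.d (not from a real system).
SAMPLE_PAM_D = {
    "system-auth": """\
auth      required    pam_env.so
auth      sufficient  pam_unix.so nullok try_first_pass
auth      required    pam_deny.so
account   required    pam_unix.so
password  requisite   pam_cracklib.so try_first_pass retry=3
password  sufficient  pam_unix.so sha512 shadow use_authtok
password  required    pam_deny.so
session   required    pam_limits.so
session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session   required    pam_unix.so
""",
    # Hypothetical service: pulls three phases from system-auth, adds one module.
    "example-service": """\
auth      include     system-auth
account   include     system-auth
session   include     system-auth
session   optional    pam_console.so
""",
}


def parse_line(line):
    """Split one pam.d line into (type, control, module, args), or None."""
    line = line.split("#", 1)[0].strip()      # drop comments and blank lines
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None
    ptype, rest = parts[0].lstrip("-"), parts[1].strip()
    if rest.startswith("["):                  # bracketed control: [value=action ...]
        end = rest.find("]")
        if end < 0:
            return None
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        pieces = rest.split(None, 1)
        control, rest = pieces[0], (pieces[1] if len(pieces) > 1 else "")
    fields = rest.split()
    if not fields:
        return None
    return ptype, control, fields[0], fields[1:]


def resolve(service, ptype, files, _seen=()):
    """Return the effective [(control, module, args)] stack for one phase.

    An `include` line contributes only the lines of the same type from the
    included file, in place, which is the behaviour described above.
    """
    if service in _seen:
        raise ValueError("include loop: " + " -> ".join(_seen + (service,)))
    stack = []
    for raw in files[service].splitlines():
        entry = parse_line(raw)
        if entry is None or entry[0] != ptype:
            continue
        _, control, module, args = entry
        if control == "include":
            stack.extend(resolve(module, ptype, files, _seen + (service,)))
        else:
            stack.append((control, module, args))
    return stack


if __name__ == "__main__":
    for control, module, args in resolve("example-service", "session", SAMPLE_PAM_D):
        print(control, module, " ".join(args))
```
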
Re: Linux-PAM include system-auth
Dan Nicholson wrote these words on 02/27/09 09:08 CST:
> [again snip all of Dan's fine words]

Thanks for the help, Dan. This clears it up a bunch for me.

-- Randy

rmlscsi: [bogomips 1003.24] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3] [GNU C Library stable release version 2.3.6] [Linux 2.6.14.3 i686]
09:38:01 up 20 days, 2:01, 1 user, load average: 0.36, 0.08, 0.03
Re: Linux PAM/Shadow
Randy McMurchy wrote:
> Hi all,
>
> I'll try and be as concise as possible and get right to the point. The new version of Linux-PAM (see a previous post) has an issue with Shadow.
>
> Brief description: PAM installs libraries in /lib (which it should), including .la files. This is new to PAM (it uses libtool and auto* a bit heavier now). These .la files are moved to /usr/lib (as always is done in LFS and BLFS). Hardcoded in these .la files is libdir='lib'.
>
> This apparently causes some problems when you then recompile Shadow. Shadow claims the .la files have been moved and aborts the build with an error (during the 'make').
>
> Here are possible solutions. I'm looking for opinions as to what would be best.
>
> 1. Delete the .la files and everything is fine. Best as I can tell, .la files aren't really necessary.
>
> 2. Do a simple sed on the .la files and change the 'lib' to '/usr/lib' and everything is fine.
>
> 3. Currently the default for PAM is installation of libraries in /lib and the modules in /lib/security. We could pass 'libdir=/usr/lib' *and* 'securedir=/lib/security' to configure, then move the .so.0.81.1 and .so.0 files from /usr/lib to /lib and everything would be fine.

I think #2 or #3 are both reasonable as, from your description, they do the same thing. Is this something that should be addressed upstream?

-- Bruce
Re: Linux PAM/Shadow
Tushar Teredesai wrote these words on 11/28/05 17:46 CST:
> #3 is the correct solution (how we normally do for all other packages).

Agreed, and how I'm going to do my next round of testing.

-- Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3] [GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
17:50:01 up 65 days, 3:14, 3 users, load average: 0.08, 0.09, 0.17
Re: Linux-PAM man pages
On Thu, 2005-03-17 at 19:17 -0600, Randy McMurchy wrote:
> I'm noticing that Linux-PAM is installing some man (8) pages in the root of the filesystem. It's happened on several systems I've recently installed, and I see it happened on Anduin.
>
> If someone else can confirm this, I'll change the book to move the installed pages from /man/man8/ to where they belong in /usr/share/man/man8.

I can confirm this as well on several systems. I say put the instructions in to work around. It is strange that most of the man pages get placed in the correct place, but not those few.

Gabe
Re: Linux-PAM man pages
Randy McMurchy wrote:
> Hi all,
>
> I'm noticing that Linux-PAM is installing some man (8) pages in the root of the filesystem. It's happened on several systems I've recently installed, and I see it happened on Anduin.
>
> If someone else can confirm this, I'll change the book to move the installed pages from /man/man8/ to where they belong in /usr/share/man/man8.
>
> What is so weird is that some of the man (8) pages installed by Linux-PAM are in the proper place, but somehow 3 pages are installed in the root of the filesystem.

Confirmed. Looks like we can do a sed to fix it though. I don't really have the time right now, but I took a quick peek anyway. The only place where this could be coming from is mandir=$PREFIX/man. Using 'mandir' instead of 'MANDIR'. Only place I can see this coming from is in modules/Simple.Rules. That looks to be the culprit. I'll look more when I get back tonight if you don't get it first.

Thanks.

-- DJ Lucas
Re: Linux-PAM
Randy McMurchy wrote:
> Funny how some things work out. The BLFS book was just recently changed to make cracklib a required dependency of Linux-PAM. I didn't think too much about it.
>
> However, tonight I screwed up and forgot to install cracklib before installing Linux-PAM. And PAM installed just fine. The configure log shows it looked for fascistcheck and didn't find it and just plowed along. Everything installed just fine.
>
> I'll BZ this unless someone has information to the contrary.

Why don't you just change it to a recommended dependency?

-- Bruce
Re: Linux-PAM nitpicks
Jack Brown wrote:
> Here's how I look at it: You go to compile something, it decides that it wants libm and starts off looking at /usr/lib to see what it can find. It comes across a file /usr/lib/libm.so which is linked to a file called /lib/libm.so.6. Based on this it tells the linker to link the resulting binary to a file named /lib/libm.so.6. When you run the program it sees that it needs to load up the file /lib/libm.so.6 and in doing so ends up following the symlink and ends up actually loading /lib/libm.2.3.4.so in the process.

One small correction. Actually it tells the linker to hardcode libm.so.6 without the full path (whoops). Then it looks for libm.so.6 starting in /usr/lib, then in /lib (and then I guess it starts searching through /etc/ld.so.cache for libs that are in directories specified in /etc/ld.so.conf, assuming ldconfig has been run since they were installed).

Jack Brown
Re: Linux-PAM nitpicks
Randy McMurchy wrote:
> Bruce Dubbs wrote these words on 02/22/05 11:23 CST:
>> I read the thread that Jack gave and Gerard wants to keep the links in both places: /usr/lib because they are needed and /lib for consistency. After all, this is primarily an LFS issue and only marginally a BLFS issue. Additionally, I suspect they are needed on /lib in the case that ld.so.cache becomes unavailable for some reason.
>
> Well, then, I suppose the LFS gang needs to all get on the same page. The Readline and Shadow instructions don't agree with what you say above.

As I look at LFS 6.0, I see:

    mv /usr/lib/lib{shadow,misc}.so.0* /lib
    ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so
    ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so

and

    mv /usr/lib/lib{readline,history}.so.5* /lib
    ln -sf ../../lib/libhistory.so.5 /usr/lib/libhistory.so
    ln -sf ../../lib/libreadline.so.5 /usr/lib/libreadline.so

Which seems consistent to me.

> Furthermore, here's the million dollar question: When we update BLFS to go to Shadow-4.0.7, do we install it as LFS does, or do we install it differently (include the .so symlink in /lib)?

Looking at LFS and BLFS, I believe the instructions are consistent now. Of course we are adding PAM, so there is some difference. Do you see an issue that I don't?

I do see a minor issue that is related. The lines:

    mv /bin/sg /usr/bin
    mv /bin/vigr /usr/sbin
    mv /usr/bin/passwd /bin
    rm /bin/groups

./configure --libdir=/usr/lib still installs programs in /bin it appears. We don't have explanations for these commands. Also, does it install passwd in /usr/bin? Seems inconsistent.

> To me, however the Shadow instructions are done in BLFS, the PAM instructions should match.

Match or be consistent? As I said, I think we are consistent now.

-- Bruce
Re: Linux-PAM nitpicks
Pardon my jumping in here but all of this discussion about PAM reminded me of an issue from a while back regarding segmentation faults with PAM/Shadow/Cracklib (as seen in the threads linked to below). Someone on IRC was having the same sort of issues just yesterday. Has this matter been solved?

http://archives.linuxfromscratch.org/mail-archives/blfs-support/2004-August/051475.html
http://archives.linuxfromscratch.org/mail-archives/blfs-dev/2005-January/008987.html

Mike
Re: Linux-PAM nitpicks
Gerard Beekmans [EMAIL PROTECTED] wrote in news:[EMAIL PROTECTED]:
> On February 22, 2005 01:18 pm, Randy McMurchy wrote:
>> See the difference? There are no .so files in /lib for Readline and Shadow. There is for PAM. This is what I've been trying to say all along. Additionally, the PAM .so files are in *both* directories. They are not for Readline and Shadow.
>
> Let me jump in here also and bring up the thread that Jack pointed out. That thread dated from February 2002, three years ago now. It's a little dated in that things have changed since.
>
> The *.so files go in /usr/lib only, not in both /lib and /usr/lib. The *.so.* files (add the major version number to it) might go in /lib if they are required before /usr is mounted or should be available in case of /usr partition corruption per standard conventions.
>
> PAM has /lib/libpam.so files which don't belong in /lib. These are compile-time and link-time libraries only. There's no need for them to be in /lib. The runtime libraries are libpam.so.version (libpam.so.0 in this case) and do belong in /lib.

hmm...

    [EMAIL PROTECTED] /1]$ ldd /bin/sleep
            linux-gate.so.1 => (0xe000)
            libm.so.6 => /lib/libm.so.6 (0xb7fc5000)
            librt.so.1 => /lib/librt.so.1 (0xb7fbd000)
            libc.so.6 => /lib/libc.so.6 (0xb7eaf000)
            /lib/ld-linux.so.2 (0xb7fec000)
            libpthread.so.0 => /lib/libpthread.so.0 (0xb7e9d000)

    [EMAIL PROTECTED] /]$ ls -l /lib/libm*
    -rwxr-xr-x 1 root root 146040 Feb 11 20:48 /lib/libm-2.3.4.so
    lrwxrwxrwx 1 root root 13 Feb 11 22:14 /lib/libm.so.6 -> libm-2.3.4.so
    -rwxr-xr-x 1 root root 13724 Feb 11 20:48 /lib/libmemusage.so

    [EMAIL PROTECTED] /]$ file /lib/libm-2.3.4.so
    /lib/libm-2.3.4.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped

How does that gel with the paragraphs above? libm-2.3.4.so is the actual runtime library, not only the compile\linking library...

-- Steve Crosby
Re: Linux-PAM nitpicks
Steve Crosby wrote these words on 02/22/05 19:56 CST:
> How does that gel with the paragraphs above? libm-2.3.4.so is the actual runtime library, not only the compile\linking library...

Though I'm not certain Gerard was just talking about symlinks named *.so, I was. The whole point of this discussion was what to do with *symlinks* named *.so.

-- Randy

rmlinux: [GNU ld version 2.15.91.0.2 20040727] [gcc (GCC) 3.4.1] [GNU C Library 2004-07-01 release version 2.3.4] [Linux 2.6.8.1 i686]
20:06:00 up 17 days, 3:55, 8 users, load average: 0.86, 0.54, 0.20