configuring gentoo to use openwall tcb

Configuring Gentoo to use Openwall TCB authentication

(added 22/9/2007)

Openwall's TCB can be used as an alternative to the shadow authentication system (via /etc/shadow).

Using this method has several advantages over shadow, such as:

No requirement of set-user-id programs to change authentication information. TCB only requires set-gid progams to change the authentication information, and a compromise in the passwd program would only allow someone to intefere with their own shadow entry.
Stronger password hashing than md5 is available. (Overview here).
More information about the design and benefits of TCB are listed here.

To use TCB under Gentoo, the packages libxcrypt and tcb need to be emerged. However, at the moment, the package tcb needs an overlay digest file to link correctly. After quickly hacking one together, I added it to an existing gentoo bug report.

With that portage overlay setup correctly, it can be emerged.

After emerging:

The command tcb_convert needs to be ran to convert the existing /etc/shadow entries to /etc/tcb/ entries.
/etc/pam.d/system-auth needs to be modified
Testing needs to be performed :)

After messing around with /etc/pam.d/system-auth, it ended up looking like

auth       required     pam_env.so
#auth       sufficient  pam_unix.so likeauth nullok
auth       sufficient   pam_tcb.so likeauth nullok shadow  md5
auth       required     pam_deny.so

#account    required    pam_unix.so
account    required     pam_tcb.so shadow

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
retry=3
#password   sufficient  pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_tcb.so write_to=tcb nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
#session    required    pam_unix.so
session    required     pam_tcb.so

The above mentioned md5 sections probably need to be changed around a little bit, so that the blowfish password hashing is performed.

In addition to that, /etc/nsswitch.conf was required to be modified. I changed the shadow line so that it looked like:

shadow:      tcb compat

Whilst experimenting, it seems the permissions on /etc/tcb got messed up, and needed to be rest. From looking at the filesystem slide this was easily done.

After all these was followed, /etc/shadow was moved to /etc/shadow1. It was possible to log in via ssh, and could change passwords.

Afterwards everything was working as expected, /bin/passwd required some modification. chown root:shadow /bin/passwd; chmod u-s /bin/passwd; chmod g+s /bin/passwd did the trick :)

More information about setting up TCB and the things that need to be changed / tested can be found here.

If you would like to link to this article, please use the below URL, or HTML source code.

http://felinemenace.org/~andrewg/configuring_gentoo_to_use_openwall_tcb/

<a href="http://felinemenace.org/~andrewg/configuring_gentoo_to_use_openwall_tcb/">Configuring Gentoo to use Openwall TCB authentication</a>

If "Configuring Gentoo to use Openwall TCB authentication" sounds stupid, please substitute this for something better :)