Message-ID: <20210111153921.GA14736@openwall.com>
Date: Mon, 11 Jan 2021 16:39:21 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] tcb 1.2

Hi,

After 10 years since the previous release, we've just released version
1.2 of tcb, the alternative password shadowing scheme we had introduced
in Owl.  tcb is currently in use in ALT Linux distributions and Mageia.

https://www.openwall.com/tcb/

The tcb package consists of three components: pam_tcb, libnss_tcb, and
libtcb.  pam_tcb is a PAM module which supersedes pam_unix.  It also
implements the tcb password shadowing scheme.  The tcb scheme allows
many core system utilities (passwd(1) being the primary example) to
operate with lower privileges.  libnss_tcb is the accompanying NSS
module.  libtcb contains code shared by the PAM and NSS modules, and is
also to be used by user management tools.

Due to the password hashing API we had introduced in Owl having been
recently adopted by libxcrypt, you no longer need our crypt_blowfish
patched into glibc to compile and use our tcb.  You can instead use
libxcrypt, which e.g. Fedora already does.

Changes in tcb 1.2 include libxcrypt and recent glibc support, i18n
support, and dropping of NIS/NIS+ support (which we consider obsolete).
These were implemented mostly by Dmitry V. Levin originally for ALT
Linux.  The full change log since tcb 1.1 follows:

2021-01-11  Solar Designer  <solar at owl.openwall.com>

	* tcb.spec: 1.2.
	* LICENSE: Update copyright years for Dmitry's recent contributions.

2020-07-16  Dmitry V. Levin  <ldv at owl.openwall.com>

	tcb_chkpwd: remove the last remaining piece of NIS+ support.
	* progs/tcb_chkpwd.c (unix_verify_password): Remove special handling
	of NIS+ password entries.

	tcb_unconvert: print error diagnostics if the final chown fails.
	* progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely
	case of an error returned by the final chown invocation.  This does
	not affect the exit status of tcb_unconvert, though, since the final
	chown does not affect the result of conversion.

2020-07-15  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: fix harmless -Wmissing-field-initializers compilation warning.
	* pam_tcb/support.c (fake_pw): Explicitly initialize remaining members
	of struct passwd with zero.

	pam_tcb: fix harmless -Wpointer-sign compilation warnings.
	* pam_tcb/support.h (struct pam_unix_params): Change the type of
	"crypt_prefix" and "helper" fields from "const unsigned char *"
	to "const char *".

2018-07-07  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier
	to OpenBSD.
	This does not affect builds with libxcrypt >= 4.1.0 that provides
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro.
	* pam_tcb/support.c (_set_ctrl)
	[!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$"
	with "$2b$".
	* pam_tcb/pam_tcb.8 (prefix): Likewise.

2018-06-26  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: request automatic prefix if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "prefix" argument to crypt_gensalt_ra function will cause it
	to select the best available hash function.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (_set_ctrl)
	[CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When
	pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb
	default value.
	* pam_tcb/pam_tcb.8: Document this.

	pam_tcb: request automatic entropy if libcrypt implements it.
	In libxcrypt, starting with version 4.0.0, supplying a null pointer
	as the "rbytes" argument to crypt_gensalt_ra function will cause it
	to acquire random bytes from the operating system.
	Starting with version 4.1.0, libxcrypt provides
	CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability
	of this feature at build time.
	* pam_tcb/support.c (do_crypt)
	[CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]: Invoke crypt_gensalt_ra
	with null "rbytes" and zero "nrbytes" arguments.

2018-06-19  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: sync password expiration messages with Linux-PAM-1.4.0.
	* pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros.
	(MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE):
	Update messages.
	(MESSAGE_WARN_EXPIRE): Add count argument, update messages.
	* pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace
	MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of
	MESSAGE_WARN_EXPIRE.

2018-05-31  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: use pam_get_authtok(3) instead of _unix_read_password.
	This follows the change in pam_unix implemented in Linux-PAM
	commit Linux-PAM-1.3.0~5.
	pam_get_authtok(3) is available in OpenPAM since 2002-04-08
	and in Linux-PAM since 2008-12-03.
	As pam_get_authtok(3) does not support the not_set_pass option,
	the support for this not very useful option is dropped.
	Instead, pam_tcb gets proper support for the authtok_type= option.
	* pam_tcb/pam_tcb.8 (not_set_pass): Remove.
	(authtok_type): New option.
	* pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro.
	(pam_sm_authenticate): Use pam_get_authtok instead of
	_unix_read_password.
	* pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK):
	Remove unused macros.
	(do_setpass): Remove "fromwhat" argument.
	(unix_prelim): Use pam_get_authtok instead of _unix_read_password.
	(pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support.
	* pam_tcb/support.c (data_cleanup, _unix_read_password): Remove
	unused functions.
	(unix_bools): Replace "not_set_pass" with "use_first_pass" and
	"try_first_pass".
	(parse_opt): Remove manual handling of "use_first_pass" and
	"try_first_pass".
	(_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in
	the_cmdline_opts.  Remove manual handling of "authtok_usage=".
	* pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS,
	UNIX_AUTHTOK_TYPE): New enum constants.
	(PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2,
	MESSAGE_MISTYPED): Remove unused macros.
	(UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused
	enum constants.
	(struct pam_unix_params): Remove unused authtok_usage field.
	(_unix_read_password): Remove unused prototype.

2018-05-22  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: drop obsolete NIS/NIS+ support.
	The GNU C library, starting with version 2.26, deprecated libnsl.
	As a result, pam_tcb no longer builds with modern versions of glibc
	configured without the --enable-obsolete-nsl option.
	While glibc recommends using replacement implementations based on
	TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether.
	* pam_tcb/yppasswd.h: Remove.
	* pam_tcb/yppasswd_xdr.c: Likewise.
	* pam_tcb/Makefile: Do not link with -lnsl.
	(LIBSRC): Remove yppasswd_xdr.c.
	* pam_tcb/pam_tcb.8: Remove references to NIS+.
	* pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support.
	* pam_tcb/support.c: Likewise.
	* pam_tcb/support.h: Likewise.
	* progs/tcb_convert.8: Remove references to nis and nisplus.

2012-05-24  Dmitry V. Levin  <ldv at owl.openwall.com>

	pam_tcb: Implement i18n support.
	Linux-PAM starting with release 0.81 implements i18n support using
	gettext.  This change extends i18n support to pam_tcb.
	The i18n support is not enabled by default, define both ENABLE_NLS and
	NLS_PACKAGE macros to enable it.  When NLS_PACKAGE macro is defined to
	"Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM.
	* pam_tcb/support.h: Mark all messages for translation.  Pass through
	dgettext all messages marked for translation when both ENABLE_NLS and
	NLS_PACKAGE macros are defined.

Alexander
