|
This is the change log for our tcb suite implementing the alternative password shadowing scheme on Owl.
2021-01-11 Solar Designer <solar at owl.openwall.com> * tcb.spec: 1.2. * LICENSE: Update copyright years for Dmitry's recent contributions. 2020-07-16 Dmitry V. Levin <ldv at owl.openwall.com> tcb_chkpwd: remove the last remaining piece of NIS+ support. * progs/tcb_chkpwd.c (unix_verify_password): Remove special handling of NIS+ password entries. tcb_unconvert: print error diagnostics if the final chown fails. * progs/tcb_unconvert.c (main): Print error diagnostics in an unlikely case of an error returned by the final chown invocation. This does not affect the exit status of tcb_unconvert, though, since the final chown does not affect the result of conversion. 2020-07-15 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: fix harmless -Wmissing-field-initializers compilation warning. * pam_tcb/support.c (fake_pw): Explicitly initialize remaining members of struct passwd with zero. pam_tcb: fix harmless -Wpointer-sign compilation warnings. * pam_tcb/support.h (struct pam_unix_params): Change the type of "crypt_prefix" and "helper" fields from "const unsigned char *" to "const char *". 2018-07-07 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: change the default prefix from $2y$ to $2b$ to be friendlier to OpenBSD. This does not affect builds with libxcrypt >= 4.1.0 that provides CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX feature test macro. * pam_tcb/support.c (_set_ctrl) [!CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: Replace "$2y$" with "$2b$". * pam_tcb/pam_tcb.8 (prefix): Likewise. 2018-06-26 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: request automatic prefix if libcrypt implements it. In libxcrypt, starting with version 4.0.0, supplying a null pointer as the "prefix" argument to crypt_gensalt_ra function will cause it to select the best available hash function. Starting with version 4.1.0, libxcrypt provides CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX macro to test the availability of this feature at build time. * pam_tcb/support.c (_set_ctrl) [CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX]: When pam_unix_param.crypt_prefix is NULL, do not reset it to the pam_tcb default value. * pam_tcb/pam_tcb.8: Document this. pam_tcb: request automatic entropy if libcrypt implements it. In libxcrypt, starting with version 4.0.0, supplying a null pointer as the "rbytes" argument to crypt_gensalt_ra function will cause it to acquire random bytes from the operating system. Starting with version 4.1.0, libxcrypt provides CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY macro to test the availability of this feature at build time. * pam_tcb/support.c (do_crypt) [CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY]: Invoke crypt_gensalt_ra with null "rbytes" and zero "nrbytes" arguments. 2018-06-19 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: sync password expiration messages with Linux-PAM-1.4.0. * pam_tcb/support.h (P3_, MESSAGE_PASS_ENFORCED): New macros. (MESSAGE_PASS_EXPIRED, MESSAGE_PASS_SAME, MESSAGE_PASS_NONE): Update messages. (MESSAGE_WARN_EXPIRE): Add count argument, update messages. * pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Replace MESSAGE_PASS_EXPIRED with MESSAGE_PASS_ENFORCED, update use of MESSAGE_WARN_EXPIRE. 2018-05-31 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: use pam_get_authtok(3) instead of _unix_read_password. This follows the change in pam_unix implemented in Linux-PAM commit Linux-PAM-1.3.0~5. pam_get_authtok(3) is available in OpenPAM since 2002-04-08 and in Linux-PAM since 2008-12-03. As pam_get_authtok(3) does not support not_set_pass option, the support for this not much useful option is dropped. Instead pam_tcb gets a proper support for authtok_type= option. * pam_tcb/pam_tcb.8 (not_set_pass): Remove. (authtok_type): New option. * pam_tcb/pam_unix_auth.c (DATA_AUTHTOK): Remove unused macro. (pam_sm_authenticate): Use pam_get_authtok instead of _unix_read_password. * pam_tcb/pam_unix_passwd.c (DATA_OLD_AUTHTOK, DATA_NEW_AUTHTOK): Remove unused macros. (do_setpass): Remove "fromwhat" argument. (unix_prelim): Use pam_get_authtok instead of _unix_read_password. (pam_sm_chauthtok): Remove UNIX_NOT_SET_PASS support. * pam_tcb/support.c (data_cleanup, _unix_read_password): Remove unused functions. (unix_bools): Replace "not_set_pass" with "use_first_pass" and "try_first_pass". (parse_opt): Remove manual handling of "use_first_pass" and "try_first_pass". (_set_ctrl): Replace "authtok_usage=" with "authtok_type=" in the_cmdline_opts. Remove manual handling of "authtok_usage=". * pam_tcb/support.h (UNIX_USE_FIRST_PASS, UNIX_TRY_FIRST_PASS, UNIX_AUTHTOK_TYPE): New enum constants. (PROMPT_PASS, PROMPT_OLDPASS, PROMPT_NEWPASS1, PROMPT_NEWPASS2, MESSAGE_MISTYPED): Remove unused macros. (UNIX_NOT_SET_PASS, USE_NONE, USE_TRY, USE_FORCED): Remove unused enum constants. (struct pam_unix_params): Remove unused authtok_usage field. (_unix_read_password): Remove unused prototype. 2018-05-22 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: drop obsolete NIS/NIS+ support. The GNU C library, starting with version 2.26, deprecated libnsl. As result, pam_tcb no longer builds with modern versions of glibc configured without --enable-obsolete-nsl option. While glibc recommends to use replacement implementations based on TIRPC, it's time to get rid of obsolete NIS/NIS+ support altogether. * pam_tcb/yppasswd.h: Remove. * pam_tcb/yppasswd_xdr.c: Likewise. * pam_tcb/Makefile: Do not link with -lnsl. (LIBSRC): Remove yppasswd_xdr.c. * pam_tcb/pam_tcb.8: Remove references to NIS+. * pam_tcb/pam_unix_passwd.c: Remove NIS/NIS+ support. * pam_tcb/support.c: Likewise. * pam_tcb/support.h: Likewise. * progs/tcb_convert.8: Remove references to nis and nisplus. 2012-05-24 Dmitry V. Levin <ldv at owl.openwall.com> pam_tcb: Implement i18n support. Linux-PAM starting with release 0.81 implements i18n support using gettext. This change extends i18n support to pam_tcb. The i18n support is not enabled by default, define both ENABLE_NLS and NLS_PACKAGE macros to enable it. When NLS_PACKAGE macro is defined to "Linux-PAM", pam_tcb will re-use translated messages from Linux-PAM. * pam_tcb/support.h: Mark all messages for translation. Pass through dgettext all messages marked for translation when both ENABLE_NLS and NLS_PACKAGE macros are defined. 2011-07-17 Solar Designer <solar at owl.openwall.com> * tcb.spec: 1.1, "Requires: glibc-crypt_blowfish >= 1.2". * pam_tcb/support.c (_set_ctrl), pam_tcb/pam_tcb.8: changed the default hash encoding prefix from "$2a$" to "$2y$" (requires crypt_blowfish 1.2 or newer). 2010-06-07 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.6. * libs/libtcb.c (tcb_is_suspect): Drop faulty check for sparse files. It was based on a wrong assumption that st_blksize indicates the size of allocated blocks. Also, the notion of sparse files does not apply to filesystems with compression turned on. The purpose of this check was to prevent some DoS attacks on root invoking user management tools and on services doing authentication. On a system with tcb shadow files, if group shadow access is somehow compromised, those files may be directly written to by their corresponding users as well as made sparse, which is what made this check somewhat desirable, but it was insufficient and problematic. Bug reported by Jim Darby <jim at jimbocorp.uklinux.net>. 2010-02-25 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.5. 2010-02-14 Dmitry V. Levin <ldv at owl.openwall.com> Decrease the size of tcb_privs structure allocated in .data segment from 256K to a two dozen bytes by moving a groups array to .bss segment. * include/tcb.h (TCB_NGROUPS): Set to fixed value 1024 to reduce a waste of address space. The former value NGROUPS_MAX is immensely large nowdays, and root privileged processes are not expected to have so large list of supplementary groups anyway. (struct tcb_privs): Move the groups array outside the structure. * libs/libtcb.c (glob_grplist): New static groups array. (tcb_drop_priv_r): Set errno in case of invalid use. (glob_privs, tcb_drop_priv_r, tcb_drop_priv): Update for the change of tcb_privs structure. * libs/nss.c (tcb_safe_open): Likewise. 2010-02-10 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.4. * LICENSE: Update copyright for 2010 year. 2010-01-20 Dmitry V. Levin <ldv at owl.openwall.com> * libs/libtcb.c (tcb_drop_priv_r): Fix potential grpbuf buffer overflow. This function is expected to return -1 if the buffer in tcb_privs structure is not sufficiently large to store all supplementary groups, but it didn't. It treated 1st argument of getgroups(2) as the size of buffer in bytes, but according to specs it should be set to the size of buffer in items that can be stored there. To reproduce the bug, one has to build tcb with NGROUPS_MAX value lesser than the value defined in /proc/sys/kernel/ngroups_max, and set an appropriate (greater than NGROUPS_MAX) number of supplementary groups for the calling process. There doesn't appear to be any untrusted user input involved. Thus, this bug doesn't have to be treated as a security issue. 2010-01-19 Dmitry V. Levin <ldv at owl.openwall.com> * libs/Makefile: Use LDFLAGS more consistently. * progs/Makefile: Likewise. Reported by Paweł Hajdan, Jr. <phajdan.jr at gentoo.org>. 2009-04-03 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.3. 2009-04-02 Dmitry V. Levin <ldv at owl.openwall.com> * LICENSE: Update copyright for 2009 year. * pam_tcb/pam_unix_passwd.c (update_file): Call fflush(3) and fsync(2). Reported by Ermanno Scaglione <erm67 at yahoo.it>. * pam_tcb/support.c (_unix_fork, unix_run_helper_binary): Replace all calls to exit(3) in child processes with calls to _exit(2). Reported by Pascal Terjan <pterjan at mandriva.com>. 2006-10-31 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.2. * pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Free retval_data pointer on error path. * pam_tcb/support.c (user_in_nisdb): Free userinfo string. * progs/tcb_chkpwd.c (zeroise): New function, zeroises string. (unix_verify_password): Free stored_hash string, zeroise hash strings. Reported by Alexander Kanevskiy. 2006-05-06 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0.1. * LICENSE: Updated copyright for 2006 year. * pam_tcb/pam_unix_sess.c (pam_sm_open_session): Fail with PAM_SESSION_ERR for unknown users. 2005-12-28 Dmitry V. Levin <ldv at owl.openwall.com> * tcb.spec: 1.0. * LICENSE: Updated copyrights for 2004 and 2005 years. * pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Bump syslog priorities of three error messages. 2005-09-26 Dmitry V. Levin <ldv at owl.openwall.com> Update logging code to use pam_syslog. Update conversation code to use pam_prompt. * include/attribute.h (TCB_GNUC_PREREQ, TCB_FORMAT, TCB_NONNULL): New macro. (unused): Rewrite using TCB_GNUC_PREREQ. * pam_tcb/compat.c: New file, defines pam_syslog and pam_prompt if PAM does not provide them. * pam_tcb/compat.h: New file, defines prototypes for pam_syslog and pam_prompt if PAM does not provide them. * pam_tcb/Makefile (LIBSRC): Add compat.c. * pam_tcb/pam_unix_acct.c (acct_shadow): Add pam handle parameter. (pam_sm_acct_mgmt): Pass pam handle to functions which now require it. Replace _log_err with pam_syslog. Replace _make_remark with pam_error and pam_info. * pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred): Pass pam handle to functions which now require it. (pam_sm_authenticate): Replace _log_err with pam_syslog. * pam_tcb/pam_unix_passwd.c (PASSWD_TMP_FILE): Remove macro. (update_file): New function, based on update_passwd and update_shadow. (update_passwd, update_shadow): Rewrite using update_file. (get_nis_server, update_nis, do_setpass): Add pam handle parameter. (get_nis_server, update_nis, do_setpass, unix_approve_pass, unix_prelim, pam_sm_chauthtok): Pass pam handle to functions which now require it. Replace _log_err with pam_syslog. Replace _make_remark with pam_error. * pam_tcb/pam_unix_sess.c (pam_sm_open_session, pam_sm_close_session): Pass pam handle to functions which now require it. Replace _log_err with pam_syslog. * pam_tcb/support.c (_log_err, converse, _make_remark): Remove no longer used functions. (_unix_fork, user_in_file, _unix_user_in_db, unix_blankpasswd_plain, _unix_blankpasswd, check_crypt, unix_verify_password_plain, crypt_wrapper_ra, crypt_wrapper, do_crypt, parse_opt, _set_ctrl): Add pam handle parameter. Pass pam handle to functions which now require it. Replace _log_err with pam_syslog. (_unix_read_password): Rewrite prompt handling to use pam_info and pam_prompt. * pam_tcb/support.h: Include "attribute.h" and "compat.h". (cmdline_opts): Add const qualifier to optname variable. (cb_func, _unix_user_in_db, _unix_fork, _set_ctrl, _unix_blankpasswd, _unix_read_password, crypt_wrapper, do_crypt): Update function prototypes. (_log_err, _make_remark): Remove prototypes of removed functions. 2005-09-12 Dmitry V. Levin <ldv at owl.openwall.com> Implement OpenPAM build support. * Make.defs (CFLAGS): Remove -DLINUX_PAM. * pam_tcb/pam_unix_acct.c: Include <syslog.h>. Include <security/pam_appl.h> if and only if [!__LIBPAM_VERSION && !__LINUX_PAM__]. * pam_tcb/pam_unix_auth.c: Likewise. * pam_tcb/pam_unix_passwd.c: Likewise. * pam_tcb/pam_unix_sess.c: Likewise. * pam_tcb/support.c: Likewise. * pam_tcb/support.h: Define pam_item_t and pam_data_t. * pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt): Change type of item variable. * pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred): Likewise. * pam_tcb/pam_unix_passwd.c (unix_prelim, pam_sm_chauthtok): Likewise. * pam_tcb/pam_unix_sess.c (pam_sm_open_session, pam_sm_close_session): Likewise. * pam_tcb/support.c (converse, failures_cleanup, do_record_failure, _unix_read_password): Likewise. * pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Protect code which uses PAM_CONV_AGAIN and PAM_INCOMPLETE with appropriate ifdefs. * pam_tcb/support.c (converse): Likewise. 2005-09-11 Dmitry V. Levin <ldv at owl.openwall.com> * pam_tcb/pam_unix_auth.c (pam_sm_authenticate): Do not override user prompt in calls to pam_get_user, recent PAM releases provide better default. * pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Likewise. * pam_tcb/support.h: Remove PROMPT_USER. * pam_tcb/pam_unix_passwd.c (pam_sm_chauthtok): Fix password string check to avoid potential NULL dereference. * pam_tcb/support.c (unix_verify_password_plain): Check password string to avoid potential NULL dereference. (unix_run_helper_binary): Remove redundant password string check. * progs/tcb_unconvert.c (copy_user_from_tcb): Add const qualifier to msg variable, to fix warning reported by "gcc -Wwrite-strings". 2005-08-23 Dmitry V. Levin <ldv at altlinux.org> Package pam_pwdb.so symlink and pam_pwdb(8) manual page link. * pam_tcb/pam_pwdb.8: New file. * Makefile, pam_tcb/Makefile, tcb.spec: Install pam_pwdb.so and pam_pwdb.8. * tcb.spec: 0.9.9. 2005-08-19 Dmitry V. Levin <ldv at altlinux.org> In the PAM module, implement "openlog" option and disable openlog/closelog calls for each logging function invocation by default. * pam_tcb/support.h: Rename UNIX_NOOPENLOG to UNIX_OPENLOG. * pam_tcb/support.c (_log_err): When UNIX_OPENLOG is not set, prefix log line with the module name. (bool_names): Add negate field. (unix_bools): Add "openlog" option. (parse_opt): Handle negate field. (_set_ctrl) [ENABLE_OPENLOG]: Set UNIX_OPENLOG. * pam_tcb/pam_tcb.8: Document "openlog" option. 2005-08-18 Dmitry V. Levin <ldv at altlinux.org> Restrict list of global symbols exported by the library, NSS and PAM modules. * libs/Makefile: New variables: LIB_MAP and NSS_MAP. Pass --version-script argument when linking shared library and the NSS module. * libs/libnss_tcb.map: New file, version script for the NSS module. * libs/libtcb.c (ch_uid, ch_gid): Make static. * libs/libtcb.map: New file, version script for the library. * pam_tcb/Makefile: New variable: PAM_MAP. Pass --version-script argument when linking the PAM module. * pam_tcb/pam_tcb.map: New file, version script for the PAM module. 2005-04-22 Dmitry V. Levin <ldv at altlinux.org> Enhance multilib support. * Make.defs: New variables: SLIBDIR and LIBDIR. * libs/Makefile, pam_tcb/Makefile, tcb.spec: Use them. * libs/Makefile, pam_tcb/Makefile, misc/Makefile, progs/Makefile: Create all necessary directories in the beginning of install target. 2005-04-22 Dmitry V. Levin <ldv at altlinux.org> Deal with compilation warnings generated by new gcc compiler. * include/attribute.h: New file. * libs/libtcb.c, pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_auth.c, pam_tcb/support.c, pam_tcb/support.h: Include it. * include/attribute.h, pam_tcb/support.h (_log_err): Add workaround for those systems which lack support for __attribute__ directive. * pam_tcb/support.c (_log_err): Remove no longer needed __attribute__ directive. * libs/libtcb.c (alarm_catch), pam_tcb/pam_unix_auth.c (retval_cleanup), pam_tcb/pam_unix_passwd.c (update_nis), pam_tcb/support.c (data_cleanup): Mark unused arguments with "unused" attribute. * libs/libtcb.c (ch_uid, ch_gid, tcb_drop_priv_r), progs/tcb_chkpwd.c (is_two_strings), pam_tcb/support.c (_set_ctrl): Avoid comparison between signed and unsigned. * pam_tcb/support.c (unix_run_helper_binary, unix_verify_password_plain): Eliminate unused variable pamh. * pam_tcb/pam_unix_acct.c (pam_sm_acct_mgmt), pam_tcb/pam_unix_auth.c (pam_sm_authenticate, pam_sm_setcred), pam_tcb/pam_unix_passwd.c (update_nis, do_setpass, unix_prelim, pam_sm_chauthtok), pam_tcb/pam_unix_sess.c (pam_sm_open_session, pam_sm_close_session), pam_tcb/support.c (converse, failures_cleanup, do_record_failure, _unix_read_password): Fix the strict aliasing issues. * tcb.spec: 0.9.8.9. 2004-06-25 Dmitry V. Levin <ldv at altlinux.org> * progs/tcb_unconvert.c (copy_from_tcb): Zero errno before each readdir(3) call. * tcb.spec: 0.9.8.8. 2003-11-02 Solar Designer <solar at owl.openwall.com> * pam_tcb/Makefile: Use -fPIC. * libs/Makefile, misc/Makefile, pam_tcb/Makefile, progs/Makefile, tcb.spec: Renamed FAKEROOT to DESTDIR. * tcb.spec: 0.9.8.7. 2003-10-29 Solar Designer <solar at owl.openwall.com> * libs/nss.c, libs/libtcb.c, pam_tcb/support.c, pam_tcb/pam_unix_passwd.c, pam_tcb/pam_unix_acct.c, progs/tcb_convert.c, progs/tcb_unconvert.c: Don't depend on *BSD-style asprintf(3) semantics as Ulrich has rejected that patch. * README: New file, explains how tcb may be built on non-Owl. * tcb.spec: 0.9.8.6. 2003-04-18 Solar Designer <solar at owl.openwall.com> * misc/tcb.5, pam_tcb/pam_tcb.8, progs/tcb_convert.8: Use bold face for component names in .SH NAME, but avoid *roff commands to not confuse makewhatis and apropos(1). * LICENSE: Updated copyrights for year 2003. * tcb.spec: 0.9.8.5. 2003-04-16 Dmitry V. Levin <ldv at altlinux.org> * pam_tcb/support.c: Implemented proper fake salt creation to avoid a timing attack. * tcb.spec: 0.9.8.4. 2002-10-31 Solar Designer <solar at owl.openwall.com> * progs/tcb_chkpwd.c: Optimized unix_verify_password() a bit, from Dmitry V. Levin <ldv at altlinux.org>. * tcb.spec: 0.9.8.3. 2002-10-30 Solar Designer <solar at owl.openwall.com> * progs/tcb_convert.8: Noted that /etc/shadow backups need to be removed as well, with /etc/shadow- as the particular example. * tcb.spec: 0.9.8.2. 2002-10-24 Solar Designer <solar at owl.openwall.com> * libs/nss.c, libs/libtcb.c, pam_tcb/support.c, progs/tcb_chkpwd.c, progs/tcb_unconvert.c, misc/tcb.5: Cleaned up the recent changes. * tcb.spec: Set version to 0.9.8.1. 2002-08-20 Rafal Wojtczuk <nergal at owl.openwall.com> * libs/nss.c, progs/tcb_unconvert.c, misc/tcb.5: Merged enhancements which remove 32K users limit. * libs/libtcb.c, include/tcb.h: Added ENABLE_SETFSUGID. * pam_tcb/support.c, progs/tcb_chkpwd.c: Pass the username to the helper binary such that it can handle non-unique UIDs. * tcb.spec, libs/Makefile: Set version to 0.9.8. 2002-08-19 Solar Designer <solar at owl.openwall.com> * tcb.spec, libs/Makefile: Moved libtcb.so symlink to /usr/lib (patch from Dmitry V. Levin). 2002-08-04 Solar Designer <solar at owl.openwall.com> * pam_tcb/pam_tcb.5, pam_tcb/pam_unix.5: Moved these manual pages to section 8 (the files are now gone). * pam_tcb/pam_tcb.8, pam_tcb/pam_unix.8: New files, based on the section 5 manual pages with minor changes. * tcb.spec, misc/tcb.5, progs/tcb_convert.8, pam_tcb/Makefile: Updates to reflect the above change. * libs/Makefile: Use trailing slashes after directories with install commands. 2002-07-07 Solar Designer <solar at owl.openwall.com> * pam_tcb/pam_unix_acct.c, pam_tcb/pam_unix_passwd.c: No longer let root enforced password changes (sp_lstchg == 0) take precedence over expired accounts (sp_expire). 2002-05-19 Solar Designer <solar at owl.openwall.com> * Make.defs: Renamed SYSBIN to SBINDIR, define LIBEXECDIR. * tcb.spec, progs/Makefile, pam_tcb/Makefile, pam_tcb/pam_tcb.5, misc/tcb.5: Moved the chkpwd directory to /usr/libexec. * misc/Makefile: Deal with SBINDIR and LIBEXECDIR. 2001-11-28 Dmitry V. Levin <ldv at altlinux.org> * pam_tcb/support.c: Replaced signal call with sigaction call. * pam_tcb/support.c: Fixed possible "dereferencing NULL" typo. * progs/tcb_chkpwd.c: Test also stdout for isatty. * progs/Makefile: Create relative symlink instead of absolute. * libs/nss.c: Fixed glibc-2.2.4 compilation warning. * pam_tcb/pam_unix_passwd.c: Likewise. * progs/tcb_unconvert.c: Likewise.