tiwe-de / libpam-pwdfile Goto Github PK

Hello.
I want to use this module in old version of CentOS 5.
Is there any way to use it on this distro? I've tried to use it with ssh, but it fails to load with this message:

Jun 16 21:40:17 localhost sshd[3738]: PAM unable to dlopen(/lib64/security/pam_pwdfile.so)
Jun 16 21:40:17 localhost sshd[3738]: PAM [error: /lib64/security/pam_pwdfile.so: undefined symbol: pam_get_authtok]
Jun 16 21:40:17 localhost sshd[3738]: PAM adding faulty module: /lib64/security/pam_pwdfile.so

Thanks for the work about this module, it's cool!

There's a little bug here:

When I compiled the code in Centos, it will end up by this error:

/usr/bin/ld: dynamic/pam_pwdfile.o: relocation R_X86_64_32S against `a local symbol' can not be used when making a shared object; recompile with -fPIC
dynamic/pam_pwdfile.o: could not read symbols: Bad value
collect2: ld returned 1 exit status

And I certainly followed the error instruction to add '-fPIC' to replace:

CFLAGS += -D_BSD_SOURCE

by :

CFLAGS += -D_BSD_SOURCE -fPIC

Is that a by design or just a missing of '-fPIC'.

By the way:

The compilation instruction is a little too cost, my way is:

1. Download the PAM tarball(The tarball in linux kernel is removed):
   wget -c http://pkgs.fedoraproject.org/repo/pkgs/pam/Linux-PAM-0.75.tar.bz2/2f19d6f6908e46d8b4d115e9f842d147/Linux-PAM-0.75.tar.bz2
2. untar it and configure
   tar xvjf Linux-PAM-0.75.tar.bz2 && configure && cd Linux-PAM-0.75/modules
3. get pwdfile code and compile it(don't forget add the -fPIC):
   git clone git://github.com/tiwe-de/libpam-pwdfile.git && cd libpam-pwdfile && make all

Looking into you code I see
if (!(pwdfile = fopen(pwdfilename, "r"))) {
directly in the PAM module code. This means that if this module is called by non root application (screensaver, su, etc.) it can no be read. And if it can be read, this means it's permissions are world readable which is not good for password files.
I have the same issue with my PAM module and I found that authorization part should be put to a separate NSS module.

Apache's htpasswd uses a slightly different hashing method (signature $apr1$) for MD5-encoded passwords than the method supported by libpam-pwdfile (signature $1$). That leads to situations like this: http://serverfault.com/questions/450214/vsftpd-will-not-accept-passwords-encrypted-with-md5

It is possible to still use htpasswd with the -d flag, but that leads to less-secure hashes and an 8-character password length limit.

Here is a patch to enable support for Apache-style MD5 passwords in libpam-pwdfile:
https://gist.github.com/powerpiglet/b3b1c9f68afc39faf85d

Any chance you would push an updated version for Ubuntu Precise?
It would be good for security, considering the version available in repository (libpam-pwdfile (0.99-4)) does not support hashes better than md5 and wasn't updated in a long time.
Otherwise, do you know any other Ubuntu/Deb package for reading password files?

Thanks