While this question is discussed - don't you want to consider a complete
switch from pam_tcb to pam_unix (as used in other distros) and from
blowfish (iirc, it is still used for passwords in cooker) to sha? We
performed such a move in ROSA not long ago, since it turned out that the
old way doesn't integrate well with new Gnome.
Blowfish encryption seems to come from old MDV; not sure what was the
reason for this, but this definitely decreases security.
On 18.02.2014 21:55, [email protected] wrote:
While helping fedya to debug some problems in the aarch64
chroot, I found that only mandriva* has this:
$ rpm -q --scripts pam
[...]
if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then
    /usr/sbin/set_tcb --auto --migrate
fi
[...]
Note that also, from tested distros (well, suse and fedora) only
mandriva* has a USE_TCB string in /etc/login.defs, but the scriptlet
is very naive, because the USE_TCB string in mandriva* is setting it
to "no" ...
I think it is safe to match other distros and remove that scriptlet.
pam_tcb is supposed to be an alternative to shadow, and that may
cause a lot of harm...
This probably was also the reason I did need to fix my cooker vm
because /etc/shadow was corrupted, and all started, apparently
after forcing a rebuild of libutempter to "fix" dependency issues
generating a new chroot.
For better archeology:
http://svn.mandriva.com/viewvc/packages/cooker/pam/current/SPECS/pam.spec?view=annotate
Thanks,
Paulo
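
Added example (not part of either message, and not the pam package's own scriptlet): the scriptlet quoted above tests only whether the string USE_TCB occurs in /etc/login.defs, whatever value it is set to. The sketch below runs that same grep next to a check that parses the setting's value, over constructed sample files; the function names and the last-assignment-wins rule are assumptions of this example.

```shell
#!/bin/sh
# Compare a plain string match on USE_TCB with parsing its value.
# The sample files are constructed for this example, not copied from a distro.

# Same test as the scriptlet's grep: true if the string appears anywhere,
# including in a comment or in a "USE_TCB no" line.
mentions_tcb() {
    [ -f "$1" ] && grep -q USE_TCB "$1"
}

# Value-aware test: prints "yes", "no" or "unset". Comment lines are skipped;
# the last uncommented assignment is used (assumption of this example).
tcb_value() {
    [ -f "$1" ] || { echo unset; return 0; }
    awk '
        /^[ \t]*#/      { next }
        $1 == "USE_TCB" { v = tolower($2) }
        END             { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Run both checks over four constructed login.defs variants.
demo() {
    d=$(mktemp -d) || return 1
    printf 'UMASK 022\nUSE_TCB no\n'  > "$d/disabled"
    printf '# USE_TCB yes\nUMASK 022\n' > "$d/commented"
    printf 'UMASK 022\nUSE_TCB yes\n' > "$d/enabled"
    printf 'UMASK 022\n'              > "$d/absent"
    for f in disabled commented enabled absent; do
        if mentions_tcb "$d/$f"; then m=match; else m=nomatch; fi
        echo "$f: grep=$m value=$(tcb_value "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

The "disabled" and "commented" samples both satisfy the grep although neither enables tcb, which is the case a value-aware check separates from "enabled".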