RE: [Users] create CT with password

2008-11-11 Thread Dietmar Maurer
> On Tue, Nov 11, 2008 at 10:58:46AM +0100, Dietmar Maurer wrote:
> > Is there a real world example where my approach does not work?
>
> I think your approach won't work as is, at least in any tcb-enabled
> system (see http://www.openwall.com/tcb/) for two obvious reasons:
> - file where root shadow entry is stored is not /etc/shadow;

I guess it is possible to detect the file and store the password?

> - password hashing algorithm in the host system and in containers may
>   differ (this issue is not specific to tcb).

If I interpret the documentation correctly, the password includes the
algorithm used to encode it, so auth will succeed no matter how you
configure pam_unix (the hashing algorithm configuration is only used to
store the password).

- Dietmar


___
Users mailing list
Users@openvz.org
https://openvz.org/mailman/listinfo/users


RE: [Users] create CT with password

2008-11-11 Thread Dietmar Maurer
> > I think your approach won't work as is, at least in any tcb-enabled
> > system (see http://www.openwall.com/tcb/) for two obvious reasons:
> > - file where root shadow entry is stored is not /etc/shadow;
>
> I guess it is possible to detect the file and store the password?

It is a simple test for '/etc/tcb/root/shadow'?

- Dietmar




Re: [Users] create CT with password

2008-11-11 Thread Dmitry V. Levin
Hi,

On Tue, Nov 11, 2008 at 10:58:46AM +0100, Dietmar Maurer wrote:
> Is there a real world example where my approach does not work?

I think your approach won't work as is, at least in any tcb-enabled
system (see http://www.openwall.com/tcb/) for two obvious reasons:
- file where root shadow entry is stored is not /etc/shadow;
- password hashing algorithm in the host system and in containers may
  differ (this issue is not specific to tcb).


-- 
ldv




RE: [Users] create CT with password

2008-11-11 Thread Dietmar Maurer
Is there a real world example where my approach does not work?

I check for /etc/shadow, and store as md5 - AFAIK the user is able to
login with that password on all distributions using pam_unix. If not, we can
still try to read and parse the pam configuration.

It will not work for nis, but that is a rare case. But nis requires a network
anyways, so the current code also fails.

So how can I create a VM with a password? For example:

# vzctl create
# vzctl start
# vzctl set --password

can also fail because the network is not running when we execute the passwd
command (vzctl start does not wait until the network is fully functional, and
passwd requires the network when it uses nis).

Or is that wrong?

- Dietmar


> > The only problem is the solution is not generic. In other words, we
> > can't know how different distros handle local users. It used to be
> > crypt(3) and /etc/passwd (later /etc/shadow) manipulation. Now
> > everybody uses PAM which can be configured in this or that way. For
> > example, new passwords are checked (by pam_cracklib) for minimum
> > length etc. (see pam_cracklib(8) for much more details). Also they
> > could be stored in different ways (this applies to both storage and
> > hashes), say use (or not use) /etc/shadow, md5 or sha256 hash or even
> > NIS (see pam_unix(8) for more details).
>
> I just thought my approach works in 99,99% of all cases, but maybe I am
> wrong.



Re: [Users] create CT with password

2008-11-11 Thread Dmitry V. Levin
On Tue, Nov 11, 2008 at 12:29:04PM +0100, Dietmar Maurer wrote:
> > On Tue, Nov 11, 2008 at 10:58:46AM +0100, Dietmar Maurer wrote:
> > > Is there a real world example where my approach does not work?
> >
> > I think your approach won't work as is, at least in any tcb-enabled
> > system (see http://www.openwall.com/tcb/) for two obvious reasons:
> > - file where root shadow entry is stored is not /etc/shadow;
>
> I guess it is possible to detect the file and store the password?

In tcb-enabled system root shadow entry is usually stored in the
/etc/tcb/root/shadow file.

> > - password hashing algorithm in the host system and in containers may
> >   differ (this issue is not specific to tcb).
>
> If I interpret the documentation correctly, the password includes the
> algorithm used to encode it, so auth will succeed no matter how you
> configure pam_unix (the hashing algorithm configuration is only used to
> store the password).

This way you'll have to either use the most weak hashing algorithm
supported by every container OS, or risk that your modern hashing
algorithm is not supported by some container OS.


-- 
ldv


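Added example (my own code, not from this thread or from vzctl): a small Python check that locates root's shadow entry under a container root in either the tcb layout (/etc/tcb/root/shadow) or the classic /etc/shadow, and reads the algorithm off the hash's $id$ prefix. A provisioning script can use this to see which algorithm the container's existing root entry already uses before writing one of its own. The sample container trees and hash strings are constructed and non-functional.

```python
import os
import re
import tempfile

# crypt(3) "$id$" prefixes: the stored hash names its own algorithm, so a
# container accepts it whatever pam_unix is told to *store*, if it knows the id.
CRYPT_IDS = {"1": "md5", "2a": "blowfish", "5": "sha256", "6": "sha512"}

def crypt_algorithm(hashed):
    """Name the algorithm a shadow password field was hashed with."""
    if hashed == "" or hashed.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", hashed)  # no prefix: traditional DES crypt
    return CRYPT_IDS.get(m.group(1), "unknown(" + m.group(1) + ")") if m else "des"

def locate_root_shadow(ct_root):
    """Return the file holding root's shadow entry, tcb layout first."""
    for rel in ("etc/tcb/root/shadow", "etc/shadow"):
        path = os.path.join(ct_root, rel)
        if os.path.isfile(path):
            return path
    raise FileNotFoundError("no shadow file under " + ct_root)

def root_hash_algorithm(ct_root):
    """Read root's entry from whichever shadow file the container uses."""
    with open(locate_root_shadow(ct_root)) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if fields[0] == "root" and len(fields) > 1:
                return crypt_algorithm(fields[1])
    raise ValueError("no root entry under " + ct_root)

def make_sample_ct(tcb, hashed):
    """Constructed sample container tree in a temp dir (not real data)."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "etc/tcb/root/shadow" if tcb else "etc/shadow")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as f:
        f.write("root:" + hashed + ":14000:0:99999:7:::\n")
    return root

def demo():
    """Compare both layouts using constructed, non-functional hash strings."""
    tcb = make_sample_ct(True, "$5$constructed$notarealhash")
    classic = make_sample_ct(False, "$1$constructed$notarealhash")
    return {
        "tcb_file": locate_root_shadow(tcb).endswith("etc/tcb/root/shadow"),
        "tcb_algo": root_hash_algorithm(tcb),
        "classic_algo": root_hash_algorithm(classic),
    }
```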


RE: [Users] create CT with password

2008-11-11 Thread Dietmar Maurer
> This way you'll have to either use the most weak hashing algorithm
> supported by every container OS, or risk that your modern hashing
> algorithm is not supported by some container OS.

We can customize the scripts per OS (as we do already for other
settings). And md5 is supported on almost any system?

- Dietmar




Re: [Users] create CT with password

2008-11-11 Thread albinootje
Dietmar Maurer wrote:

> Is there a real world example where my approach does not work?
>
> I check for /etc/shadow, and store as md5 - AFAIK the user is able to
> login with that password on all distributions using pam_unix. If not, we can
> still try to read and parse the pam configuration.
>
> It will not work for nis, but that is a rare case. But nis requires a network
> anyways, so the current code also fails.
>
> So how can I create a VM with a password? For example:
>
> # vzctl create
> # vzctl start
> # vzctl set --password
>
> can also fail because the network is not running when we execute the passwd
> command (vzctl start does not wait until the network is fully functional, and
> passwd requires the network when it uses nis).

For NIS you would add users and change passwords on the NIS-master,
or are you setting up the VE as a pre-configured NIS-slave perhaps?



RE: [Users] create CT with password

2008-11-11 Thread Dietmar Maurer
And is it really possible to store the root password on NIS? What happens on
filesystem errors - usually single user mode asks for a password before fsck.
But sure, that can't happen within a container.

- Dietmar

