From owner-freebsd-security@FreeBSD.ORG Mon Feb 23 14:44:24 2009
From: Krassimir Slavchev
To: freebsd-security@freebsd.org
Date: Mon, 23 Feb 2009 16:27:16 +0200
Subject: OpenSolaris Cryptographic Framework

Hello All,

Are there any plans to import the Cryptographic Framework from OpenSolaris to FreeBSD?

Reference: http://opensolaris.org/os/project/crypto/

Best Regards

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 16:06:53 2009
From: Ivan Grover
To: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2009 20:47:00 +0530
Subject: PAM rules inside pam.d

Hi All,

I had PAM rules for my own service as below:

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_deny.so

This used to work properly in my older PAM libraries. For successful authentication, it used to return from pam_stack.so, as system-auth has sufficient in its rules as below, and it doesn't pass below the stack to pam_deny.so:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and library, it doesn't work. To make it work, I need to remove the last one, pam_deny.so, as below.

auth required pam_stack.so service=system-auth
auth required pam_nologin.so

Can anyone please let me know if you have seen a similar problem? Any suggestions/comments, please advise.

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 19:41:39 2009
From: Dag-Erling Smørgrav
To: Ivan Grover
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2009 20:41:37 +0100
Subject: Re: PAM rules inside pam.d

Ivan Grover writes:
> Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
> library [...]

Upgrading from what to what?

Have you tried the standard debugging procedure?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 14:18:42 2009
From: Ivan Grover
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Fri, 27 Feb 2009 19:48:41 +0530
Subject: Re: PAM rules inside pam.d

Hi,
I am sorry, my observation was wrong.

I debugged the problem, it looks strange, these are my findings:

I have my PAM rules for my service as

auth required /lib/security/pam_securetty.so
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so

The pam_unix module returns authentication failure from pam_unix.so from pam_stack.so, hence the control reaches pam_nologin.so.

The same rules work well with telnet/ftp, but fail for my service.

I have checked the username, password passed to PAM module by changing the sources of pam_nologin.so, they are proper. I didn't have sources for pam_unix, so I am not able to detect the exact problem.

My suspicion is that my application using my PAM service might have done some fd leaks or any other problem. But the max fds open by my application are 185, which is still below the max limit (OPEN_MAX).

Restarting the application resolves the problem and I am able to authenticate the user.

Can anyone help me with what could be the problem?

Thanks and Best Regards,

On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav wrote:

> Ivan Grover writes:
> > Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
> > library [...]
>
> Upgrading from what to what?
>
> Have you tried the standard debugging procedure?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 16:10:43 2009
From: Ivan Grover
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Fri, 27 Feb 2009 21:40:42 +0530
Subject: Re: PAM rules inside pam.d

I debugged pam_unix as well, it looks like the crypt function is giving different strings for telnet and my application with the same passwd string and salt. So I think the issue could be with the crypt library linked with telnet and my application. Please let me know your thoughts.

crypt(plaintext_ptr, salt);

On Fri, Feb 27, 2009 at 7:48 PM, Ivan Grover wrote:

> Hi,
> I am sorry, my observation was wrong.
>
> I debugged the problem, it looks strange, these are my findings:
>
> I have my PAM rules for my service as
>
> auth required /lib/security/pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
>
> The pam_unix module returns authentication failure from pam_unix.so from
> pam_stack.so, hence the control reaches pam_nologin.so.
>
> The same rules work well with telnet/ftp, but fail for my service.
>
> I have checked the username, password passed to PAM module by changing the
> sources of pam_nologin.so, they are proper. I didn't have sources for
> pam_unix, so I am not able to detect the exact problem.
>
> My suspicion is that my application using my PAM service might have done some
> fd leaks or any other problem. But the max fds open by my application are
> 185, which is still below the max limit (OPEN_MAX).
>
> Restarting the application resolves the problem and I am able to
> authenticate the user.
>
> Can anyone help me with what could be the problem?
>
> Thanks and Best Regards,
>
> On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav wrote:
>
>> Ivan Grover writes:
>> > Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
>> > library [...]
>>
>> Upgrading from what to what?
>>
>> Have you tried the standard debugging procedure?
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
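
A simplified model of the required/sufficient control-flag logic that the rules in this thread rely on, added here as an illustration; it is not code from any poster or from libpam. The two ways of evaluating the nested system-auth stack (as a single module result, or as lines pasted into the caller) are modelling assumptions, and the module outcomes are constructed inputs.

```python
# Simplified model of PAM auth control flags; not libpam code.
# Rule lists mirror the thread; module outcomes are constructed inputs.
SYSTEM_AUTH = [("required", "pam_env"), ("sufficient", "pam_unix"),
               ("required", "pam_deny")]
FIRST_RULES = [("required", "pam_securetty"), ("required", "stack:system-auth"),
               ("required", "pam_deny")]
LATER_RULES = [("required", "pam_securetty"), ("required", "stack:system-auth"),
               ("required", "pam_nologin")]
STACKS = {"system-auth": SYSTEM_AUTH}

def flatten(stack):
    """Paste sub-stack lines into the caller (assumed 'inline' mode)."""
    out = []
    for control, module in stack:
        if module.startswith("stack:"):
            out.extend(flatten(STACKS[module[6:]]))
        else:
            out.append((control, module))
    return out

def evaluate(stack, results, trace):
    """Run one stack; a nested stack counts as a single module result."""
    passed = failed = False
    for control, module in stack:
        if module.startswith("stack:"):
            ok = evaluate(STACKS[module[6:]], results, trace)
        else:
            trace.append(module)
            ok = results[module]
        if ok:
            passed = True
            if control == "sufficient" and not failed:
                return True          # success ends this stack immediately
        elif control == "requisite":
            return False             # failure ends this stack immediately
        elif control == "required":
            failed = True            # remembered, but later modules still run
    return passed and not failed

def run(rules, unix_ok, inline=False):
    """Return (authenticated, modules_called) for a sample login."""
    results = {"pam_securetty": True, "pam_env": True, "pam_nologin": True,
               "pam_deny": False, "pam_unix": unix_ok}
    trace = []
    ok = evaluate(flatten(rules) if inline else rules, results, trace)
    return ok, trace

if __name__ == "__main__":
    for rules, unix_ok, inline in [(FIRST_RULES, True, False),
                                   (FIRST_RULES, True, True),
                                   (LATER_RULES, False, False)]:
        print(run(rules, unix_ok, inline))
```

In this model a trailing required pam_deny.so denies every login when the nested stack is treated as one module, and is never reached when the nested lines are evaluated inline and pam_unix succeeds.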