Gentoo Forums
sys-apps/shadow blockage, pam or cracklib [closed]
i92guboj
Posted: Sat Aug 22, 2020 4:37 pm    Post subject: sys-apps/shadow blockage, pam or cracklib [closed]

Hi.

I've just been greeted by this blockage on a regular system update.

Code:

# eu -n

These are the packages that would be merged, in order:

Calculating dependencies \

!!! Problem resolving dependencies for sys-apps/shadow from @system
... done!

!!! The ebuild selected to satisfy "sys-apps/shadow" has unmet requirements.
- sys-apps/shadow-4.8-r5::gentoo USE="cracklib nls pam (split-usr) su xattr -acl -audit -bcrypt (-selinux) -skey" ABI_X86="(64)"

  The following REQUIRED_USE flag constraints are unsatisfied:
    at-most-one-of ( cracklib pam )

(dependency required by "@system" [set])
(dependency required by "@world" [argument])
Error while running emerge, aborting...


Knowing that this is the kind of decision that can make me waste a whole evening debugging this, I will ask here before gracefully discarding one of those USE flags. I think that the cracklib related functionality is mostly about checking password strength, so it should not be critical.

However, I don't know much about pam, but I know that, even though I never touched it by my own decision, I have stumbled over it several times in the last two decades, with problems related to logging in and desktop session stuff.

Cheers and thanks for any guidance on this one :)


Last edited by i92guboj on Sun Aug 23, 2020 8:54 am; edited 1 time in total
alamahant
Posted: Sat Aug 22, 2020 4:44 pm    Post subject:

I never manually set USE flags for shadow.
But today in 2 unstable systems I had "cracklib" --depcleaned.
It seems the latest versions of pam use
Code:

pam_passwdqc.so

rather than
Code:

pam_cracklib.so

to enforce password standards.
Also it seems stable "shadow" is built with both "pam" and "cracklib" whereas unstable only with "pam".
Unstable:
Code:

equ shadow
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-apps/shadow-4.8.1-r3:
 U I
 + + acl      : Add support for Access Control Lists
 - - audit    : Enable support for Linux audit subsystem using sys-process/audit
 - - bcrypt   : build the bcrypt password encryption algorithm
 - - cracklib : Support for cracklib strong password checking
 + + nls      : Add Native Language Support (using gettext - GNU locale utilities)
 + + pam      : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - skey     : Enable S/Key (Single use password) authentication support
 + + su       : build the su program
 + + xattr    : Add support for extended attributes (filesystem-stored metadata)


Stable:
Code:

equ shadow
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for sys-apps/shadow-4.8-r4:
 U I
 + + acl      : Add support for Access Control Lists
 - - audit    : Enable support for Linux audit subsystem using sys-process/audit
 - - bcrypt   : build the bcrypt password encryption algorithm
 + + cracklib : Support for cracklib strong password checking
 + + nls      : Add Native Language Support (using gettext - GNU locale utilities)
 + + pam      : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - skey     : Enable S/Key (Single use password) authentication support
 + + su       : build the su program
 + + xattr    : Add support for extended attributes (filesystem-stored metadata)
lake / #



Same can be reflected in /etc/pam.d/system-auth
Unstable:
Code:

cat /etc/pam.d/system-auth
auth      required   pam_env.so
auth      required   pam_unix.so try_first_pass likeauth nullok
auth      optional   pam_permit.so
auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth            sufficient      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
account      required   pam_unix.so
account      optional   pam_permit.so
account         required        pam_faillock.so
password   required   pam_passwdqc.so min=8,8,8,8,8 retry=3
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   optional   pam_permit.so
-session        optional        pam_elogind.so
session      required   pam_limits.so
session      required   pam_env.so
session      required   pam_unix.so
session      optional   pam_permit.so


Stable
Code:

cat /mnt/etc/pam.d/system-auth
auth      required   pam_env.so
auth      required   pam_unix.so try_first_pass likeauth nullok
auth      optional   pam_permit.so
account      required   pam_unix.so
account      optional   pam_permit.so
password   required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   optional   pam_permit.so
-session        optional        pam_elogind.so
session      required   pam_limits.so
session      required   pam_env.so
session      required   pam_unix.so
session      optional   pam_permit.so



:)
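
A check for the point made in the post above, as an added example that is not part of the thread: it reads a PAM file and reports which password-quality module vets new passwords before pam_unix.so stores them. The helper name `pam_quality_check` and its verdict strings are hypothetical, and only the two modules named in the post are recognised.

```shell
#!/bin/sh
# Added example, not from the thread. pam_quality_check is a hypothetical helper.
# Reads a pam.d file on stdin and prints one verdict:
#   OK <module> <args>     quality module precedes pam_unix.so, which has use_authtok
#   WARN-ORDER <module>    pam_unix.so is listed before the quality module
#   WARN-AUTHTOK <module>  pam_unix.so is not forced to take the vetted password
#   NONE                   no quality module in the password stack
pam_quality_check() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        $1 !~ /^-?password$/ { next }      # only the password-change stack matters
        {
            # Module = first field ending in .so (steps over [bracketed] controls)
            m = 0
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { m = i; break }
            if (!m) next
            mod = $m; sub(/.*\//, "", mod) # drop any directory prefix
            args = ""
            for (j = m + 1; j <= NF; j++) args = args " " $j
            n++
            if ((mod == "pam_passwdqc.so" || mod == "pam_cracklib.so") && !qpos) {
                q = mod; qpos = n; qargs = args
            } else if (mod == "pam_unix.so" && !upos) {
                upos = n; authtok = (args " ") ~ / use_authtok /
            }
        }
        END {
            if (!qpos)                    print "NONE"
            else if (upos && upos < qpos) print "WARN-ORDER " q
            else if (upos && !authtok)    print "WARN-AUTHTOK " q
            else                          print "OK " q qargs
        }'
}

# Password-stack lines as quoted in the post above, plus one constructed stack.
unstable_stack() {
    printf '%s\n' \
        'password   required   pam_passwdqc.so min=8,8,8,8,8 retry=3' \
        'password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
}
stable_stack() {
    printf '%s\n' \
        'password   required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3' \
        'password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow'
}
bare_stack() { printf '%s\n' 'password required pam_unix.so sha512 shadow'; }  # constructed

unstable_stack | pam_quality_check
stable_stack   | pam_quality_check
bare_stack     | pam_quality_check
```

On a live system the same function can be fed the real file: `pam_quality_check < /etc/pam.d/system-auth`.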
GDH-gentoo
Posted: Sat Aug 22, 2020 9:05 pm    Post subject: Re: sys-apps/shadow blockage, pam or cracklib

i92guboj wrote:
Code:
!!! The ebuild selected to satisfy "sys-apps/shadow" has unmet requirements.
- sys-apps/shadow-4.8-r5::gentoo USE="cracklib nls pam (split-usr) su xattr -acl -audit -bcrypt (-selinux) -skey" ABI_X86="(64)"

  The following REQUIRED_USE flag constraints are unsatisfied:
    at-most-one-of ( cracklib pam )

According to the commit that introduced the constraint:
Quote:
sys-apps/shadow: Disable cracklib default

Built-in cracklib support is just an alternative to the stack installed by the sys-auth/pambase package.
If shadow is built with USE=pam, then it will prefer pam configuration files over cracklib, so cracklib is useless as an option.
The pam use flag is enabled in the linux profiles by default, which covers most use cases.
i92guboj
Posted: Sun Aug 23, 2020 8:54 am    Post subject:

Thank you.

That's what I was understanding as well from alamahant's post. So, now, the man in the middle takes care of everything and shadow doesn't need built-in cracklib support.

Thank you both for the responses, they've been quite helpful.
All times are GMT