[scponly] changing passwords remotely over scponly .. what am I doing wrong ?

Ensel Sharon user at dhp.com
Tue Mar 7 14:52:23 EST 2006


Hello,

On Tue, 7 Mar 2006, Kaleb Pederson wrote:

> Ok, there are a couple of things that are bothering me here.  Apparently
> we need to add an additional line or two of debug output to the source.
> 
> So, the passwd program is found correctly and is executed, but we don't
> ever see it return (which I would like to see in debug output).  So, I
> can only assume that it executes correctly, and then dies.
> 
> One problem, you cannot change a password outside of a chroot if you are
> chrooted.  Thus, unless you setup some sort of sync between the password
> and shadow files in the chroot and those outside of the chroot, you
> won't be able to change the password as you expect. Also, are you sure
> that all the necessary dependencies were correctly installed?  Does ldd
> show that everything is resolved?


# ldd /usr/bin/passwd
/usr/bin/passwd:
        libpam.so.3 => /usr/lib/libpam.so.3 (0x45104000)
        libc.so.6 => /lib/libc.so.6 (0x4510b000)
#


And both of those libraries are in the chroot.  Also, I see the complaint
about the missing library on the _client side_ if there is one missing,
which is how I knew to add libpam to the chroot.

So I am all set for deps.


> The only way that I know to get around that, that I know of, is to
> change the password before chrooting.  I created a patch that did this
> and submitted it quite a while ago.  It has not yet made it into the
> source, so I don't believe you will be able to do what you want while
> using a chrooted binary.


Can you please point me to your patch ?  I know I am taking up a fair
amount of your time, and I appreciate your help - could you comment, at
least briefly, on the (security) ramifications of using your patch ?  Can
anyone else ?

Basically I plan on using your patch immediately, because I need this
functionality, but I don't want to go shooting myself in the foot with it
either.  Do _you_ use it in production ?


> I think that the --enable-passwd-compat flag and the
> --enable-chrooted-binary flags need to be mutually exclusive, pending
> the approval of the patch that I submitted a while ago.
> 
> I'll talk to Joe and others on the list about it and see if we can't get
> it approved.  Joe? Others?


Ok, understood - so presumably I am doing everything right, I just need
your patch ?

Thanks a lot.
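As an added example (not code from this thread or from scponly), the two POSIX shell checks below cover the two points raised above: whether every library ldd resolves for a binary actually exists under the chroot, and whether a user's shadow entry inside the chroot still matches the one outside, since a passwd run inside the chroot only rewrites the chroot's copy. The chroot path /home/scponly and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from scponly. Two sanity checks for a
# chrooted scponly setup, in the order the thread raises them.

# chroot_missing_libs CHROOT LDD_OUTPUT
# Parses ldd-style output and prints every resolved library path that does not
# exist under CHROOT. Returns 0 when all are present, 1 when any are missing.
chroot_missing_libs() {
    chroot_dir=$1
    ldd_out=$2
    missing=0
    # "libX => /path (0x...)" lines give $3; the ELF interpreter line is a bare
    # "/path (0x...)"; the "binary:" header and vdso entries are skipped.
    for lib in $(printf '%s\n' "$ldd_out" | awk '
        $2 == "=>" && $3 ~ /^\//      { print $3 }
        $1 ~ /^\// && $1 !~ /:$/       { print $1 }'); do
        if [ ! -e "$chroot_dir$lib" ]; then
            printf 'missing in chroot: %s\n' "$lib"
            missing=1
        fi
    done
    return $missing
}

# shadow_in_sync CHROOT_SHADOW HOST_SHADOW USER
# Succeeds only if USER has an identical entry in both files. passwd run inside
# the chroot rewrites only CHROOT_SHADOW, so a mismatch here is the symptom
# described in the thread.
shadow_in_sync() {
    chroot_shadow=$1
    host_shadow=$2
    user=$3
    inside=$(awk -F: -v u="$user" '$1 == u' "$chroot_shadow")
    outside=$(awk -F: -v u="$user" '$1 == u' "$host_shadow")
    [ -n "$inside" ] && [ -n "$outside" ] && [ "$inside" = "$outside" ]
}

# Stand-alone demo using the ldd output quoted in the mail; the chroot path is
# an assumption and can be overridden through the CHROOT environment variable.
SAMPLE_LDD='/usr/bin/passwd:
        libpam.so.3 => /usr/lib/libpam.so.3 (0x45104000)
        libc.so.6 => /lib/libc.so.6 (0x4510b000)'
CHROOT=${CHROOT:-/home/scponly}
if chroot_missing_libs "$CHROOT" "$SAMPLE_LDD"; then
    echo "all libraries for /usr/bin/passwd present under $CHROOT"
fi
```

Run the shadow check as root against "$CHROOT/etc/shadow" and /etc/shadow after a remote password change to see whether the two copies have drifted apart.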
