PAM Integration: Difference between revisions
Revision as of 07:42, 4 July 2011
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.
Recipes with PAM support
The following recipes were identified as having PAM support (some already implemented) on 2011-06-27:
- at
- consolekit
- cronie
- cups
- dropbear
- gnome-keyring
- mc
- openssh
  - The configuration file /etc/pam.d/sshd is absent, so we need to add patches. After adding this file, it supports PAM functionality, as shown by a simple test.
- polkit
- screen
- shadow
- sudo
- util-linux
Note also:
- libcap: if PAM exists, libcap will create a pam_cap.so to add a new front end for the authentication function. No package uses pam_cap.so now, so it is removed from the list.
- libuser: PAM is a build dependency of libuser, so it is removed from the list too.
- The busybox login has an option to use PAM, but we use tinylogin's login right now (tinylogin also provides the su command).
- gettext has an example file that uses PAM in its source code; I think it is just an example and does not need attention.
- sysvinit has a patch, contrib/notify-pam-dead.patch, for /sbin/init to use PAM, but it is not applied right now. The package doesn't provide a PAM-related configure option either.
- In xserver-xf86-lite, the source code under os/utils checks #ifdef USE_PAM, but there are no configure-time options for PAM.
Identify upstream PAM patches to use
After checking the Fedora development repository, the following packages may need patches (only libpam needs an upgrade; the other patches are PAM-related configuration files):
- libpam: needs an update from the current 1.1.3 to 1.1.4
- screen: check Fedora screen.pam
- util-linux: check Fedora source file util-linux-remote.pamd
- at: check Fedora util-linux-remote.pamd
- cups: check Fedora cups-1.1.16-system-auth.patch
- openssh: check Fedora sshd.pam
PAM Unit Tests
We use the unit test cases provided by libpam itself, in a subdirectory named "xtests" under the libpam source code.
On the build machine, run
bitbake libpam -c patch
to get the libpam source code Linux-PAM-1.1.3, and scp it to the host (target) machine.
On the target machine, under Linux-PAM-1.1.3, run
./configure
make xtests
This gives the test results of 28 unit test cases. If you want to run a single test case, go to the xtests subdirectory and run (taking tst-pam_time1 as an example)
./run-xtests.sh . tst-pam_time1
The results are as follows, with some debug information given at the same time.
- tst-pam_access1
- tst-pam_access2
- tst-pam_access3
- tst-pam_access4
- tst-pam_authsucceed
  - test3: pam_authenticate returned 28
- tst-pam_cracklib1
  - cracklib1-1: pam_chauthtok returned 28
- tst-pam_cracklib2
  - cracklib2-1: pam_chauthtok returned 28
- tst-pam_dispatch1
  - test1: pam_authenticate returned 28
- tst-pam_dispatch2
  - test2: pam_authenticate returned 28
- tst-pam_dispatch3
  - test3: pam_authenticate returned 28
- tst-pam_dispatch4
  - pam_dispatch4: pam_authenticate returned 7
- tst-pam_pwhistory1
- tst-pam_substack2
- tst-pam_succeed_if1
- tst-pam_time1
  - pam_time1: pam_acct_mgmt(xy) returned wrong value, 28, expected 0
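The numbers in the debug lines above are raw Linux-PAM return codes; in Linux-PAM's <security/_pam_types.h>, 28 is PAM_MODULE_UNKNOWN and 7 is PAM_AUTH_ERR. The POSIX shell script below is an added example, not part of the original wiki page or of the libpam test suite, that annotates such lines with the symbolic name so the failures are easier to triage on the target. The function names pam_rc_name and annotate_xtests are hypothetical, and the sample lines are copied from the results above.

```shell
#!/bin/sh
# Added example (not from the wiki page): annotate xtests debug lines with the
# symbolic PAM return code. Names are listed in numeric order, 0..31, as
# defined in Linux-PAM's <security/_pam_types.h>.
PAM_RC_NAMES="PAM_SUCCESS PAM_OPEN_ERR PAM_SYMBOL_ERR PAM_SERVICE_ERR \
PAM_SYSTEM_ERR PAM_BUF_ERR PAM_PERM_DENIED PAM_AUTH_ERR PAM_CRED_INSUFFICIENT \
PAM_AUTHINFO_UNAVAIL PAM_USER_UNKNOWN PAM_MAXTRIES PAM_NEW_AUTHTOK_REQD \
PAM_ACCT_EXPIRED PAM_SESSION_ERR PAM_CRED_UNAVAIL PAM_CRED_EXPIRED PAM_CRED_ERR \
PAM_NO_MODULE_DATA PAM_CONV_ERR PAM_AUTHTOK_ERR PAM_AUTHTOK_RECOVERY_ERR \
PAM_AUTHTOK_LOCK_BUSY PAM_AUTHTOK_DISABLE_AGING PAM_TRY_AGAIN PAM_IGNORE \
PAM_ABORT PAM_AUTHTOK_EXPIRED PAM_MODULE_UNKNOWN PAM_BAD_ITEM PAM_CONV_AGAIN \
PAM_INCOMPLETE"

# Print the symbolic name for the numeric PAM return code given as $1.
pam_rc_name() {
    i=0
    for name in $PAM_RC_NAMES; do
        if [ "$i" -eq "$1" ]; then echo "$name"; return 0; fi
        i=$((i + 1))
    done
    echo UNKNOWN_CODE
}

# Read xtests debug lines on stdin; for each "<label>: <pam_func> returned ..."
# line print "<label> <pam_func> <code> <name>". Other lines are skipped.
annotate_xtests() {
    while IFS= read -r line; do
        case "$line" in
            *": "*" returned "*) ;;
            *) continue ;;
        esac
        label=${line%%:*}
        func=${line#*: }; func=${func%% *}; func=${func%%(*}
        rest=${line##* returned }
        rest=${rest#wrong value, }      # form seen in the pam_time1 output
        code=${rest%%[!0-9]*}           # keep the leading digits only
        [ -n "$code" ] || continue
        printf '%s %s %s %s\n' "$label" "$func" "$code" "$(pam_rc_name "$code")"
    done
}

# Sample input: debug lines as they appear in the results listed on this page.
SAMPLE='test3: pam_authenticate returned 28
pam_dispatch4: pam_authenticate returned 7
pam_time1: pam_acct_mgmt(xy) returned wrong value, 28, expected 0'

printf '%s\n' "$SAMPLE" | annotate_xtests
```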