PAM Integration

From Yocto Project
Jump to navigationJump to search

For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

Recipes with PAM support

The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:

  • at
  • consolekit
  • cronie
  • cups
  • dropbear
  • For supporting pam in dropbear, we need two steps:
    • Add configuration "--enable-pam"
    • Add patches to enable pam codes in dropbear
    • Test result
      • Server
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
account  required     pam_access.so
$vi /etc/security/access.conf
- : root : ALL
      • Costumer
$ssh root@192.168.7.2
root@192.168.7.2's password: 
Permission denied, please try again.
root@192.168.7.2's password: 
Permission denied, please try again.
root@192.168.7.2's password: 
Permission denied (publickey,password).
  • gnome-keyring
  • openssh
    • Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can supprot pam function through simple test.
    • Test Result
      • Server
$touch /etc/nologin
      • Customer
$ssh username@server-ip
(can't log in)
  • polkit
  • screen
  • shadow
  • sudo
  • util-linux
  • xserver-xf86-lite

Notes:

  • mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. Official change log
  • libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
  • libuser: pam is libuser's build dependency, so remove it too.
  • The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
  • gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
  • sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.

Identify upstream PAM patches to use

After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):

  • libpam: need update from current 1.1.3 to 1.1.4 Release Notes
  • sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
    • /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
 #%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
  • screen: check Fedora screen.pam
  • util-linux: check Fedora source file util-linux-remote.pamd
  • at: check Fedora util-linux-remote.pamd
  • cups: check Fedora cups-1.1.16-system-auth.patch
  • openssh: check Fedora sshd.pam

PAM Unit Tests

We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code.

On build machine run

 bitbake libpam -c patch

to get the libpam source code Linux-PAM-1.1.4, and scp it to host(target) machine.

On the target machine under Linux-PAM-1.1.4, run

 ./configure
 make xtests

will get the test result of 28 unit test case. If you want to run sigle test case, go to subdirectory xtests and run (take tst-pam_time1 for example)

 ./run-xtests.sh . tst-pam_time1

Some unit test can NOT pass(15/28), they need some pam plugin libraies:

  • tst-pam_access1
  • tst-pam_access2
  • tst-pam_access3
  • tst-pam_access4
    • the tst-pam_access test cases need pam_access.so, install package pam-plugin-access will make them pass the test
  • tst-pam_authsucceed
    • need pam_debug.so, install pam-plugin-debug to make it pass
  • tst-pam_cracklib1
  • tst-pam_cracklib2
    • need /lib/security/pam_cracklib.so, need build cracklib, and then libpam will check it and create pam-plugin-cracklib
    • need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
   create-cracklib-dict /usr/share/cracklib/cracklib-small
  • tst-pam_dispatch1
  • tst-pam_dispatch2
  • tst-pam_dispatch3
  • tst-pam_dispatch4
    • need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass
  • tst-pam_pwhistory1
    • need /lib/security/pam_pwhistory.so, install pam-plugin-pwhistory to make it pass
  • tst-pam_substack2
    • need pam_debug.so, install pam-plugin-debug to make tst-pam_dispatch pass
  • tst-pam_succeed_if1
    • install pam-plugin-succeed-if to make it pass
  • tst-pam_time1
    • install pam-plugin-time to make it pass