* [gentoo-user] A quick test of su
From: walt @ 2010-01-18 22:07 UTC
To: gentoo-user

Can I trouble you folks to do this ten-second test and report your
results?

As an ordinary user, type 'su' at a bash prompt.  Now, where you
would normally type your root password, just type Ctrl-d instead.

What do you see?  (I'm ruling out evil spirits here, so please bear
with me ;)

Thanks for your help.

* Re: [gentoo-user] A quick test of su
From: Allan Gottlieb @ 2010-01-18 22:13 UTC
To: gentoo-user

At Mon, 18 Jan 2010 14:07:21 -0800 walt <w41ter@gmail.com> wrote:

> Can I trouble you folks to do this ten-second test and report your
> results?
>
> As an ordinary user, type 'su' at a bash prompt.  Now, where you
> would normally type your root password, just type Ctrl-d instead.
>
> What do you see?  (I'm ruling out evil spirits here, so please bear
> with me ;)
>
> Thanks for your help.

Looks good here.
allan

gottlieb@allan ~ $ su
Password:
su: Authentication information cannot be recovered
gottlieb@allan ~ $

* Re: [gentoo-user] A quick test of su
From: Zeerak Waseem @ 2010-01-18 22:14 UTC
To: gentoo-user

On Mon, 18 Jan 2010 23:13:55 +0100, Allan Gottlieb <gottlieb@nyu.edu> wrote:

> At Mon, 18 Jan 2010 14:07:21 -0800 walt <w41ter@gmail.com> wrote:
>
>> Can I trouble you folks to do this ten-second test and report your
>> results?
>>
>> As an ordinary user, type 'su' at a bash prompt.  Now, where you
>> would normally type your root password, just type Ctrl-d instead.
>>
>> What do you see?  (I'm ruling out evil spirits here, so please bear
>> with me ;)
>>
>> Thanks for your help.
>
> Looks good here.
> allan
>
> gottlieb@allan ~ $ su
> Password:
> su: Authentication information cannot be recovered
> gottlieb@allan ~ $
>

Same here :-)

zeerak@Zeerak /home/zeerak $ su
Password:
su: Authentication information cannot be recovered

--
Zeerak

* Re: [gentoo-user] A quick test of su
From: ubiquitous1980 @ 2010-01-18 22:21 UTC
To: gentoo-user

Zeerak Waseem wrote:
> On Mon, 18 Jan 2010 23:13:55 +0100, Allan Gottlieb <gottlieb@nyu.edu>
> wrote:
>
>> At Mon, 18 Jan 2010 14:07:21 -0800 walt <w41ter@gmail.com> wrote:
>>
>>> Can I trouble you folks to do this ten-second test and report your
>>> results?
>>>
>>> As an ordinary user, type 'su' at a bash prompt.  Now, where you
>>> would normally type your root password, just type Ctrl-d instead.
>>>
>>> What do you see?  (I'm ruling out evil spirits here, so please bear
>>> with me ;)
>>>
>>> Thanks for your help.
>>
>> Looks good here.
>> allan
>>
>> gottlieb@allan ~ $ su
>> Password:
>> su: Authentication information cannot be recovered
>> gottlieb@allan ~ $
>>
>
> Same here :-)
>
> zeerak@Zeerak /home/zeerak $ su
> Password:
> su: Authentication information cannot be recovered
>
>
su: Authentication information cannot be recovered

* Re: [gentoo-user] A quick test of su
From: Stroller @ 2010-01-19 1:15 UTC
To: gentoo-user

On 18 Jan 2010, at 22:13, Allan Gottlieb wrote:
> ...
> gottlieb@allan ~ $ su
> Password:
> su: Authentication information cannot be recovered
> gottlieb@allan ~ $

On my Linux boxes I get the same as everyone else.

My Mac apologises to me. :/

Stroller.

* Re: [gentoo-user] A quick test of su
From: Hilco Wijbenga @ 2010-01-18 22:14 UTC
To: gentoo-user

2010/1/18 walt <w41ter@gmail.com>:
> Can I trouble you folks to do this ten-second test and report your
> results?
>
> As an ordinary user, type 'su' at a bash prompt.  Now, where you
> would normally type your root password, just type Ctrl-d instead.
>
> What do you see?  (I'm ruling out evil spirits here, so please bear
> with me ;)

su: Authentication information cannot be recovered

> Thanks for your help.

What did I win? :-)

* Re: [gentoo-user] A quick test of su
From: John H. Moe @ 2010-01-19 0:06 UTC
To: gentoo-user

Hilco Wijbenga wrote:
> 2010/1/18 walt <w41ter@gmail.com>:
>
>> Can I trouble you folks to do this ten-second test and report your
>> results?
>>
>> As an ordinary user, type 'su' at a bash prompt.  Now, where you
>> would normally type your root password, just type Ctrl-d instead.
>>
>> What do you see?  (I'm ruling out evil spirits here, so please bear
>> with me ;)
>>
>
> su: Authentication information cannot be recovered
>
>
>> Thanks for your help.
>>
>
> What did I win? :-)
>

Same result:

jmoe@aus9703 ~ $ su
Password:
su: Authentication information cannot be recovered

* [gentoo-user] Re: A quick test of su
From: walt @ 2010-01-19 0:41 UTC
To: gentoo-user

On 01/18/2010 02:14 PM, Hilco Wijbenga wrote:
> 2010/1/18 walt<w41ter@gmail.com>:
>> Can I trouble you folks to do this ten-second test and report your
>> results?
>>
>> As an ordinary user, type 'su' at a bash prompt.  Now, where you
>> would normally type your root password, just type Ctrl-d instead.
>>
>> What do you see?  (I'm ruling out evil spirits here, so please bear
>> with me ;)
>
> su: Authentication information cannot be recovered
>
>> Thanks for your help.
>
> What did I win? :-)

Congratulations, you just won my evil spirits.  Please come pick them up
ASAP, as they're getting hungry.

The evil spirits in my x86 and ~amd64 machines seem to be outvoted by
4:1 (so far).

Here is what I see on both machines:

$su
Password:    <===== I type Ctrl-d here
Segmentation fault

I've traced this problem to the pam_ssh package, which is supposed
to return a charstring containing the typed password, but it instead
returns a null pointer when I type Ctrl-d.  Calamity ensues.

I've filed a gentoo bug report that has generated only puzzlement so
far, and I guess your responses explain why.  I have evil spirits in
my two machines, and you don't.

* Re: [gentoo-user] Re: A quick test of su
From: Philip Webb @ 2010-01-19 15:41 UTC
To: gentoo-user

100118 walt wrote:
> On 01/18/2010 02:14 PM, Hilco Wijbenga wrote:
>> 2010/1/18 walt<w41ter@gmail.com>:
>>> As an ordinary user, type 'su' at a bash prompt.  Now, where you
>>> would normally type your root password, just type Ctrl-d instead.
>> su: Authentication information cannot be recovered
> Here is what I see on both machines:
> $su
> Password: <===== I type Ctrl-d here
> Segmentation fault

Different as always, what I get with Konsole Xterm Terminal(Xfce) is:

  499: ~> su
  Password:
  500: ~>

When I need to do things as root, I always use a dedicated root terminal,
which I have running on Desktop 7 & for which I use the command (Fluxbox)
'terminal --geometry 178x52+0+0 --command su'.

Ah, I forgot: I have added to ~/.bashrc 'IGNOREEOF=1 ; export IGNOREEOF',
which requires 2 ^d's to exit the terminal.
When I enter 2 ^d's after the 'su' as above, I get

  501: ~> su
  Password:
  502: ~> Use "exit" to leave the shell.
  502: ~>

HTH

--
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca

* [gentoo-user] Re: A quick test of su [SOLVED]
From: walt @ 2010-01-19 17:55 UTC
To: gentoo-user

On 01/18/2010 04:41 PM, walt wrote:

> Here is what I see on both machines:
>
> $su
> Password: <===== I type Ctrl-d here
> Segmentation fault
>
> I've traced this problem to the pam_ssh package, which is supposed
> to return a charstring containing the typed password, but it instead
> returns a null pointer when I type Ctrl-d.  Calamity ensues.

The key here is the pam_ssh package, which apparently the rest of you
don't use for authentication.

I've added "auth sufficient pam_ssh.so" to the pam system-auth file
so I can ssh between local machines using my ssh private key for
authentication.

Thanks for testing.

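[Added example, not part of the thread and not pam_ssh or Linux-PAM source: a small C model of the failure walt describes above, where the password prompt yields a null pointer on Ctrl-d, next to a caller that checks for it. All function and constant names, and the sample password "hunter2", are hypothetical and constructed for the illustration.]

```c
/* Added illustration: a self-contained model, NOT pam_ssh or Linux-PAM code.
 * Every name below (read_secret, auth_*, MODEL_*) is hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes: matched / typed but wrong / prompt ended with no secret (EOF). */
enum model_rc { MODEL_SUCCESS, MODEL_AUTH_FAILURE, MODEL_NO_AUTH_INFO };

/* Stand-in for the password prompt. Returns a heap copy of one line, or NULL
 * when the stream is already at EOF, as after Ctrl-d at an empty prompt. */
static char *read_secret(FILE *in)
{
    char buf[128];
    if (fgets(buf, sizeof buf, in) == NULL)
        return NULL;
    buf[strcspn(buf, "\n")] = '\0';
    char *copy = malloc(strlen(buf) + 1);
    if (copy != NULL)
        strcpy(copy, buf);
    return copy;
}

/* Failure class from the thread: the caller assumes a string always comes
 * back, so EOF input makes strcmp() dereference a null pointer. */
enum model_rc auth_unchecked(FILE *in, const char *expected)
{
    char *secret = read_secret(in);
    enum model_rc rc = strcmp(secret, expected) ? MODEL_AUTH_FAILURE : MODEL_SUCCESS;
    free(secret);
    return rc;
}

/* Hardened form: "no secret" is a distinct error, returned before any use.
 * (Plain strcmp keeps the model short; real code verifies a hash.) */
enum model_rc auth_checked(FILE *in, const char *expected)
{
    char *secret = read_secret(in);
    if (secret == NULL)
        return MODEL_NO_AUTH_INFO;
    enum model_rc rc = strcmp(secret, expected) ? MODEL_AUTH_FAILURE : MODEL_SUCCESS;
    free(secret);
    return rc;
}

/* Constructed input: a pipe preloaded with `typed`; "" models Ctrl-d. */
FILE *stream_with(const char *typed)
{
    int fds[2];
    if (pipe(fds) != 0)
        return NULL;
    ssize_t n = write(fds[1], typed, strlen(typed));
    close(fds[1]);
    if (n < 0) { close(fds[0]); return NULL; }
    return fdopen(fds[0], "r");
}

/* Feed constructed input to the hardened caller. */
enum model_rc try_checked(const char *typed, const char *expected)
{
    FILE *in = stream_with(typed);
    if (in == NULL) abort();
    enum model_rc rc = auth_checked(in, expected);
    fclose(in);
    return rc;
}

/* Run auth_unchecked on EOF input in a child so the crash stays contained.
 * Returns the signal that killed the child, 0 if it exited, -1 on error. */
int unchecked_signal_on_eof(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        FILE *in = stream_with("");
        _exit(in != NULL && auth_unchecked(in, "hunter2") == MODEL_SUCCESS ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("correct=%d wrong=%d empty-line=%d eof=%d unchecked-eof-signal=%d\n",
           try_checked("hunter2\n", "hunter2"), try_checked("nope\n", "hunter2"),
           try_checked("\n", "hunter2"), try_checked("", "hunter2"),
           unchecked_signal_on_eof());
    return 0;
}
```

[In this model an empty line (Enter) and EOF (Ctrl-d) are different inputs: the first is a wrong password, the second is a missing one, and only the second reaches the null pointer.]
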
* [gentoo-user] Re: A quick test of su [SOLVED]
From: Nikos Chantziaras @ 2010-01-19 18:26 UTC
To: gentoo-user

On 01/19/2010 07:55 PM, walt wrote:
> On 01/18/2010 04:41 PM, walt wrote:
>
>> Here is what I see on both machines:
>>
>> $su
>> Password: <===== I type Ctrl-d here
>> Segmentation fault
>>
>> I've traced this problem to the pam_ssh package, which is supposed
>> to return a charstring containing the typed password, but it instead
>> returns a null pointer when I type Ctrl-d.  Calamity ensues.
>
> The key here is the pam_ssh package, which apparently the rest of you
> don't use for authentication.

Just a quick question: what do you need PAM for?  No it's not a
rhetorical question.  I always wondered what PAM is good for; to find
out, I completely removed everything PAM related from my system ("-pam"
in make.conf and then rebuild everything and then depclean.)  The system
works exactly the same as before.  So I'm left wondering what PAM was
doing in the first place?

* Re: [gentoo-user] Re: A quick test of su [SOLVED]
From: Alan McKinnon @ 2010-01-19 20:04 UTC
To: gentoo-user

On Tuesday 19 January 2010 20:26:29 Nikos Chantziaras wrote:
> On 01/19/2010 07:55 PM, walt wrote:
> > On 01/18/2010 04:41 PM, walt wrote:
> >> Here is what I see on both machines:
> >>
> >> $su
> >> Password: <===== I type Ctrl-d here
> >> Segmentation fault
> >>
> >> I've traced this problem to the pam_ssh package, which is supposed
> >> to return a charstring containing the typed password, but it instead
> >> returns a null pointer when I type Ctrl-d.  Calamity ensues.
> >
> > The key here is the pam_ssh package, which apparently the rest of you
> > don't use for authentication.
>
> Just a quick question: what do you need PAM for?  No it's not a
> rhetorical question.  I always wondered what PAM is good for; to find
> out, I completely removed everything PAM related from my system ("-pam"
> in make.conf and then rebuild everything and then depclean.)  The system
> works exactly the same as before.  So I'm left wondering what PAM was
> doing in the first place?
>

pam allows you to customize your authentication strategy, in a way somewhat
similar to the windows model - load modules or whatever and a new auth scheme
comes into play.

Without pam, you use the traditional unix authentication scheme for local
login as done by (I think) login.  Other auth-related packages run as root or
suid root, use their own scheme to authenticate you then take appropriate
action to give you what you want.  sshd is a great example - with key-based
auth it goes nowhere near your shadow entry yet still gives you a full-blown
shell.

This means that all auth packages must implement their own auth scheme, which
can be problematic for the same reason that bundled zlib libraries are
problematic - you don't always know they are there and if buggy represent a
huge risk.

pam centralises that and gives an API that any package can link to for auth
purposes.  You have one set of auth libs in a known place that can be
extensively audited for bugs, lack of.  Plus pam is designed to be
customizable so you the admin dictate how your auth works.  If you need retina
scanners, thumbprint readers, one-time passwords as well as shadow password to
log in, then you configure pam to make it so (you will need drivers for those
hardware scanners).  Ridiculous example of course, but perfectly possible with
pam.

Most distros ship a standard pam config that gives you exactly what unix-style
auth and sshd did all along.  So when you remove pam, you see no difference.

As an example, my Unix systems use short usernames and the company's AD uses
firstname.surname for windows login names.  We decided to force users to log
onto the Cisco kit via a Linux gateway and to use the one-time-password gadget
setup for the Juniper VPN as well.  Users auth to the Linux gateways using ssh
with an AD username, password and the token from the OTP fob and they
miraculously get logged in to the Linux box with a *different* (short)
username.  That username is the same as the Cisco auth scheme (we can't change
it due to limitations in the tacacs+ protocol).

Without pam, this would have been exceptionally hard to do.  So hard, that all
of us refused to even begin, citing horrendous security risks.  With pam, it
was almost trivial - 20 lines of code.

So all the above is true but also a lot of marketing blurb.  There are two
downsides to pam:

The configuration is horrible and abstracted many more times than makes sense.
You need to be very very careful that what you type is what you want.

And coding authentication apps is very hard indeed, you need coders of very
high skill to do it right.

The jury is still mostly out on whether pam achieved its goals or not.
Unix-pam seems to mostly have got it right.  Linux-pam is slapdash in
comparison, no thanks to Red Hat's infamous pam_console.so.  flameeyes is of
the opinion that linux-pam should not really be suffered to live.  I mostly
agree with flameeyes.

--
alan dot mckinnon at gmail dot com

* [gentoo-user] Re: A quick test of su [SOLVED]
From: walt @ 2010-01-20 21:39 UTC
To: gentoo-user

On 01/19/2010 10:26 AM, Nikos Chantziaras wrote:
> On 01/19/2010 07:55 PM, walt wrote:
>> On 01/18/2010 04:41 PM, walt wrote:
>>
>>> Here is what I see on both machines:
>>>
>>> $su
>>> Password: <===== I type Ctrl-d here
>>> Segmentation fault
>>>
>>> I've traced this problem to the pam_ssh package, which is supposed
>>> to return a charstring containing the typed password, but it instead
>>> returns a null pointer when I type Ctrl-d.  Calamity ensues.
>>
>> The key here is the pam_ssh package, which apparently the rest of you
>> don't use for authentication.
>
> Just a quick question: what do you need PAM for?  No it's not a
> rhetorical question.  I always wondered what PAM is good for; to find
> out, I completely removed everything PAM related from my system
> ("-pam" in make.conf and then rebuild everything and then
> depclean.)  The system works exactly the same as before.  So I'm left
> wondering what PAM was doing in the first place?

I'm no expert on PAM, but I've seen it used on every linux distribution
that I've tried over the years.  In the case I just described, I used it
so I can identify myself with my ssh key, which is much more secure than
a password.  So, in general, pam is used to set security policy for how
users can log in, change their passwords, etc.  I'm not sure how I would
have added ssh key authentication without pam.  It's a good question.

* Re: [gentoo-user] Re: A quick test of su [SOLVED]
From: Stroller @ 2010-01-21 11:10 UTC
To: gentoo-user

On 20 Jan 2010, at 21:39, walt wrote:
> ... In the case I just described, I used it so I can identify myself
> with my ssh key, which is much more secure than a password. ...  I'm
> not sure how I would have added ssh key authentication without pam.

I'm pretty sure it's possible, although I haven't checked how it's
working here.

Stroller.

* [gentoo-user] Re: A quick test of su [SOLVED]
From: Nikos Chantziaras @ 2010-01-21 14:06 UTC
To: gentoo-user

On 01/20/2010 11:39 PM, walt wrote:
> On 01/19/2010 10:26 AM, Nikos Chantziaras wrote:
>> On 01/19/2010 07:55 PM, walt wrote:
>>> On 01/18/2010 04:41 PM, walt wrote:
>>>
>>>> Here is what I see on both machines:
>>>>
>>>> $su
>>>> Password: <===== I type Ctrl-d here
>>>> Segmentation fault
>>>>
>>>> I've traced this problem to the pam_ssh package, which is supposed
>>>> to return a charstring containing the typed password, but it instead
>>>> returns a null pointer when I type Ctrl-d.  Calamity ensues.
>>>
>>> The key here is the pam_ssh package, which apparently the rest of you
>>> don't use for authentication.
>>
>> Just a quick question: what do you need PAM for?  No it's not a
>> rhetorical question.  I always wondered what PAM is good for; to find
>> out, I completely removed everything PAM related from my system
>> ("-pam" in make.conf and then rebuild everything and then
>> depclean.)  The system works exactly the same as before.  So I'm left
>> wondering what PAM was doing in the first place?
>
> I'm no expert on PAM, but I've seen it used on every linux distribution
> that I've tried over the years.  In the case I just described, I used it
> so I can identify myself with my ssh key, which is much more secure than
> a password.  So, in general, pam is used to set security policy for how
> users can log in, change their passwords, etc.  I'm not sure how I would
> have added ssh key authentication without pam.  It's a good question.

Well, all of this is still working here without PAM, including keys
(I've set that option in the config file of the ssh daemon, not PAM.)

* Re: [gentoo-user] Re: A quick test of su [SOLVED]
From: Neil Bothwick @ 2010-01-21 16:09 UTC
To: gentoo-user

On Thu, 21 Jan 2010 16:06:34 +0200, Nikos Chantziaras wrote:

> > I'm no expert on PAM, but I've seen it used on every linux
> > distribution that I've tried over the years.  In the case I just
> > described, I used it so I can identify myself with my ssh key, which
> > is much more secure than a password.  So, in general, pam is used to
> > set security policy for how users can log in, change their passwords,
> > etc.  I'm not sure how I would have added ssh key authentication
> > without pam.  It's a good question.
>
> Well, all of this is still working here without PAM, including keys
> (I've set that option in the config file of the ssh daemon, not PAM.)

I read this that walt is using SSH keys (on a USB stick?) for local
login, which would be best done with PAM.  SSH login with keys is handled
by SSH itself.

Can you confirm walt?

--
Neil Bothwick

Therapy is expensive, popping bubble wrap is cheap! You choose.

* [gentoo-user] Re: A quick test of su [SOLVED]
From: Nikos Chantziaras @ 2010-01-21 17:12 UTC
To: gentoo-user

On 01/21/2010 06:09 PM, Neil Bothwick wrote:
> On Thu, 21 Jan 2010 16:06:34 +0200, Nikos Chantziaras wrote:
>
>>> I'm no expert on PAM, but I've seen it used on every linux
>>> distribution that I've tried over the years.  In the case I just
>>> described, I used it so I can identify myself with my ssh key, which
>>> is much more secure than a password.  So, in general, pam is used to
>>> set security policy for how users can log in, change their passwords,
>>> etc.  I'm not sure how I would have added ssh key authentication
>>> without pam.  It's a good question.
>>
>> Well, all of this is still working here without PAM, including keys
>> (I've set that option in the config file of the ssh daemon, not PAM.)
>
> I read this that walt is using SSH keys (on a USB stick?) for local
> login, which would be best done with PAM.  SSH login with keys is handled
> by SSH itself.

Oh, don't know if it's possible on local login.  Anyway, I was just
curious.  PAM and ConsoleKit were two things that got installed by
default (desktop profile) and I couldn't even find a use for them, so I
removed both and didn't see any difference, so I was just wondering what
they were good for in the first place :P

* Re: [gentoo-user] Re: A quick test of su [SOLVED]
From: Neil Bothwick @ 2010-01-21 21:03 UTC
To: gentoo-user

On Thu, 21 Jan 2010 19:12:50 +0200, Nikos Chantziaras wrote:

> Oh, don't know if it's possible on local login.  Anyway, I was just
> curious.  PAM and ConsoleKit were two things that got installed by
> default (desktop profile) and I couldn't even find a use for them, so I
> removed both and didn't see any difference, so I was just wondering
> what they were good for in the first place :P

I run with USE=-pam but I know it can be used for things like keyfile
based logins.

--
Neil Bothwick

My Go this amn keyboar oesn't have any 's.

* [gentoo-user] Re: A quick test of su [SOLVED]
From: walt @ 2010-01-22 15:22 UTC
To: gentoo-user

On 01/21/2010 08:09 AM, Neil Bothwick wrote:
> On Thu, 21 Jan 2010 16:06:34 +0200, Nikos Chantziaras wrote:
>
>>> I'm no expert on PAM, but I've seen it used on every linux
>>> distribution that I've tried over the years.  In the case I just
>>> described, I used it so I can identify myself with my ssh key, which
>>> is much more secure than a password.  So, in general, pam is used to
>>> set security policy for how users can log in, change their passwords,
>>> etc.  I'm not sure how I would have added ssh key authentication
>>> without pam.  It's a good question.
>>
>> Well, all of this is still working here without PAM, including keys
>> (I've set that option in the config file of the ssh daemon, not PAM.)
>
> I read this that walt is using SSH keys (on a USB stick?) for local
> login, which would be best done with PAM.  SSH login with keys is handled
> by SSH itself.
>
> Can you confirm walt?

I'm using it to ssh between the machines on my local network, where I have
the same ssh key on each machine.  I don't have any need to login elsewhere
by carrying the key on a USB stick -- I wish the machines at work would let
me do that, but they don't.

* Re: [gentoo-user] Re: A quick test of su [SOLVED]
From: Neil Bothwick @ 2010-01-22 21:22 UTC
To: gentoo-user

On Fri, 22 Jan 2010 07:22:50 -0800, walt wrote:

> > I read this that walt is using SSH keys (on a USB stick?) for local
> > login, which would be best done with PAM.  SSH login with keys is
> > handled by SSH itself.
> >
> > Can you confirm walt?
>
> I'm using it to ssh between the machines on my local network, where I
> have the same ssh key on each machine.  I don't have any need to login
> elsewhere by carrying the key on a USB stick -- I wish the machines at
> work would let me do that, but they don't.

In that case you don't need PAM.  SSH handles key-based logins internally.

--
Neil Bothwick

GOTO: (n.) an efficient and general way of controlling a program, much
despised by academics and others whose brains have been ruined by
overexposure to Pascal.

* Re: [gentoo-user] A quick test of su
From: Alan McKinnon @ 2010-01-18 22:21 UTC
To: gentoo-user

On Tuesday 19 January 2010 00:07:21 walt wrote:
> Can I trouble you folks to do this ten-second test and report your
> results?
>
> As an ordinary user, type 'su' at a bash prompt.  Now, where you
> would normally type your root password, just type Ctrl-d instead.
>
> What do you see?  (I'm ruling out evil spirits here, so please bear
> with me ;)
>
> Thanks for your help.
>

$ su
Password:
su: Authentication information cannot be recovered

--
alan dot mckinnon at gmail dot com

* Re: [gentoo-user] A quick test of su
From: Dale @ 2010-01-19 0:18 UTC
To: gentoo-user

walt wrote:
> Can I trouble you folks to do this ten-second test and report your
> results?
>
> As an ordinary user, type 'su' at a bash prompt.  Now, where you
> would normally type your root password, just type Ctrl-d instead.
>
> What do you see?  (I'm ruling out evil spirits here, so please bear
> with me ;)
>
> Thanks for your help.
>

Being my sometimes helpful self.  lol

Password:
su: Authentication information cannot be recovered

That normal I guess?

Dale

:-)  :-)

* Re: [gentoo-user] A quick test of su
From: Neil Bothwick @ 2010-01-19 0:24 UTC
To: gentoo-user

On Mon, 18 Jan 2010 18:18:16 -0600, Dale wrote:

> Being my sometimes helpful self.  lol
>
> Password:
> su: Authentication information cannot be recovered
>
>
> That normal I guess?

Then I'm not! I get

$ su
Password: su: Authentication failure

--
Neil Bothwick

Someone who thinks logically is a nice contrast to the real world.

* Re: [gentoo-user] A quick test of su
From: Dale @ 2010-01-19 10:29 UTC
To: gentoo-user

Neil Bothwick wrote:
> On Mon, 18 Jan 2010 18:18:16 -0600, Dale wrote:
>
>
>> Being my sometimes helpful self.  lol
>>
>> Password:
>> su: Authentication information cannot be recovered
>>
>>
>> That normal I guess?
>>
>
> Then I'm not! I get
>
> $ su
> Password: su: Authentication failure
>
>

I'm not normal so I should have got that message.  lol

Dale

:-)  :-)

* Re: [gentoo-user] A quick test of su
From: pk @ 2010-01-19 18:37 UTC
To: gentoo-user

Neil Bothwick wrote:
> On Mon, 18 Jan 2010 18:18:16 -0600, Dale wrote:
>
>> Being my sometimes helpful self.  lol
>>
>> Password:
>> su: Authentication information cannot be recovered
>>
>>
>> That normal I guess?
>
> Then I'm not! I get
>
> $ su
> Password: su: Authentication failure

Evil spirits? I get the "...cannot be recovered" message...

Best regards

Peter K, abnormal?