set_tcb
Section: set_tcb wrapper (8)
NAME
set_tcb - Wrapper script to convert between shadow and tcb passwords
OVERVIEW
The tcb package is an alternative to the traditional shadow password scheme,
developed by the Openwall Project. It provides the tools tcb_convert(8)
and tcb_unconvert(8), which convert the actual password files between the
/etc/shadow format and the /etc/tcb format. These tools do not
change other required files, such as PAM files, login.defs, or nsswitch.conf(5).
set_tcb(8) makes those changes in addition to calling the required tcb conversion
tool.
COMMANDS
set_tcb comes with some very basic options:
- --tcb
Converts from shadow passwords to tcb passwords, by modifying /etc/login.defs,
/etc/nsswitch.conf, and /etc/pam.d/system-auth.
- --shadow
Converts from tcb passwords to shadow passwords, by modifying /etc/login.defs,
/etc/nsswitch.conf, and /etc/pam.d/system-auth.
- --hash
Configures the system to use the specified password hash. Available choices are 'md5',
/etc/login.defs and /etc/pam.d/system-auth. set_tcb does not support using
DES crypt passwords.
- --migrate
Configures the system to use pam_tcb instead of pam_unix. Although pam_tcb operates well
enough when called as pam_unix, a number of features are not supported until they are
specified in /etc/pam.d/system-auth, such as selection of password hash. This option
will replace calls to pam_unix with calls to pam_tcb and add the supported options. It
will also enable blowfish passwords by default. Finally, it will add TCB/CRYPT-related keywords
to /etc/login.defs if required and comment out the PASS_MIN_LEN option which TCB does
not use/understand.
- --revert
In the unlikely event you wish to revert from using pam_tcb to the original pam_unix, you can
do so with this switch. It will replace all calls to pam_tcb with calls to pam_unix using the
original options. As a result, you will be unable to use alternate password hashes such as
blowfish because pam_unix does not understand them, although it will authenticate against
alternate password hashes. New passwords will be in the traditional md5 format. It will also
uncomment the PASS_MIN_LEN option and comment out the USE_TCB option.
- --nis
Configures /etc/pam.d/system-auth to support authentication against NIS. Because NIS
passwords are not shadow passwords (functionally equivalent to using /etc/passwd rather
than /etc/shadow to store passwords), pam_tcb must be told to also look at passwd as a
source of passwords instead of just shadow (or tcb). If you are using NIS+ you may also have
to manually modify system-auth and add the "nisplus" option (see pam_tcb(8) for
more details).
When set_tcb converts a password type, it will automatically remove the old password
format. For instance, when converting to tcb, it will remove /etc/shadow upon
successful completion.
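The --migrate, --revert and conversion descriptions above imply a few invariants across /etc/pam.d/system-auth, /etc/login.defs and /etc/shadow. The script below is an added example, not part of set_tcb or the tcb suite, that checks them read-only against a constructed sample tree; the function names, the sample file contents and the `USE_TCB yes` line form are assumptions.

```shell
#!/bin/sh
# Added example, not part of set_tcb: read-only audit of the files set_tcb edits.

# active REGEX FILE: succeeds if FILE has a non-comment line matching REGEX.
active() { grep -v '^[[:space:]]*#' "$2" 2>/dev/null | grep -Eq "$1"; }

# audit_tcb [ROOT]: print findings for ROOT/etc; return 0 if consistent, 1 if not.
audit_tcb() {
    root=${1:-}; pam="$root/etc/pam.d/system-auth"; defs="$root/etc/login.defs"
    bad=0; unix=no; tcb=no; use_tcb=no
    if active 'pam_unix\.so' "$pam"; then unix=yes; fi
    if active 'pam_tcb\.so' "$pam"; then tcb=yes; fi
    # Assumption: tcb storage is switched on by an active "USE_TCB yes" line.
    if active '^[[:space:]]*USE_TCB[[:space:]]+yes' "$defs"; then use_tcb=yes; fi

    if [ "$unix" = yes ] && [ "$tcb" = yes ]; then
        echo "system-auth calls both pam_unix and pam_tcb"; bad=1
    fi
    if [ "$tcb" = yes ] && active '^[[:space:]]*PASS_MIN_LEN' "$defs"; then
        echo "PASS_MIN_LEN still active; --migrate comments it out"; bad=1
    fi
    if [ "$tcb" = no ] && [ "$use_tcb" = yes ]; then
        echo "USE_TCB active without pam_tcb; --revert comments it out"; bad=1
    fi
    if [ "$use_tcb" = yes ] && [ -e "$root/etc/shadow" ]; then
        echo "USE_TCB active but /etc/shadow still present"; bad=1
    fi
    return "$bad"
}

# make_sample DIR STATE: build a constructed /etc tree (sample data, not real files).
make_sample() {
    mkdir -p "$1/etc/pam.d"
    if [ "$2" = migrated ]; then
        printf 'auth required pam_tcb.so\n' > "$1/etc/pam.d/system-auth"
        printf '#PASS_MIN_LEN 5\nUSE_TCB yes\n' > "$1/etc/login.defs"
    else  # half-migrated: leftover pam_unix line, PASS_MIN_LEN live, stale shadow
        printf 'auth required pam_tcb.so\npassword required pam_unix.so\n' \
            > "$1/etc/pam.d/system-auth"
        printf 'PASS_MIN_LEN 5\nUSE_TCB yes\n' > "$1/etc/login.defs"
        : > "$1/etc/shadow"
    fi
}

demo=$(mktemp -d)
make_sample "$demo" half
audit_tcb "$demo" || echo "audit: inconsistent configuration"
rm -rf "$demo"
```

Called with no argument, audit_tcb reads the live /etc; pass a directory to audit a copy instead.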
EXIT STATUS
set_tcb exits with exit status 1 on any failures. No files are replaced on failure. set_tcb
exits with exit status 0 on successful conversion.
SEE ALSO
pam_tcb(8), tcb_convert(8), tcb_unconvert(8), nsswitch.conf(5), crypt(3)
AUTHORS
The set_tcb script was written by Vincent Danen <vdanen@annvix.org> for Annvix (http://annvix.org/).
The tcb suite is developed by the Openwall Project (http://www.openwall.com/tcb/).