I've been trying to compile PAM on a few older SLES 9 and SLES 10 systems, as well as upgrading the libraries on our older RedHat/CentOS 4 systems. Certain PAM modules do not compile, I'm assuming due to missing requirements. These include pam_cracklib, pam_keyinit, pam_namespace, pam_selinux, pam_sepermit, and pam_tty_audit. Looking through the make logs I see entries for "entering directory '/path/to/pam/...'" followed by "Nothing to be done for 'all'".
Looking through the config.log I was able to determine where a few of the requirement checks failed. I installed the latest cracklib source to fix the pam_cracklib requirements. Pam_keyinit was a bit trickier. I saw that configure was testing for definitions of __NR_keyctr and ENOKEY. On a RHEL 5 system I found these were defined in header files installed with the kernel-headers-2.6.18-128.el5 rpm. Looking at the source for pam_keyinit it appears that it only needed the values for these definitions, so I was able to trick the module into compiling by hardcoding the checks for these definitions to always pass, then manually adding "#define __NR_keyctl 250" (for x86_64 systems, 288 for i386 systems) and "#define ENOKEY 126" to the config.h generated by the configure script. Doing this is a bit worrying. Pam_keyinit may work properly after setting these values, but it may also fail causing at best an error when the module is accessed and at worse a security hole.
So the question is what are the requirements to get pam_keyinit, pam_namespace, pam_selinux & pam_sepermit, and pam_tty_audit to compile safely on older systems such as SLES 9 & 10 or RHEL/CentOS 4?
As a second side question my RHEL systems has a PAM module called pam_console that rpm -qf claims was installed as part of the pam library suite. No part of the compile process mentions pam_console. Is this module obsolete, RedHat specific, or part of some other pam bundle?
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list