DevHeads.net

Invoking "kcheckpass" from the terminal

Greetings,

I'm looking for help with debugging the kcheckpass program that is used for
validating passwords in the KDE screenlocker.

It seems to me that the best method for this would be to invoke "kcheckpass"
directly in the terminal under GDB so that its interaction with my system's
PAM module could be inspected.

The executable is available... "locate kcheckpass" leads me right to it.
However, after trying several invocations, I can't get the tool to behave as
expected (i.e., take a password on stdin and exit with 0/1 on
success/failure).

Is there someone available who can help me understand how to manually invoke
this program for debugging purposes?

Comments

Re: Invoking "kcheckpass" from the terminal

By Thiago Macieira at 08/09/2019 - 19:15

On Thursday, 8 August 2019 12:00:34 PDT Franklin, Jason wrote:
That's because the tool does not take the password on stdin.

$ /usr/lib64/libexec/kcheckpass
Only binary protocol supported

You need to pass a file descriptor number with the -S option.

kcheckpass.c also makes debugging difficult, by setting a bunch of options to
prevent unauthorised attaching to the process. You need to modify the source
to turn those off.

Re: Invoking "kcheckpass" from the terminal

By Franklin, Jason at 08/12/2019 - 09:20

On Fri, Aug 9, 2019 at 8:15 PM Thiago Macieira < ... at kde dot org> wrote:
This is what I discovered when trying it myself. This means that the
commentary in the code for kcheckpass is way out of sync with the actual
behavior of the tool.

I think this should be fixed, and I'd be willing to help.

I'm also curious, why doesn't the following work?

echo -n 'test' | /usr/lib64/libexec/kcheckpass -S 0

I get "Communication breakdown on write". Seems like passing to stdin with
file descriptor 0 should work.

I really appreciate your response and the tip you provided here. I'll do my
best to investigate further.

However, I've noticed that this process is not well-documented at all. The
README file included with kcheckpass isn't very helpful in guiding someone to
debugging the code. Also, installing a Debian dbgsym package doesn't seem to
be sufficient, as you noted here.

I'd be very willing to help with this, but the package maintainers haven't
responded to my query yet. I submitted the bug report below:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934185

I'm still hoping to hear back!
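
Why the `echo -n 'test' | kcheckpass -S 0` attempt fails on write, as an added example that is not part of this thread or of the kscreenlocker code: in a shell pipeline fd 0 is the read-only end of a pipe, so a helper that writes protocol messages to its `-S` descriptor gets an error, while one end of a socketpair works in both directions. `helper_converse` and its `PROMPT` message are hypothetical stand-ins; that kcheckpass writes to the descriptor before reading is an assumption inferred from the error text quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for a helper speaking a two-way protocol on one fd:
 * it WRITES a prompt, then READS the reply. Returns 0 or the failing errno. */
static int helper_converse(int fd, char *reply, size_t cap)
{
    static const char prompt[] = "PROMPT";   /* constructed message */
    if (write(fd, prompt, sizeof prompt) < 0)
        return errno;                        /* write on the passed fd failed */
    ssize_t n = read(fd, reply, cap - 1);
    if (n < 0)
        return errno;
    reply[n] = '\0';
    return 0;
}

/* Case 1: the helper gets the read end of a pipe, as in `echo ... | helper`. */
int try_pipe(void)
{
    int p[2];
    char reply[32];
    if (pipe(p) != 0 || write(p[1], "test", 4) != 4)
        return -1;
    int rc = helper_converse(p[0], reply, sizeof reply);
    close(p[0]); close(p[1]);
    return rc;                               /* EBADF: fd is read-only */
}

/* Case 2: the helper gets one end of a socketpair, which is bidirectional. */
int try_socketpair(char *reply, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || write(sv[0], "test", 4) != 4)
        return -1;                           /* caller queues its answer first */
    int rc = helper_converse(sv[1], reply, cap);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    char r[32] = "";
    printf("pipe: %s\n", strerror(try_pipe()));
    printf("socketpair: rc=%d reply=\"%s\"\n", try_socketpair(r, sizeof r), r);
}
```
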

Re: Invoking "kcheckpass" from the terminal

By Martin =?ISO-88... at 08/12/2019 - 14:42

Am 2019-08-12 16:20, schrieb Franklin, Jason:
I was probably the last one who touched the code and performed cleanups.
Kcheckpass is not meant to be used from a command line - I'm sorry,
that's just not the use case. We only use the binary protocol in
kscreenlocker and removed everything else. The implementation is in:
https://cgit.kde.org/kscreenlocker.git/tree/greeter/authenticator.cpp

It's a pretty much stand alone class, so you can wrap this in an own
class to interact with it.

Cheers
Martin

Re: Invoking "kcheckpass" from the terminal

By Franklin, Jason at 08/12/2019 - 15:18

Martin,

Good to hear from you.

This is all fine. I can understand that most of this was done in the interest
of improving the security profile.

I do see, however, that much of the commentary in the code is out of sync
with the code's behavior. An example is here:

https://cgit.kde.org/kscreenlocker.git/tree/kcheckpass/kcheckpass.c

The header in that file was quite confusing to me after looking at the
code and comparing. The same goes for other files under the
kcheckpass/ directory in the kscreenlocker repository.

I'd like to help with cleaning some of this up, but I'm a new contributor and
would need permission/guidance from someone involved.

Debugging this region in the code has proved to be quite difficult. Installing
the dbgsym package wasn't sufficient, and I've been trying to move forward in
another way for some time now.

When you say "wrap this in an own class", I'm afraid I don't follow. It's
probably too much to ask for an example, but it would be a great help.
Otherwise, I'll keep plugging away!

I see also that test programs were added for kcheckpass at some point. Are these
still functional? If so, how could I compile and run them? See link:

https://cgit.kde.org/kscreenlocker.git/tree/tests/kcheckpass_test.cpp

Ultimately, I'd like to give back by updating the README file for kcheckpass
with debugging instructions. That is, of course, if I end up making progress.

Best,
JF

On Mon, Aug 12, 2019 at 3:42 PM Martin Flöser < ... at kde dot org> wrote: