* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
@ 2012-09-04  3:28 Dmitry
  2012-09-04  3:28 ` [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package Dmitry
  2012-09-04 18:13 ` [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Yann E. MORIN
  0 siblings, 2 replies; 11+ messages in thread
From: Dmitry @ 2012-09-04  3:28 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 package/busybox/Config.in  |   11 +++++++++++
 package/busybox/busybox.mk |   12 ++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index dedcf18..2a9cbf1 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -62,6 +62,17 @@ config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	  Install the watchdog daemon startup script,
 	  that just start at the boot the busybox watchdog daemon.
 
+config BR2_PACKAGE_BUSYBOX_PAM
+	bool "Enable PAM support in Busybox"
+	default n
+	depends on BR2_PACKAGE_LINUX_PAM
+	help
+	  If this item is selected, Busybox login will use the PAM stack
+	  for local logins. Local logins with null password are allowed
+	  for users with records in /etc/passwd ("default" and "root").
+	  The default PAM configuration file requires user accounts with
+	  nonzero length passwords.
+
 if BR2_PACKAGE_BUSYBOX_WATCHDOG
 
 config BR2_PACKAGE_BUSYBOX_WATCHDOG_PERIOD
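Review bot: The help line `Busybox login will use the PAM stack` understates the scope, because the busybox.mk part of this patch switches BusyBox's global CONFIG_PAM option rather than something login-specific. Depending on the BusyBox version, other PAM-aware applets in the same build may then authenticate through PAM under their own service names, for which this series installs no /etc/pam.d file. I would word it as `If this item is selected, PAM-aware Busybox applets (login in particular) authenticate through the PAM stack.` Separately, `default n` is redundant for a bool and can be dropped. The same help text appears in the 2012-08-15 and 2012-08-14 postings of this patch further down the page.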
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 33f8633..21942c6 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -164,6 +164,17 @@ define BUSYBOX_INSTALL_WATCHDOG_SCRIPT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_PAM),y)
+BUSYBOX_DEPENDENCIES += linux-pam
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+else
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_DISABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 # We do this here to avoid busting a modified .config in configure
 BUSYBOX_POST_EXTRACT_HOOKS += BUSYBOX_COPY_CONFIG
 
@@ -179,6 +190,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_DISABLE_MMU_APPLETS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_ENABLE_PAM)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
-- 
1.7.2.5


* [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
  2012-09-04  3:28 [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Dmitry
@ 2012-09-04  3:28 ` Dmitry
  2012-09-04 17:02   ` Yann E. MORIN
  2012-09-04 18:13 ` [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Yann E. MORIN
  1 sibling, 1 reply; 11+ messages in thread
From: Dmitry @ 2012-09-04  3:28 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 package/linux-pam/default      |    8 ++++++++
 package/linux-pam/linux-pam.mk |    7 +++++++
 package/linux-pam/login        |    9 +++++++++
 3 files changed, 24 insertions(+), 0 deletions(-)
 create mode 100644 package/linux-pam/default
 create mode 100644 package/linux-pam/login

diff --git a/package/linux-pam/default b/package/linux-pam/default
new file mode 100644
index 0000000..0bd5ba0
--- /dev/null
+++ b/package/linux-pam/default
@@ -0,0 +1,8 @@
+#
+# default; standard UN*X access
+#
+auth     required       pam_unix.so
+account  required       pam_unix.so
+password required       pam_unix.so
+session  required       pam_unix.so
+
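Review bot: Linux-PAM does not look up a service file named `default`; when a service name has no file in /etc/pam.d the library falls back to the `other` service. Installed as /etc/pam.d/default, this file would only be read by a program that calls pam_start with the literal name "default". If it is meant as the catch-all, the install line in linux-pam.mk should target `$(TARGET_DIR)/etc/pam.d/other`. For a catch-all, a deny-by-default stack is the safer choice, e.g. `auth required pam_deny.so` and likewise for account, password and session, so that an unconfigured service fails closed instead of getting plain pam_unix access.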
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 48cb073..2807bc1 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -24,4 +24,11 @@ ifeq ($(BR2_PACKAGE_LIBINTL),y)
 	LINUX_PAM_MAKE_OPT += LIBS=-lintl
 endif
 
+define LINUX_PAM_CONFFILES
+	$(INSTALL) -D -m 0644 package/linux-pam/default $(TARGET_DIR)/etc/pam.d/default
+	$(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFFILES
+
 $(eval $(autotools-package))
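Review bot: Both `$(INSTALL)` lines in LINUX_PAM_CONFFILES overwrite whatever already exists under /etc/pam.d in the target, so a stricter `login` file supplied by a custom skeleton would be silently replaced by the nullok one whenever linux-pam is installed (this assumes the skeleton is copied before the package's post-install hooks run). Guarding each line keeps the shipped files as fallbacks only: `[ -f $(TARGET_DIR)/etc/pam.d/login ] || $(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login`. A short comment above the define, such as `# Permissive placeholder PAM configs; real projects are expected to provide their own`, would record the intent.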
diff --git a/package/linux-pam/login b/package/linux-pam/login
new file mode 100644
index 0000000..d65a9d4
--- /dev/null
+++ b/package/linux-pam/login
@@ -0,0 +1,9 @@
+#
+# login: allow local logins to users with entries in /etc/passwd and
+# /etc/shadow even with null password
+#
+auth      required       pam_unix.so nullok
+account   required       pam_unix.so nullok
+password  required       pam_unix.so nullok
+session   required       pam_unix.so nullok
+
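Review bot: The stack has no `pam_securetty.so` entry, so with this file root logins are not limited to the terminals listed in /etc/securetty. As far as I can tell BusyBox login leaves that check to PAM once CONFIG_PAM is enabled, which would make this weaker than the non-PAM behaviour the file is meant to reproduce; this should be confirmed against the BusyBox version being built. Adding `auth required pam_securetty.so` ahead of the pam_unix auth line would restore the restriction, which matters most here because the same stack accepts empty passwords.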
-- 
1.7.2.5


* [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
  2012-09-04  3:28 ` [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package Dmitry
@ 2012-09-04 17:02   ` Yann E. MORIN
  2012-09-04 17:33     ` Dmitry Golubovsky
  0 siblings, 1 reply; 11+ messages in thread
From: Yann E. MORIN @ 2012-09-04 17:02 UTC (permalink / raw)
  To: buildroot

Dmitry, All,

On Tuesday 04 September 2012 05:28:42 Dmitry wrote:
> Signed-off-by: Dmitry <golubovsky@gmail.com>
> ---
>  package/linux-pam/default      |    8 ++++++++
>  package/linux-pam/linux-pam.mk |    7 +++++++
>  package/linux-pam/login        |    9 +++++++++

I think that this patch, which adds the default files, should come
_before_ the busybox patch. If only the busybox patch were to be
applied, then PAM would not be useable as it would lack those files.

In the current order, it would also break 'bisectability'.

>  3 files changed, 24 insertions(+), 0 deletions(-)
>  create mode 100644 package/linux-pam/default
>  create mode 100644 package/linux-pam/login
> 
> diff --git a/package/linux-pam/default b/package/linux-pam/default
> new file mode 100644
> index 0000000..0bd5ba0
> --- /dev/null
> +++ b/package/linux-pam/default
> @@ -0,0 +1,8 @@
> +#
> +# default; standard UN*X access
> +#
> +auth     required       pam_unix.so
> +account  required       pam_unix.so
> +password required       pam_unix.so
> +session  required       pam_unix.so
> +

I am not a PAM expert, so I can't say whether these settings are correct,
enough, or whatever. I'd trust close to anybody on this subject. ;-)

> diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
> index 48cb073..2807bc1 100644
> --- a/package/linux-pam/linux-pam.mk
> +++ b/package/linux-pam/linux-pam.mk
> @@ -24,4 +24,11 @@ ifeq ($(BR2_PACKAGE_LIBINTL),y)
>  	LINUX_PAM_MAKE_OPT += LIBS=-lintl
>  endif
>  
> +define LINUX_PAM_CONFFILES
> +	$(INSTALL) -D -m 0644 package/linux-pam/default $(TARGET_DIR)/etc/pam.d/default
> +	$(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login

I'd use:
    $(INSTALL) -D -m 0644 $(@D)/default $(TARGET_DIR)/etc/pam.d/default

Also, shouldn't these files get special permission (ie. redable only by
root, or stuff like that)? If so, then use:
  LINUX_PAM_PERMISSIONS = .....

> +endef
> +
> +LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFFILES
> +
>  $(eval $(autotools-package))
> diff --git a/package/linux-pam/login b/package/linux-pam/login
> new file mode 100644
> index 0000000..d65a9d4
> --- /dev/null
> +++ b/package/linux-pam/login
> @@ -0,0 +1,9 @@
> +#
> +# login: allow local logins to users with entries in /etc/passwd and
> +# /etc/shadow even with null password
> +#
> +auth      required       pam_unix.so nullok
> +account   required       pam_unix.so nullok
> +password  required       pam_unix.so nullok
> +session   required       pam_unix.so nullok

Ditto, I'm not a PAM expert...

Although I doubt I'd like a system where null passwords are OK... :-/
At the risk of adding to the option maze, I'd suggest at least adding
a config knob to enable that. For example:

  config BR2_PACKAGE_LINUX_PAM_NULL_PASSWD_OK
      bool "Allow null passwords"
      help
        Allow local logins to users with entries in /etc/passwd
        and /etc/shadow even with null password.

And only add the "nullok" if that option is set.

If that's not OK to add such an option, then I'd say we should remove the
"nullok" stuff, and leave it to a local post-build script that tweaks this
file if the user really wants to allow local null-password logins.

IMNSHO, the defaut should be a secure system.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
  2012-09-04 17:02   ` Yann E. MORIN
@ 2012-09-04 17:33     ` Dmitry Golubovsky
  2012-09-04 17:52       ` Yann E. MORIN
  0 siblings, 1 reply; 11+ messages in thread
From: Dmitry Golubovsky @ 2012-09-04 17:33 UTC (permalink / raw)
  To: buildroot

Yann,

Thanks for your comments. Replies below.

On Tue, Sep 4, 2012 at 1:02 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:

>> ---
>>  package/linux-pam/default      |    8 ++++++++
>>  package/linux-pam/linux-pam.mk |    7 +++++++
>>  package/linux-pam/login        |    9 +++++++++
>
> I think that this patch, which adds the default files, should come
> _before_ the busybox patch. If only the busybox patch were to be
> applied, then PAM would not be useable as it would lack those files.
>
> In the current order, iIt would also break 'bisectability'.

This patch was a "reasonable compromise" to have a somewhat working
system emulating PAM-less behavior when PAM is enabled in login and no
proper PAM configs are provided.
I think that in a real project, a post-build filesystem fix should
replace these files with something more sensible (like mine does).
Regarding ordering, I'll try to switch the order.

>> +#
>> +# default; standard UN*X access
>> +#
>> +auth     required       pam_unix.so
>> +account  required       pam_unix.so
>> +password required       pam_unix.so
>> +session  required       pam_unix.so
>> +
>
> I am not a PAM expert, so I can't say whether these settings are correct,
> enough, or whatever. I'd trust close to anybody on this subject. ;-)

This is an example from PAM documentation: in all entries standard
Unix files (passwd/shadow) are checked, and null passwords are not
allowed.

>> +define LINUX_PAM_CONFFILES
>> +     $(INSTALL) -D -m 0644 package/linux-pam/default $(TARGET_DIR)/etc/pam.d/default
>> +     $(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login
>
> I'd use:
>     $(INSTALL) -D -m 0644 $(@D)/default $(TARGET_DIR)/etc/pam.d/default

But $(@D) is the build directory, while the files are part of
Buildroot package rather than PAM itself. $(@D) is to my understanding
output/build/linux-pam-x.y.z

>
> Also, shouldn't these files get special permission (ie. redable only by
> root, or stuff like that)? If so, then use:
>   LINUX_PAM_PERMISSIONS = .....

Not sure if that's needed: they do not have anything secret, just
nobody other than root can change them.

>> +# login: allow local logins to users with entries in /etc/passwd and
>> +# /etc/shadow even with null password
>> +#
>> +auth      required       pam_unix.so nullok
>> +account   required       pam_unix.so nullok
>> +password  required       pam_unix.so nullok
>> +session   required       pam_unix.so nullok
>
> Ditto, I'm not a PAM expert...

Neither am I... Just porting.

>
> Although I doubt I'd like a system where null passwords are OK... :-/

PAM-less mode allows this: the above config applies to local logins
only via busybox login.

> At the risk of adding to the option maze, I'd suggest at least adding
> a config knob to enable that. For example:
>
>   config BR2_PACKAGE_LINUX_PAM_NULL_PASSWD_OK
>       bool "Allow null passwords"
>       help
>         Allow local logins to users with entries in /etc/passwd
>         and /etc/shadow even with null password.
>
> And only add the "nullok" if that option is set.

I'm afraid this is too much. And it should be provided for the
PAM-less config as well.

One who wants to use PAM will likely design a proper authentication
scheme and provide their own better PAM configs.

>
> If that's not OK to add such an option, then I'd say we should remove the
> "nullok" stuff, and leave it to a local post-build script that tweaks this
> file if the user really wants to allow local null-password logins.
>
> IMNSHO, the defaut should be a secure system.

But it is not by default: root can login w/o password

http://git.buildroot.net/buildroot/tree/fs/skeleton/etc/shadow

this is /etc/shadow from buildroot git which is installed by default:
am I correct?

Thanks.

-- 
Dmitry Golubovsky

Anywhere on the Web


* [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
  2012-09-04 17:33     ` Dmitry Golubovsky
@ 2012-09-04 17:52       ` Yann E. MORIN
  2012-09-04 18:03         ` Dmitry Golubovsky
  0 siblings, 1 reply; 11+ messages in thread
From: Yann E. MORIN @ 2012-09-04 17:52 UTC (permalink / raw)
  To: buildroot

Dmitry, All,

On Tuesday 04 September 2012 19:33:08 Dmitry Golubovsky wrote:
> On Tue, Sep 4, 2012 at 1:02 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> > I think that this patch, which adds the default files, should come
> > _before_ the busybox patch. If only the busybox patch were to be
> > applied, then PAM would not be useable as it would lack those files.
> >
> > In the current order, iIt would also break 'bisectability'.
> 
> This patch was a "reasonable compromise" to have a somewhat working
> system emulating PAM-less behavior when PAM is enabled in login and no
> proper PAM configs are provided.
> I think that in a real project, a post-build filesystem fix should
> replace these files with something more sensible (like mine does).

Ah, OK I get it. With these two files, even if no PAM configuration is
provided by other means, it would behave as if PAM was not enabled. Right?

> Regarding ordering, I'll try to switch the order.

Yes, because without this patch, if linux-pam is enabled, and PAM is
enabled in busybox (which is possible with the previous patch), what
would be the behaviour?

I guess that, without its config files, PAM would not allow anything,
right?

If so, then the default files should come _before_ they are required.

> >> +#
> >> +# default; standard UN*X access
> >> +#
> >> +auth     required       pam_unix.so
> >> +account  required       pam_unix.so
> >> +password required       pam_unix.so
> >> +session  required       pam_unix.so
> >> +
> >
> > I am not a PAM expert, so I can't say whether these settings are correct,
> > enough, or whatever. I'd trust close to anybody on this subject. ;-)
> 
> This is an example from PAM documentation:

OK, good! :-)

> >> +define LINUX_PAM_CONFFILES
> >> +     $(INSTALL) -D -m 0644 package/linux-pam/default $(TARGET_DIR)/etc/pam.d/default
> >> +     $(INSTALL) -D -m 0644 package/linux-pam/login $(TARGET_DIR)/etc/pam.d/login
> >
> > I'd use:
> >     $(INSTALL) -D -m 0644 $(@D)/default $(TARGET_DIR)/etc/pam.d/default
> 
> But $(@D) is the build directory, while the files are part of
> Buildroot package rather than PAM itself. $(@D) is to my understanding
> output/build/linux-pam-x.y.z

Gah, my bad...
This morning's cafeine dose is no longer having any effect... :-(

> > Also, shouldn't these files get special permission (ie. redable only by
> > root, or stuff like that)? If so, then use:
> >   LINUX_PAM_PERMISSIONS = .....
> 
> Not sure if that's needed: they do not have anything secret, just
> nobody other than root can change them.

OK, I just checked on my distro, and indeed they're world-readable.
/etc/shadow is not, however, and that was what I probably was thinking
about (damn lack of caffeine is kicking in again...)

> > At the risk of adding to the option maze, I'd suggest at least adding
> > a config knob to enable that. For example:
[--SNIP--]
> I'm afraid this is too much. And it should be provided for the
> PAM-less config as well.

Yep.

> One who wants to use PAM will likely design a proper authentication
> scheme and provide their own better PAM configs.

Granted.

> > IMNSHO, the defaut should be a secure system.
> But it is not by default: root can login w/o password

Yep again, indeed.

If you resubmit with the ordering reversed, you can add my:
    Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
for this patch (I'll review the other later).

Thanks for bearing with me. ;-)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package
  2012-09-04 17:52       ` Yann E. MORIN
@ 2012-09-04 18:03         ` Dmitry Golubovsky
  0 siblings, 0 replies; 11+ messages in thread
From: Dmitry Golubovsky @ 2012-09-04 18:03 UTC (permalink / raw)
  To: buildroot

Yann,

On Tue, Sep 4, 2012 at 1:52 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:

>> This patch was a "reasonable compromise" to have a somewhat working
>> system emulating PAM-less behavior when PAM is enabled in login and no
>> proper PAM configs are provided.
>> I think that in a real project, a post-build filesystem fix should
>> replace these files with something more sensible (like mine does).
>
> Ah, OK I get it. With these two files, even if no PAM configuration is
> provided by other means, it would behave as if PAM was not enabled. Right?

Correct: local logins via busybox login (or whatever calls pam_start
with "login" as program name) will be possible for "default" and
"root" (but not any other config) even if /etc/shadow has null
passwords. At least in my tests it worked so.

> I guess that, without its config files, PAM would not allow anything,
> right?

Correct.

>
> If so, then the default files should come _before_ they are required.
>

Yes, this is reasonable.

>
> Thanks for bearing with me. ;-)
>

That's fine: thanks for your comments.

I'll see if there are any more comments on these patches and will try
to reorder and resubmit them later tonight.

-- 
Dmitry Golubovsky

Anywhere on the Web


* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
  2012-09-04  3:28 [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Dmitry
  2012-09-04  3:28 ` [Buildroot] [PATCH 2/2] Provide PAM default configuration files when building linux-pam package Dmitry
@ 2012-09-04 18:13 ` Yann E. MORIN
  2012-09-04 18:23   ` Dmitry Golubovsky
  2012-09-05  3:19   ` Dmitry Golubovsky
  1 sibling, 2 replies; 11+ messages in thread
From: Yann E. MORIN @ 2012-09-04 18:13 UTC (permalink / raw)
  To: buildroot

Dmitry, All,

On Tuesday 04 September 2012 05:28:41 Dmitry wrote:
> Signed-off-by: Dmitry <golubovsky@gmail.com>
> ---
>  package/busybox/Config.in  |   11 +++++++++++
>  package/busybox/busybox.mk |   12 ++++++++++++
>  2 files changed, 23 insertions(+), 0 deletions(-)
> 
> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
> index dedcf18..2a9cbf1 100644
> --- a/package/busybox/Config.in
> +++ b/package/busybox/Config.in
> @@ -62,6 +62,17 @@ config BR2_PACKAGE_BUSYBOX_WATCHDOG
>  	  Install the watchdog daemon startup script,
>  	  that just start at the boot the busybox watchdog daemon.
>  
> +config BR2_PACKAGE_BUSYBOX_PAM
> +	bool "Enable PAM support in Busybox"
> +	default n
> +	depends on BR2_PACKAGE_LINUX_PAM
> +	help
> +	  If this item is selected, Busybox login will use the PAM stack
> +	  for local logins.

>         Local logins with null password are allowed
> +	  for users with records in /etc/passwd ("default" and "root").

> +	  The default PAM configuration file requires user accounts with
> +	  nonzero length passwords.

These two sentences tend to contradict each other. What about:

    The default PAM configuration in buildroot allows local users
    (those with records in /etc/passwd and /etc/shadow) with null
    passwords to log in.

Then the second sentence can go away, because the PAM config files patch
will come before that patch. ;-]

If you can come up with another formulation that is not contradictory, that
is fine by me, too. ;-)

>  if BR2_PACKAGE_BUSYBOX_WATCHDOG
>  
>  config BR2_PACKAGE_BUSYBOX_WATCHDOG_PERIOD
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index 33f8633..21942c6 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -164,6 +164,17 @@ define BUSYBOX_INSTALL_WATCHDOG_SCRIPT
>  endef
>  endif
>  
> +ifeq ($(BR2_PACKAGE_BUSYBOX_PAM),y)
> +BUSYBOX_DEPENDENCIES += linux-pam
> +define BUSYBOX_ENABLE_PAM

To be more in line with other options, I'd suggest this be BUSYBOX_SET_PAM
(we already have a bunch of BUSYBOX_SET_XXX, although there are variations).
But I have no strong objection to keeping ENABLE.

Otherwise, LGTM. When you resubmit (with at least the help clarification):
    Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
  2012-09-04 18:13 ` [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Yann E. MORIN
@ 2012-09-04 18:23   ` Dmitry Golubovsky
  2012-09-05  3:19   ` Dmitry Golubovsky
  1 sibling, 0 replies; 11+ messages in thread
From: Dmitry Golubovsky @ 2012-09-04 18:23 UTC (permalink / raw)
  To: buildroot

Yann,

On Tue, Sep 4, 2012 at 2:13 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:

>>         Local logins with null password are allowed
>> +       for users with records in /etc/passwd ("default" and "root").
>
>> +       The default PAM configuration file requires user accounts with
>> +       nonzero length passwords.
>
> These two sentences tend to contradict each other. What about:

No, they do not contradict each other because they are about two
different files (which may be not so clear as it is written - but I
tried to keep the text short).

The first sentence is about /etc/pam.d/login.

The second is about /etc/pam.d/default (which means any program that
calls pam_start with arbitrary program name and no match in PAM
configs uses /etc/pam.d/default).

>
> To be more in line with other options, I'd suggest this be BUSYBOX_SET_PAM
> (we already have a bunch of BUSYBOX_SET_XXX, although there are variations).
> But I have no strong objection to keeping ENABLE.

I see a whole variety of names:

define BUSYBOX_CONFIGURE_CMDS
	$(BUSYBOX_SET_LARGEFILE)
	$(BUSYBOX_SET_IPV6)
	$(BUSYBOX_SET_RPC)
	$(BUSYBOX_PREFER_STATIC)
	$(BUSYBOX_SET_MDEV)
	$(BUSYBOX_NETKITBASE)
	$(BUSYBOX_NETKITTELNET)
	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
	$(BUSYBOX_DISABLE_MMU_APPLETS)
	$(BUSYBOX_SET_INIT)
	$(BUSYBOX_SET_WATCHDOG)

and there is "DISABLE" ;)

I'd keep "ENABLE".

Thanks.

-- 
Dmitry Golubovsky

Anywhere on the Web


* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
  2012-09-04 18:13 ` [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built Yann E. MORIN
  2012-09-04 18:23   ` Dmitry Golubovsky
@ 2012-09-05  3:19   ` Dmitry Golubovsky
  1 sibling, 0 replies; 11+ messages in thread
From: Dmitry Golubovsky @ 2012-09-05  3:19 UTC (permalink / raw)
  To: buildroot

Yann,

On Tue, Sep 4, 2012 at 2:13 PM, Yann E. MORIN <yann.morin.1998@free.fr> wrote:

> Otherwise, LGTM. When you resubmit (with at least the help clarification):
>     Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

OK, the patches have been reordered, the help message has been
expanded to mention both files and where they come from, and that
users are advised to supply their own PAM config.

Thanks.

-- 
Dmitry Golubovsky

Anywhere on the Web


* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
@ 2012-08-15  3:33 Dmitry
  0 siblings, 0 replies; 11+ messages in thread
From: Dmitry @ 2012-08-15  3:33 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 package/busybox/Config.in  |   11 +++++++++++
 package/busybox/busybox.mk |   12 ++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index dedcf18..2a9cbf1 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -62,6 +62,17 @@ config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	  Install the watchdog daemon startup script,
 	  that just start at the boot the busybox watchdog daemon.
 
+config BR2_PACKAGE_BUSYBOX_PAM
+	bool "Enable PAM support in Busybox"
+	default n
+	depends on BR2_PACKAGE_LINUX_PAM
+	help
+	  If this item is selected, Busybox login will use the PAM stack
+	  for local logins. Local logins with null password are allowed
+	  for users with records in /etc/passwd ("default" and "root").
+	  The default PAM configuration file requires user accounts with
+	  nonzero length passwords.
+
 if BR2_PACKAGE_BUSYBOX_WATCHDOG
 
 config BR2_PACKAGE_BUSYBOX_WATCHDOG_PERIOD
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 17ee50a..c97ce77 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -161,6 +161,17 @@ define BUSYBOX_INSTALL_WATCHDOG_SCRIPT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_PAM),y)
+BUSYBOX_DEPENDENCIES += linux-pam
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+else
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_DISABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 # We do this here to avoid busting a modified .config in configure
 BUSYBOX_POST_EXTRACT_HOOKS += BUSYBOX_COPY_CONFIG
 
@@ -176,6 +187,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_DISABLE_MMU_APPLETS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_ENABLE_PAM)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
-- 
1.7.2.5


* [Buildroot] [PATCH 1/2] PAM support in Busybox if linux-pam is built
@ 2012-08-14  2:24 Dmitry
  0 siblings, 0 replies; 11+ messages in thread
From: Dmitry @ 2012-08-14  2:24 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Dmitry <golubovsky@gmail.com>
---
 package/busybox/Config.in  |   11 +++++++++++
 package/busybox/busybox.mk |   12 ++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index dedcf18..2a9cbf1 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -62,6 +62,17 @@ config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	  Install the watchdog daemon startup script,
 	  that just start at the boot the busybox watchdog daemon.
 
+config BR2_PACKAGE_BUSYBOX_PAM
+	bool "Enable PAM support in Busybox"
+	default n
+	depends on BR2_PACKAGE_LINUX_PAM
+	help
+	  If this item is selected, Busybox login will use the PAM stack
+	  for local logins. Local logins with null password are allowed
+	  for users with records in /etc/passwd ("default" and "root").
+	  The default PAM configuration file requires user accounts with
+	  nonzero length passwords.
+
 if BR2_PACKAGE_BUSYBOX_WATCHDOG
 
 config BR2_PACKAGE_BUSYBOX_WATCHDOG_PERIOD
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 17ee50a..c97ce77 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -161,6 +161,17 @@ define BUSYBOX_INSTALL_WATCHDOG_SCRIPT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_PAM),y)
+BUSYBOX_DEPENDENCIES += linux-pam
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+else
+define BUSYBOX_ENABLE_PAM
+	$(call KCONFIG_DISABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 # We do this here to avoid busting a modified .config in configure
 BUSYBOX_POST_EXTRACT_HOOKS += BUSYBOX_COPY_CONFIG
 
@@ -176,6 +187,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_DISABLE_MMU_APPLETS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_ENABLE_PAM)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
-- 
1.7.2.5

