Please note that this bug causes other problems that also affect the default configuration (pam_unix).
For example, on pam_unix the missing flag (PAM_CHANGE_EXPIRED_AUTHTOK) causes the setting of another pam flag, UNIX__IAMROOT [1], which causes other unexpected behaviours [2].
You can verify this on Wheezy:
1) install lightdm
2) create a new test user (call it "giulio", set password "giulio")
    # adduser giulio
3) login with giulio and try to change the account password
    giulio$ passwd
   try to use the password "t": it fails because it's too short
   try to use the password "turetta": it fails because it's too simple
   the password change succeeds only with an (almost) secret password like "tuREtt4"
4) now expire giulio's password
    # chage -d 0 giulio
5) try to login via lightdm; the current password is "tuREtt4"
6) login succeeds, but you will be asked to enter a new password: enter "t"
7) giulio's password is now "t"! Ouch!!!!
8) now expire the password again and try to change it to "a" via a login with gdm3 (ssh, console, ...): the right policies will be enforced
Note, about pam_unix, that this bug also breaks the "remember" pam_unix policy.
I think that this bug probably impacts most of the pam modules and so it must be considered an important security issue (security policies are not enforced).
I'm performing further checks...
[1] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/support.c:68
    if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
        D(("IAMROOT"));
        set(UNIX__IAMROOT, ctrl);
    }
[2] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/pam_unix_passwd.c:491
    if (off(UNIX__IAMROOT, ctrl)) {
        if (strlen(pass_new) < pass_min_len)
            remark = _("You must choose a longer password");
        D(("length check [%s]", remark));
        if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
            if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
                remark = _("Password has been already used. Choose another.");
            if (retval == PAM_ABORT) {
                pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords", OLD_PASSWORDS_FILE);
                return retval;
            }
        }
    }
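As an added illustration (this is not part of the bug report and not the pam source), the following Python model reproduces the control path quoted in [1] and [2]: a root-privileged caller that omits PAM_CHANGE_EXPIRED_AUTHTOK turns on UNIX__IAMROOT, and with that flag on, pam_unix skips both the length check and the "remember" check. The flag value 0x0020 is the one from the Linux-PAM headers; the default minimum length of 6 and the sample old-password list are assumptions made for the example.

```python
# Model of the pam_unix password-change decision path quoted in [1] and [2].
# Constructed example: it mirrors the quoted logic, it is not the pam code itself.

PAM_CHANGE_EXPIRED_AUTHTOK = 0x0020   # flag value from Linux-PAM _pam_types.h
PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20                  # return codes from Linux-PAM _pam_types.h


def unix_chauthtok(caller_uid, flags, pass_new, pass_min_len=6,
                   remember=False, old_passwords=()):
    """Return (iamroot, retval, remark) for a pam_unix password change.

    caller_uid   : effective uid of the application calling pam_chauthtok()
    flags        : flags the application passed to pam_chauthtok()
    pass_new     : the candidate new password
    pass_min_len : pam_unix 'min' option (6 is assumed as the default here)
    remember     : whether the pam_unix 'remember=N' option is configured
    old_passwords: assumed contents of the old-passwords file
    """
    # [1] support.c: a root caller that does NOT say it is changing an
    # expired token is treated as an administrator resetting someone's
    # password, so UNIX__IAMROOT is set.
    iamroot = caller_uid == 0 and not (flags & PAM_CHANGE_EXPIRED_AUTHTOK)

    remark = None
    # [2] pam_unix_passwd.c: every policy check below is inside
    # "if (off(UNIX__IAMROOT, ctrl))", so IAMROOT skips all of them.
    if not iamroot:
        if len(pass_new) < pass_min_len:
            remark = "You must choose a longer password"
        if remember and pass_new in old_passwords:
            remark = "Password has been already used. Choose another."

    if remark is not None:
        return iamroot, PAM_AUTHTOK_ERR, remark
    return iamroot, PAM_SUCCESS, None


def compare_callers(pass_new="t", old_passwords=("tuREtt4",)):
    """Run the same expired-password change through three kinds of caller.

    The display-manager case models a root daemon that forgot the flag;
    the login case models a root daemon that passes it; the passwd case
    models the user running passwd(1) themselves (non-root uid).
    """
    return {
        "root_without_flag": unix_chauthtok(0, 0, pass_new,
                                            remember=True,
                                            old_passwords=old_passwords),
        "root_with_flag": unix_chauthtok(0, PAM_CHANGE_EXPIRED_AUTHTOK, pass_new,
                                         remember=True,
                                         old_passwords=old_passwords),
        "user_passwd": unix_chauthtok(1000, 0, pass_new,
                                      remember=True,
                                      old_passwords=old_passwords),
    }


if __name__ == "__main__":
    for caller, (iamroot, retval, remark) in compare_callers().items():
        state = "accepted" if retval == PAM_SUCCESS else "rejected"
        print(f"{caller:18s} iamroot={iamroot!s:5s} {state} {remark or ''}")
```

Only the first row accepts the one-character password; that row is the situation the report describes, and the difference between the first two rows is exactly one flag bit in the pam_chauthtok() call.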