Comment 2 for bug 1270118

Giulio Turetta (giulio-9) wrote :

Please note that this bug causes other problems that also affect the default configuration (pam_unix).
For example, on pam_unix the missing flag (PAM_CHANGE_EXPIRED_AUTHTOK) causes another pam flag, UNIX__IAMROOT [1], to be set, which causes other unexpected behaviours [2].

You can verify this on Wheezy:
1) install lightdm
2) create a new test user (call it "giulio", set password "giulio")
# adduser giulio
3) login with giulio and try to change the account password
giulio$ passwd
try to use the password "t": it fails because it's too short
try to use the password "turetta": it fails because it's too simple
password change succeeds only with an (almost) secret password like "tuREtt4"
4) now expire giulio's password
# chage -d 0 giulio
5) try to login by lightdm, current password is "tuREtt4"
6) login succeeds but you will be asked to insert a new password, insert "t"
7) giulio's password is now "t"! Ouch!!!!
8) now, expire the password again and try to change it to "a" by a login with gdm3 (ssh, console, ...): the right policies will be enforced

Note, about pam_unix, that this bug also breaks the "remember" pam_unix policy.

I think that this bug probably impacts most of the pam modules and so it must be considered an important security issue (security policies are not enforced).

I'm performing further checks...

[1] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/support.c:68
if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
  D(("IAMROOT"));
  set(UNIX__IAMROOT, ctrl);
}

[2] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/pam_unix_passwd.c:491
if (off(UNIX__IAMROOT, ctrl)) {
  if (strlen(pass_new) < pass_min_len)
    remark = _("You must choose a longer password");
  D(("length check [%s]", remark));
  if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
    if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
      remark = _("Password has been already used. Choose another.");
    if (retval == PAM_ABORT) {
      pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                                        OLD_PASSWORDS_FILE);
      return retval;
    }
  }
}
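The following is an added example, not code from the bug reporter or from Linux-PAM, that models the two pam_unix decisions quoted in [1] and [2] so the effect of the missing flag can be checked without a display manager. It assumes the PAM constant values redefined at the top (they mirror Linux-PAM's headers but are declared locally so the file builds without libpam), a single module-private control bit standing in for UNIX__IAMROOT, and a minimum password length of 6; the function names set_ctrl, check_new_password and root_change_expired_password are hypothetical. It shows that a root process driving an expired-password change with flags 0 gets the length check skipped, while passing PAM_CHANGE_EXPIRED_AUTHTOK keeps the policy enforced.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Values mirror Linux-PAM's <security/_pam_types.h>; they are redefined
 * here (assumption of this example) so the file builds without libpam. */
#define PAM_SUCCESS                 0
#define PAM_AUTHTOK_ERR             20
#define PAM_CHANGE_EXPIRED_AUTHTOK  0x20

/* Module-private control bit standing in for UNIX__IAMROOT in pam_unix. */
#define UNIX__IAMROOT  0x01u

/* Model of the decision quoted from pam_unix/support.c [1]: a caller
 * running as root that does NOT pass PAM_CHANGE_EXPIRED_AUTHTOK is treated
 * as an administrator resetting someone else's password. */
static unsigned set_ctrl(uid_t caller_uid, int flags)
{
    unsigned ctrl = 0;
    if (caller_uid == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
        ctrl |= UNIX__IAMROOT;
    return ctrl;
}

/* Model of the policy block quoted from pam_unix_passwd.c [2]: the
 * minimum-length check only runs while UNIX__IAMROOT is off. */
static int check_new_password(unsigned ctrl, const char *pass_new,
                              size_t pass_min_len, const char **remark)
{
    *remark = NULL;
    if (!(ctrl & UNIX__IAMROOT)) {
        if (strlen(pass_new) < pass_min_len) {
            *remark = "You must choose a longer password";
            return PAM_AUTHTOK_ERR;
        }
    }
    return PAM_SUCCESS;
}

/* What a display manager running as root (uid 0) gets when it drives the
 * expired-password change with the given pam_chauthtok() flags.
 * pass_min_len of 6 is this model's assumption. */
int root_change_expired_password(int flags, const char *pass_new)
{
    const char *remark;
    unsigned ctrl = set_ctrl(0, flags);
    return check_new_password(ctrl, pass_new, 6, &remark);
}

int main(void)
{
    /* lightdm-style call: pam_chauthtok(pamh, 0) from a root process */
    printf("flags=0, new password \"t\": %s\n",
           root_change_expired_password(0, "t") == PAM_SUCCESS
               ? "ACCEPTED (policy skipped)" : "rejected");

    /* correct call: pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) */
    printf("flags=PAM_CHANGE_EXPIRED_AUTHTOK, new password \"t\": %s\n",
           root_change_expired_password(PAM_CHANGE_EXPIRED_AUTHTOK, "t") == PAM_SUCCESS
               ? "ACCEPTED (policy skipped)" : "rejected");
    return 0;
}
```

The model only carries the length check, but the same UNIX__IAMROOT gate covers the "remember" (old-password) check in the quoted block, which is why the reporter notes that policy is broken too; the fix on the caller's side is to pass PAM_CHANGE_EXPIRED_AUTHTOK to pam_chauthtok() when handling an expired password.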