2008-09-19 18:31:17 |
kah00na |
bug |
|
|
added bug |
2008-09-19 18:35:26 |
kah00na |
description |
Binary package hint: passwd
As root, if you attempt to change the password, and the passwords do not match you get "passwords do not match" and "password updated successfully". It should only report "passwords do not match". It shouldn't say "password updated sucessfully". According to Synaptic the passwd package is at level "1:4.1.1-1ubuntu1". This is on 8.10 Alpha 6. Here's the output:
root@ehud:/# passwd
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match
passwd: password updated successfully
root@ehud:/# lsb_release -rd
Description: Ubuntu intrepid (development branch)
Release: 8.10
root@ehud:/# |
Binary package hint: passwd
As root, if you attempt to change the password, and the passwords do not match you get "passwords do not match" and "password updated successfully". It should only report "passwords do not match". It shouldn't say "password updated sucessfully". According to Synaptic the passwd package is at level "1:4.1.1-1ubuntu1". This is on 8.10 Alpha 6. Here's the output:
root@ehud:/# passwd
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match
passwd: password updated successfully
root@ehud:/# lsb_release -rd
Description: Ubuntu intrepid (development branch)
Release: 8.10
root@ehud:/#
This happens for normal users as well:
userX@ehud:~$ passwd
Changing password for userX.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match
passwd: password updated successfully
userX@ehud:~$
|
|
2008-09-19 20:33:21 |
Mackenzie Morgan |
shadow: status |
New |
Confirmed |
|
2008-09-19 20:33:21 |
Mackenzie Morgan |
shadow: statusexplanation |
|
Reproducible on Intrepid. |
|
2008-09-19 20:58:04 |
Nicolas François |
shadow: bugtargetdisplayname |
shadow (Ubuntu) |
pam (Ubuntu) |
|
2008-09-19 20:58:04 |
Nicolas François |
shadow: bugtargetname |
shadow (Ubuntu) |
pam (Ubuntu) |
|
2008-09-19 20:58:04 |
Nicolas François |
shadow: statusexplanation |
Reproducible on Intrepid. |
This looks like a PAM configuration bug.
When pam_unix fails, the error is (willingly) ignored.
One temporary solution to fix this could be to change the line:
password [success=1 default=ignore] pam_unix.so obscure sha512
to
password required pam_unix.so obscure sha512 |
|
2008-09-19 20:58:04 |
Nicolas François |
shadow: title |
Bug #272232 in shadow (Ubuntu): "passwd - passwords do not match but updated successfully" |
Bug #272232 in pam (Ubuntu): "passwd - passwords do not match but updated successfully" |
|
2008-10-15 20:03:15 |
Dustin Kirkland |
pam: status |
Confirmed |
Triaged |
|
2008-10-15 20:03:15 |
Dustin Kirkland |
pam: importance |
Undecided |
Critical |
|
2008-10-15 20:03:15 |
Dustin Kirkland |
pam: statusexplanation |
This looks like a PAM configuration bug.
When pam_unix fails, the error is (willingly) ignored.
One temporary solution to fix this could be to change the line:
password [success=1 default=ignore] pam_unix.so obscure sha512
to
password required pam_unix.so obscure sha512 |
I'm stepping this bug up to critical, and milestoning it against Intrepid release. I spoke with slangasek and he's going to work on it.
This is currently affecting pam_ecryptfs.
If the user is using an encrypted private directory, and tries to change their password with passwd, the password change might fail, but their passphrase might get rewrapped. This is highly undesirable, and causes automounting of ~/Private to fail.
:-Dustin |
|
2008-10-15 20:03:15 |
Dustin Kirkland |
pam: milestone |
|
ubuntu-8.10 |
|
2008-10-15 20:07:50 |
Dustin Kirkland |
pam: status |
Triaged |
Confirmed |
|
2008-10-15 20:07:50 |
Dustin Kirkland |
pam: importance |
Critical |
High |
|
2008-10-15 20:07:50 |
Dustin Kirkland |
pam: statusexplanation |
I'm stepping this bug up to critical, and milestoning it against Intrepid release. I spoke with slangasek and he's going to work on it.
This is currently affecting pam_ecryptfs.
If the user is using an encrypted private directory, and tries to change their password with passwd, the password change might fail, but their passphrase might get rewrapped. This is highly undesirable, and causes automounting of ~/Private to fail.
:-Dustin |
My apologies....
Please disregard my last message. This bug is still very important, but I was completely mistaken.
pam_ecryptfs will NOT re-wrap the passphrase if the operation actually fails (regardless of the success message). Whew.
I stepped this bug back down to Confirmed/High.
:-Dustin |
|
2008-10-15 20:28:14 |
Dustin Kirkland |
pam: status |
Confirmed |
Triaged |
|
2008-10-15 20:28:14 |
Dustin Kirkland |
pam: importance |
High |
Critical |
|
2008-10-15 20:28:14 |
Dustin Kirkland |
pam: statusexplanation |
My apologies....
Please disregard my last message. This bug is still very important, but I was completely mistaken.
pam_ecryptfs will NOT re-wrap the passphrase if the operation actually fails (regardless of the success message). Whew.
I stepped this bug back down to Confirmed/High.
:-Dustin |
|
|
2008-10-15 20:34:57 |
Steve Langasek |
shadow: status |
New |
Invalid |
|
2008-10-15 20:34:57 |
Steve Langasek |
shadow: statusexplanation |
|
Not a bug in shadow at all; this is entirely a pam problem, related to the pam-auth-update changes to the default PAM stack. I'm working through this today to fix up the stack semantics. |
|
2008-10-15 20:35:53 |
Steve Langasek |
pam: assignee |
|
vorlon |
|
2008-10-15 20:35:53 |
Steve Langasek |
pam: statusexplanation |
|
|
|
2008-10-16 01:33:43 |
Steve Langasek |
pam: status |
Triaged |
In Progress |
|
2008-10-16 04:30:06 |
Launchpad Janitor |
pam: status |
In Progress |
Fix Released |
|
2008-10-16 04:35:51 |
Steve Langasek |
bug |
|
|
assigned to ecryptfs-utils (Ubuntu) |
2008-10-16 04:55:47 |
Steve Langasek |
ecryptfs-utils: status |
New |
Triaged |
|
2008-10-16 04:55:47 |
Steve Langasek |
ecryptfs-utils: importance |
Undecided |
Medium |
|
2008-10-16 04:55:47 |
Steve Langasek |
ecryptfs-utils: statusexplanation |
|
Having looked at the code, I think the ecryptfs-utils case is an ecryptfs-utils bug and not a pam bug. The relevant code in pam_ecryptfs is:
if (!old_passphrase || !new_passphrase) {
syslog(LOG_WARNING, "eCryptfs PAM passphrase change module "
"retrieved at least one NULL passphrase; nothing to "
"do\n");
goto out;
}
but this leaves rc as PAM_SUCCESS - since this module is designed to be an optional module, this really ought to return PAM_IGNORE instead for this case. |
|
2008-10-16 05:23:33 |
Steve Langasek |
bug |
|
|
added attachment 'ecryptfs-utils-272232.debdiff' (ecryptfs-utils-272232.debdiff) |
2008-10-16 06:37:26 |
Steve Langasek |
bug |
|
|
added attachment 'ecryptfs-utils-272232.debdiff' (ecryptfs-utils-272232.debdiff) |
2008-10-16 15:09:55 |
Dustin Kirkland |
ecryptfs-utils: status |
Triaged |
In Progress |
|
2008-10-16 15:09:55 |
Dustin Kirkland |
ecryptfs-utils: statusexplanation |
Having looked at the code, I think the ecryptfs-utils case is an ecryptfs-utils bug and not a pam bug. The relevant code in pam_ecryptfs is:
if (!old_passphrase || !new_passphrase) {
syslog(LOG_WARNING, "eCryptfs PAM passphrase change module "
"retrieved at least one NULL passphrase; nothing to "
"do\n");
goto out;
}
but this leaves rc as PAM_SUCCESS - since this module is designed to be an optional module, this really ought to return PAM_IGNORE instead for this case. |
|
|
2008-10-16 21:01:26 |
Steve Langasek |
bug |
|
|
added attachment 'ecryptfs-utils-272232.debdiff' (ecryptfs-utils-272232.debdiff) |
2008-10-17 06:04:37 |
Dustin Kirkland |
bug |
|
|
added attachment 'ecryptfs-utils.272232.debdiff' (ecryptfs-utils.272232.debdiff) |
2008-10-19 14:23:54 |
Dustin Kirkland |
ecryptfs-utils: importance |
Medium |
High |
|
2008-10-19 14:23:54 |
Dustin Kirkland |
ecryptfs-utils: assignee |
|
kirkland |
|
2008-10-19 15:18:44 |
Dustin Kirkland |
bug |
|
|
added attachment 'ecryptfs-utils.272232b.debdiff' (ecryptfs-utils.272232b.debdiff) |
2008-10-19 15:23:55 |
Dustin Kirkland |
bug |
|
|
added subscriber Jamie Strandboge |
2008-10-19 15:24:14 |
Dustin Kirkland |
bug |
|
|
added subscriber Steve Langasek |
2008-10-19 15:24:34 |
Dustin Kirkland |
bug |
|
|
added subscriber Ubuntu Sponsors for main |
2008-10-19 15:31:41 |
Dustin Kirkland |
bug |
|
|
added attachment 'ecryptfs-utils.272232c.debdiff' (ecryptfs-utils.272232c.debdiff) |
2008-10-20 00:38:36 |
Steve Langasek |
ecryptfs-utils: status |
In Progress |
Fix Committed |
|
2008-10-20 00:38:36 |
Steve Langasek |
ecryptfs-utils: statusexplanation |
|
Sponsored, waiting for release team approval. Thanks, Dustin! |
|
2008-10-20 06:04:48 |
Launchpad Janitor |
ecryptfs-utils: status |
Fix Committed |
Fix Released |
|
2008-11-27 10:23:48 |
Massimo Cora' |
bug |
|
|
added attachment 'log' (strace log) |
2009-06-27 05:12:11 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/karmic/pam |
|
2009-12-09 11:48:12 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/ecryptfs-utils |
|
2011-02-17 08:42:30 |
Daniel Holbach |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2011-02-17 08:42:41 |
Daniel Holbach |
removed subscriber [DEPRECATED] Ubuntu Sponsors for main |
|
|
|
2011-02-21 23:27:44 |
Benjamin Drung |
removed subscriber Ubuntu Sponsors Team |
|
|
|