cannot change password with a similar one

Bug #600749 reported by ®om
This bug affects 2 people
Affects        Status       Importance  Assigned to  Milestone
pam (Debian)   Unknown      Unknown
pam (Ubuntu)   In Progress  Medium      Unassigned

Bug Description

I have a password of 8 chars (for example abcdefgh)

I try to add 1 char, so I execute passwd, I type abcdefgh for my old password. It asks twice for the new one, I type abcdefghi, and it says:

Bad: new password must be different than the old one

While they are different!

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: passwd 1:4.1.4.2-1ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-23.37-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Jul 1 20:01:42 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
ProcEnviron:
 LANG=fr_FR.utf8
 SHELL=/bin/bash
SourcePackage: shadow

Revision history for this message
®om (rom1v) wrote :

Workaround: change to a totally different password, and change again to the one you want.

Revision history for this message
meisterplanlos (meisterplanlos) wrote :

This affects me too.

tags: added: apport-collected
Revision history for this message
meisterplanlos (meisterplanlos) wrote : apport information

Architecture: amd64
DistroRelease: Ubuntu 10.10
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha amd64 (20100803.1)
Package: shadow (not installed)
ProcEnviron:
 LANG=de_DE.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.35-15.21-generic 2.6.35.1
Tags: maverick
Uname: Linux 2.6.35-15-generic x86_64
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Revision history for this message
meisterplanlos (meisterplanlos) wrote : LoginDefs.txt

apport information

Revision history for this message
Phillip Susi (psusi) wrote :

I can reproduce this. Marking as confirmed.

Changed in shadow (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Phillip Susi (psusi) wrote :

This bug is in the pam package and introduced by the quilt patch "007_modules_pam_unix". It appears to be intentional, but incorrect behavior. The code has this comment:

       /* The traditional crypt() truncates passwords to 8 chars. It is
          possible to circumvent the above checks by choosing an easy
          8-char password and adding some random characters to it...
          Example: "password$%^&*123". So check it again, this time
          truncated to the maximum length. Idea from npasswd. --marekm */

This no longer seems to apply so I think this chunk of code should be removed.

affects: shadow (Ubuntu) → pam (Ubuntu)
Changed in pam (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 600749] Re: cannot change password with a similar one

On Wed, Mar 02, 2011 at 09:23:59PM -0000, Phillip Susi wrote:
> This bug is in the pam package and introduced by the quilt patch
> "007_modules_pam_unix". It appears to be intentional, but incorrect
> behavior. The code has this comment:

> /* The traditional crypt() truncates passwords to 8 chars. It is
> possible to circumvent the above checks by choosing an easy
> 8-char password and adding some random characters to it...
> Example: "password$%^&*123". So check it again, this time
> truncated to the maximum length. Idea from npasswd. --marekm */

> This no longer seems to apply so I think this chunk of code should be
> removed.

I think you're misreading the code. Traditional crypt() is not what is
*used* by default, but *if* traditional crypt is in use, there are
additional checks that need to be done here. Note that this function is
designed to return with no error at this point when crypt is *not* in use:

       if (!UNIX_DES_CRYPT(ctrl))
               return NULL; /* unlimited password length */

So while there does seem to be a bug regarding password truncations, I don't
think it's here.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>
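The check the two comments above are discussing can be modelled in a few lines. The following is an added illustration written for this page, not the pam_unix source: `rejected_as_same()` is a hypothetical function that applies the full-length comparison for every hash and the 8-character truncated comparison only when traditional DES crypt() is in use (the `kind != HASH_DES` early return plays the role of the `UNIX_DES_CRYPT(ctrl)` test), while `rejected_as_same_buggy()` shows the behaviour the reporter hit, where the truncated comparison runs for every hash. The `hash_kind` enum and the `DES_TRUNC` constant are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of pam_unix's "new password must be different" check
 * as discussed in this bug. Not the real pam_unix code. */

/* Traditional DES crypt() only looks at the first 8 characters. */
#define DES_TRUNC 8

/* Assumed stand-in for the hash selected in /etc/pam.d/common-password. */
enum hash_kind { HASH_DES, HASH_MD5, HASH_SHA512 };

/* Returns 1 when newpw is rejected as "the same" as oldpw, 0 otherwise.
 * Mirrors the intended logic: compare at full length for every hash, then
 * re-compare truncated to 8 characters only if DES crypt() is in use, since
 * "password$%^&*123" and "password" hash identically under DES. */
int rejected_as_same(const char *oldpw, const char *newpw, enum hash_kind kind)
{
    if (strcmp(oldpw, newpw) == 0)
        return 1;                       /* identical at full length */
    if (kind != HASH_DES)
        return 0;                       /* unlimited password length */
    return strncmp(oldpw, newpw, DES_TRUNC) == 0;
}

/* The behaviour reported in this bug: the truncated comparison is applied
 * whatever hash is in use, so abcdefgh -> abcdefghi is refused under SHA-512. */
int rejected_as_same_buggy(const char *oldpw, const char *newpw, enum hash_kind kind)
{
    (void)kind;                         /* hash kind is wrongly ignored */
    if (strcmp(oldpw, newpw) == 0)
        return 1;
    return strncmp(oldpw, newpw, DES_TRUNC) == 0;
}

int main(void)
{
    /* Constructed sample inputs, taken from the report and the code comment. */
    const char *old_pw = "abcdefgh";
    const char *new_pw = "abcdefghi";

    printf("SHA-512, correct check : %s\n",
           rejected_as_same(old_pw, new_pw, HASH_SHA512) ? "rejected" : "accepted");
    printf("SHA-512, buggy check   : %s\n",
           rejected_as_same_buggy(old_pw, new_pw, HASH_SHA512) ? "rejected" : "accepted");
    printf("DES, correct check     : %s\n",
           rejected_as_same(old_pw, new_pw, HASH_DES) ? "rejected" : "accepted");
    printf("DES, padded easy pw    : %s\n",
           rejected_as_same("password$%^&*123", "password", HASH_DES) ? "rejected" : "accepted");
    return 0;
}
```

The DES case shows why the check was written in the first place: under an 8-character truncating hash, "abcdefgh" and "abcdefghi" really are the same credential, so refusing the change is correct there and only there. Auditing the hash selection before the truncated comparison is what the later pam package versions mentioned below do.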

Revision history for this message
Phillip Susi (psusi) wrote :

That UNIX_DES_CRYPT test is somehow broken. If I remove it then it fixes the problem.

Revision history for this message
Steve Langasek (vorlon) wrote :

please show the /etc/pam.d/common-password file from the affected system (as well as /etc/pam.d/passwd, if that's how you're reproducing it).

Revision history for this message
Phillip Susi (psusi) wrote :

I made a mistake. That version actually worked before I modified it. The test is a bit different in version 1.1.1-4ubuntu2, so it looks like this got fixed in the natty version. In the Maverick version the test is:

if (on(UNIX_HASH_MASK,ctrl))

It looks like you tried to fix this once before and it didn't make it. In the change log you have:

  * debian/patches/007_modules_pam_unix: recognize that *all* of the password
    hashes other than traditional crypt handle passwords >8 chars in length.
    LP: #356766.

This is under version 1.1.1-1, however the actual fix appears to not have landed until 1.1.2-1.

Duping this bug against the other one and leaving it marked as fixed since it has been, just not in the rev where it was said to have been.
