Opened 3 years ago
Closed 3 years ago
#15950 closed enhancement (fixed)
chpasswd not working
Reported by: | thomas | Owned by: | pierre |
---|---|---|---|
Priority: | normal | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | shadow pam chpasswd |
Cc: | | | |
Description
When building shadow with PAM support, it looks like at least chpasswd
is not working. Unfortunately, there is no error message nor a non-zero return code when doing a
echo "username:passwd" | chpasswd
It simply does nothing. The failure has been tracked down to be caused by a missing line in the PAM configuration. The issue can be solved by adding
password include system-password
after the
password required pam_permit.so
line in /etc/pam.d/chage
which is later copied to several other program files.
Question is, is the line just missing for /etc/pam.d/chpasswd, missing for all chXXX programs, or missing for all programs?
Change History (4)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned | |
After discussion on IRC, and looking at the sources: among the shadow applications, only login, su, chpasswd, newusers, and passwd use the password type. And only login and su use the session type. So I will completely remove session and password from the config files of applications that don't use them, and change password to include system-password for applications that use it.
comment:3 by , 3 years ago
I've tested various apps with the settings above, and all seems well. groupmems has something weird in its doc: it tells you to chmod it to 2710 and change the group ownership to groups, then add some users to the group groups to allow them to manage their own group membership. But this does not work, because it tries to open /etc/gshadow, which has mode 400 and is owned by root. This has nothing to do with PAM (the PAM library is not called in the process above).
I think any program changing a password requires that PAM does something (check password strength, for example). So passing only pam_permit.so for the "password" type is clearly wrong, since pam_permit does nothing except return success.
I do not have a clear understanding of what selects what is called a "type" in the PAM documentation (password, session, auth, and account). But I think if the type is "password", we should use "system-password" in any case. I suspect some applications like login or sshd never use the "password" type anyway, since it has nothing to do with managing a password (entering a password is in the "auth" type).
So I propose to remove the pam_permit and replace it with include system-password for the chage PAM file, and all the files that are a copy of chage.
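An audit check for the three stack shapes discussed in comment 2 and comment 3 (pam_permit only, include system-password, no password lines at all), added here as an example that is not from the ticket or the LFS book; the sample service files are constructed, and their pam_rootok/system-auth/system-account lines are assumed boilerplate:

```shell
#!/bin/sh
# Classify the "password" stack of one PAM service file:
#   weak  - every password line is pam_permit.so (the stack this ticket reports)
#   ok    - the stack includes system-password (the proposed fix)
#   none  - no password lines at all (apps that never use the password type)
#   other - some other module set; review by hand
pam_password_stack() {
  # strip leading blanks, comments and empty lines; keep lines of type "password"
  stack=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1" | awk '$1 == "password"')
  if [ -z "$stack" ]; then
    echo none
  elif printf '%s\n' "$stack" | grep -q 'include[[:space:]]\{1,\}system-password'; then
    echo ok
  elif ! printf '%s\n' "$stack" | grep -qv 'pam_permit\.so'; then
    # no password line is missing pam_permit.so, i.e. pam_permit is all there is
    echo weak
  else
    echo other
  fi
}

# Constructed samples (not the LFS book's own files); the auth/account lines
# are assumed boilerplate, only the password/session lines matter here.
tmp=$(mktemp -d)
cat > "$tmp/chpasswd.before" <<'EOF'
# as reported: pam_permit only, so chpasswd silently does nothing
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
session   include     system-session
password  required    pam_permit.so
EOF
cat > "$tmp/chpasswd.after" <<'EOF'
# proposed fix: let the system-password stack handle the change
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
password  include     system-password
EOF
cat > "$tmp/chage.after" <<'EOF'
# chage uses neither the password nor the session type, so neither is listed
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
EOF

for f in chpasswd.before chpasswd.after chage.after; do
  printf '%-16s %s\n' "$f" "$(pam_password_stack "$tmp/$f")"
done
```

Run it against the real /etc/pam.d/chpasswd, chage and friends to see which of the copies still carry the pam_permit-only stack.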