Opened 7 months ago

Closed 7 months ago

#15950 closed enhancement (fixed)

chpasswd not working

Reported by: thomas Owned by: pierre
Priority: normal Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords: shadow pam chpasswd
Cc:

Description

When building shadow with pam support, it looks like at least chpasswd is not working. Unfortunately, there is no error message nor a non-zero return code when doing a

echo "username:passwd" | chpasswd

It simply does nothing. The failure has been tracked down to be caused by a missing line in the PAM configuration. The issue can be solved by adding

password  include     system-password

after the

password  required    pam_permit.so

line in /etc/pam.d/chage, which is later copied to several other program files.

The question is: is the line just missing for /etc/pam.d/chpasswd, missing for all chXXX programs, or missing for all programs?

Change History (4)

comment:1 by pierre, 7 months ago

I think any program changing a password requires that PAM does something (check password strength, for example). So passing only pam_permit.so for the "password" type is clearly wrong, since pam_permit does nothing except return success.

I do not have a clear understanding of what selects what is called "type" in pam documentation (password, session, auth, and account). But I think if the type is "password", we should use "system-password" in any case. I suspect some applications like login or sshd never use the "password" type anyway, since it has nothing to do with managing a password (entering a password is in the "auth" type).

So I propose to remove the pam_permit and replace it with include system-password for the chage pam file, and all the files that are a copy of chage.
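
As an added example, not part of this ticket or of the BLFS book: a small POSIX shell audit that flags a PAM service file whose "password" stack is only pam_permit.so with no include line, run here over constructed sample files in a temp directory (the auth/account lines in the samples are assumed, not copied from the book).

```shell
#!/bin/sh
# Audit a PAM service file: flag a "password" stack that consists solely of
# pam_permit.so with no include/substack line.  pam_permit only returns
# success, so such a stack applies no password policy at all.
# Exit status: 0 = flagged (permit-only), 1 = not flagged.
# Simplification: bracketed control fields such as "[success=1 default=ignore]"
# are not parsed; lines using them count as non-pam_permit modules.
pam_password_stack_is_permit_only() {
    # Keep only password-type lines; comment lines start with '#', so $1 never matches.
    stack=$(awk '$1 == "password"' "$1")
    [ -n "$stack" ] || return 1          # no password stack at all: nothing to flag
    # include/substack delegate to a real policy file (e.g. system-password).
    if printf '%s\n' "$stack" | awk '$2 == "include" || $2 == "substack" { d=1 } END { exit !d }'; then
        return 1
    fi
    # Flag only when every password line names pam_permit.so.
    printf '%s\n' "$stack" | awk '$3 != "pam_permit.so" { o=1 } END { exit o+0 }'
}

# Write constructed sample files into the directory given as $1.
write_samples() {
    # Constructed sample: the chage-derived stack the ticket describes (broken).
    cat > "$1/chpasswd.bad" <<'EOF'
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
password  required    pam_permit.so
EOF
    # Constructed sample: the same file after the proposed fix.
    cat > "$1/chpasswd.good" <<'EOF'
auth      sufficient  pam_rootok.so
auth      include     system-auth
account   include     system-account
password  include     system-password
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/chpasswd.bad "$tmp"/chpasswd.good; do
    if pam_password_stack_is_permit_only "$f"; then
        echo "$f: password stack is pam_permit.so only, no policy is applied"
    else
        echo "$f: ok"
    fi
done
```

Point the function at the real /etc/pam.d/* files to check an installed system; a directory loop over those files is the usual way to run it.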

comment:2 by pierre, 7 months ago

Owner: changed from blfs-book to pierre
Status: new → assigned

After discussion on irc, and looking at the sources: among the shadow applications, only login, su, chpasswd, newusers, and passwd use the password type. And only login and su use the session type. So I will completely remove session and password from the config files of applications that don't use it, and change password to include system-password for applications that use it.

comment:3 by pierre, 7 months ago

I've tested various apps with the settings above, and all seems to be well. groupmems has something weird in its doc: it tells you to chmod it to 2710 and change the group ownership to groups, then add some users to the group groups to allow them to manage their own group membership. But this does not work, because it tries to open /etc/gshadow, which has mode 400 and is owned by root. This has nothing to do with pam (the pam library is not called in the process above).

comment:4 by pierre, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at bc7e5a700
