Bug#396726: chpasswd does not update opasswd
On Fri, Nov 03, 2006 at 10:50:12PM +0100, Nicolas François wrote:
> chpasswd is currently not compiled with PAM support on Debian. As PAM is
> responsible for updating /etc/security/opasswd, I prefer to keep this bug
> open, but tagging it wontfix, until we decide whether we can compile this
> utility with PAM support.

Ok. It looks like this functionality is also broken in programs like passwd, which use PAM. See also Debian Bug #396918...

--
Brian Ristuccia
Bug#396726: chpasswd does not update opasswd
On Mon, Nov 06, 2006 at 10:15:35AM -0500, Brian Ristuccia wrote:
> On Fri, Nov 03, 2006 at 10:50:12PM +0100, Nicolas François wrote:
> > chpasswd is currently not compiled with PAM support on Debian. As PAM is
> > responsible for updating /etc/security/opasswd, I prefer to keep this bug
> > open, but tagging it wontfix, until we decide whether we can compile this
> > utility with PAM support.
>
> Ok. It looks like this functionality is also broken in programs like
> passwd, which use PAM. See also Debian Bug #396918...

Well, not completely broken. It is just when passwd is run by root. Because it is considered that root does not have the same password policy (this could also make sense).

I recommend you set users' passwords by root to a simple password that can be communicated to the user, but also tag the password as expired, so that the user has to choose a new password the next time he logs in (and then the new password will be entered into /etc/security/opasswd; also the administrator does not have to know the users' passwords).

Kind Regards,
--
Nekral
Bug#396726: chpasswd does not update opasswd
On Mon, Nov 06, 2006 at 05:07:31PM +0100, Nicolas François wrote:
> I recommend you set users' passwords by root to a simple password that can
> be communicated to the user, but also tag the password as expired, so that
> the user has to choose a new password the next time he logs in (and then
> the new password will be entered into /etc/security/opasswd; also the
> administrator does not have to know the users' passwords).

In that case, only the temporary password is written into opasswd. The user's previous password (before it was changed by root to the temporary one) is not stored in opasswd and nothing prevents the user from changing their password back to that value.

Imagine a scenario where an administrator finds out that one or more account passwords may have been disclosed to unauthorized persons. Not knowing exactly which accounts have been compromised, the administrator takes various preventive steps including assigning everyone a new temporary random password and marking it expired. Simply marking the compromised password expired is not enough; an unauthorized user could complete the password change procedure and take control of the account. The temporary passwords are hand delivered to the affected users. Unless the password hash from before the temporary password assignment is copied into opasswd, users who decide to violate the password policy can simply change their password back to the previous (compromised) value.

--
Brian Ristuccia
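The step described in the message above (copying the pre-reset hash into opasswd before the temporary password is assigned), as an added example that is not part of the original thread. It assumes pam_unix's opasswd line format `user:uid:count:hash1,hash2,...` with the oldest hash first; the function names, accounts and hash strings are constructed for illustration.

```python
# Added example (not from the thread). Operates on text, so it runs offline.
# Assumed opasswd line format: user:uid:count:hash1,hash2,... (oldest first).

# Constructed sample data; the hash strings are placeholders, not real hashes.
SHADOW = (
    "alice:$1$saltA$OLD_ALICE:13458:0:99999:7:::\n"
    "bob:$1$saltB$OLD_BOB:13458:0:99999:7:::\n"
)
OPASSWD = "alice:1000:2:$1$s1$H1,$1$s2$H2\n"


def shadow_hash(shadow_text, user):
    """Return the password-hash field for `user` from shadow(5) text."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1]
    return None


def remember_hash(opasswd_text, user, uid, old_hash, remember=5):
    """Return opasswd text with `old_hash` added to the user's history."""
    if not old_hash or old_hash[0] in "!*":
        return opasswd_text  # empty or locked field: nothing to remember
    out, found = [], False
    for line in opasswd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == user:
            found = True
            hashes = [h for h in fields[3].split(",") if h]
            if old_hash not in hashes:
                hashes.append(old_hash)
            hashes = hashes[-remember:]  # keep only the newest `remember`
            line = f"{user}:{uid}:{len(hashes)}:{','.join(hashes)}"
        out.append(line)
    if not found:
        out.append(f"{user}:{uid}:1:{old_hash}")
    return "\n".join(out) + "\n"


def pre_reset(shadow_text, opasswd_text, accounts, remember=5):
    """Record every listed account's current hash before chpasswd is run."""
    for user, uid in accounts:
        opasswd_text = remember_hash(
            opasswd_text, user, uid, shadow_hash(shadow_text, user), remember)
    return opasswd_text


if __name__ == "__main__":
    print(pre_reset(SHADOW, OPASSWD, [("alice", 1000), ("bob", 1001)], 2), end="")
```

pam_unix only consults the history when its password line carries `remember=N`, and the hash has to be captured before the reset replaces it in /etc/shadow.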
Bug#396726: chpasswd does not update opasswd
On Mon, Nov 06, 2006 at 12:09:59PM -0500, Brian Ristuccia wrote:
> On Mon, Nov 06, 2006 at 05:07:31PM +0100, Nicolas François wrote:
> > I recommend you set users' passwords by root to a simple password that
> > can be communicated to the user, but also tag the password as expired,
> > so that the user has to choose a new password the next time he logs in
> > (and then the new password will be entered into /etc/security/opasswd;
> > also the administrator does not have to know the users' passwords).
>
> In that case, only the temporary password is written into opasswd. The
> user's previous password (before it was changed by root to the temporary
> one) is not stored in opasswd and nothing prevents the user from changing
> their password back to that value.

Yes, you are right. I did not understand the issue of #396918.

(This does not change the status for chpasswd, but I will try to have a look at the pam_unix module)

Kind Regards,
--
Nekral
Bug#396726: chpasswd does not update opasswd
tags 396726 wontfix
thanks

Hello,

On Thu, Nov 02, 2006 at 09:38:22AM -0500, Brian Ristuccia wrote:
> When changing a password with chpasswd, the previous password hash is not
> stored in /etc/security/opasswd. As a result, nothing prevents the user
> from changing their password back to a previous (potentially compromised)
> value.

chpasswd is currently not compiled with PAM support on Debian. As PAM is responsible for updating /etc/security/opasswd, I prefer to keep this bug open, but tagging it wontfix, until we decide whether we can compile this utility with PAM support.

Kind Regards,
--
Nekral
Bug#396726: chpasswd does not update opasswd
Package: passwd
Version: 1:4.0.3-31sarge5

When changing a password with chpasswd, the previous password hash is not stored in /etc/security/opasswd. As a result, nothing prevents the user from changing their password back to a previous (potentially compromised) value.

--
Brian Ristuccia