[Bug 600749] Re: cannot change password with a similar one
I can reproduce this. Marking as confirmed. ** Changed in: shadow (Ubuntu) Importance: Undecided = Medium ** Changed in: shadow (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
This bug is in the pam package and introduced by the quilt patch 007_modules_pam_unix. It appears to be intentional, but incorrect behavior. The code has this comment: /* The traditional crypt() truncates passwords to 8 chars. It is possible to circumvent the above checks by choosing an easy 8-char password and adding some random characters to it... Example: password$%^*123. So check it again, this time truncated to the maximum length. Idea from npasswd. --marekm */ This no longer seems to apply so I think this chunk of code should be removed. ** Package changed: shadow (Ubuntu) = pam (Ubuntu) ** Changed in: pam (Ubuntu) Status: Confirmed = In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
** Bug watch added: Debian Bug tracker #616161 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616161 ** Also affects: pam (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616161 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 600749] Re: cannot change password with a similar one
On Wed, Mar 02, 2011 at 09:23:59PM -, Phillip Susi wrote: This bug is in the pam package and introduced by the quilt patch 007_modules_pam_unix. It appears to be intentional, but incorrect behavior. The code has this comment: /* The traditional crypt() truncates passwords to 8 chars. It is possible to circumvent the above checks by choosing an easy 8-char password and adding some random characters to it... Example: password$%^*123. So check it again, this time truncated to the maximum length. Idea from npasswd. --marekm */ This no longer seems to apply so I think this chunk of code should be removed. I think you're misreading the code. Traditional crypt() is not what is *used* by default, but *if* traditional crypt is in use, there are additional checks that need to be done here. Note that this function is designed to return with no error at this point when crypt is *not* in use: if (!UNIX_DES_CRYPT(ctrl)) return NULL; /* unlimited password length */ So while there does seem to be a bug regarding password truncations, I don't think it's here. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
That UNIX_DES_CRYPT test is somehow broken. If I remove it then it fixes the problem. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
please show the /etc/pam.d/common-password file from the affected system (as well as /etc/pam.d/passwd, if that's how you're reproducing it). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
*** This bug is a duplicate of bug 356766 *** https://bugs.launchpad.net/bugs/356766 I made a mistake. That version actually worked before I modified it. The test is a bit different in version 1.1.1-4ubuntu2, so it looks like this got fixed in the natty version. In the Maverick version the test is: if (on(UNIX_HASH_MASK,ctrl)) It looks like you tried to fix this once before and it didn't make it. In the change log you have: * debian/patches/007_modules_pam_unix: recognize that *all* of the password hashes other than traditional crypt handle passwords 8 chars in length. LP: #356766. This is under version 1.1.1-1, however the actual fix appears to not have landed until 1.1.2-1. Duping this bug against the other one and leaving it marked as fixed since it has been, just not in the rev where it was said to have been. ** This bug has been marked a duplicate of bug 356766 Changing long passwords causes spurious error * You can subscribe to bug 356766 by following this link: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/356766/+subscribe -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/600749 Title: cannot change password with a similar one -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
This affects me too. ** Tags added: apport-collected -- cannot change password with a similar one https://bugs.launchpad.net/bugs/600749 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
** Attachment added: Dependencies.txt http://launchpadlibrarian.net/51245368/Dependencies.txt ** Attachment added: LoginDefs.txt http://launchpadlibrarian.net/51245369/LoginDefs.txt -- cannot change password with a similar one https://bugs.launchpad.net/bugs/600749 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 600749] Re: cannot change password with a similar one
Wordaround : change to a totally different password, and change again to the one you want. -- cannot change password with a similar one https://bugs.launchpad.net/bugs/600749 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs