
Bug#1038719: libpam-passwdqc: Enforces rules on root user invocations even when configured not to


Juho Kuisma

Jun 20, 2023, 9:20:05 AM
Package: libpam-passwdqc
Version: 2.0.2-1+b1
Severity: normal
X-Debbugs-Cc: kuisma.ju...@gmail.com

Hey,

passwdqc enforces its rules for root user invocations even when configured to
`enforce=users`. This applies specifically to the `chpasswd` command. `passwd`
warns of the weak password but doesn't fail as documented in passwdqc.conf(5):

$ chpasswd > /dev/null
user1:weak
Weak password: too short.
Weak password: too short.
Weak password: too short.
chpasswd: (user user1) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user user1) password not changed
$ echo $?
1

$ passwd user1 > /dev/null
Enter new password:
Weak password: too short.
Re-type new password:
passwd: password updated successfully
$ echo $?
0

Relevant pam configuration used:

$ cat /etc/pam.d/chpasswd
# The PAM configuration file for the Shadow 'chpasswd' service
#

@include common-password

$ cat /etc/pam.d/passwd
#
# The PAM configuration file for the Shadow `passwd' service
#

@include common-password

$ grep ^password /etc/pam.d/common-password
password requisite pam_passwdqc.so enforce=users
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite pam_deny.so
password required pam_permit.so

This might be caused by `chpasswd` interpreting passwdqc warnings written to
STDERR as failures.

Cheers,
Juho Kuisma

-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-passwdqc depends on:
ii libc6 2.36-9
ii libcrypt1 1:4.4.33-2
ii libpam-runtime 1.5.2-6
ii libpam0g 1.5.2-6
ii libpasswdqc1 2.0.2-1+b1

Versions of packages libpam-passwdqc recommends:
ii passwdqc 2.0.2-1+b1

libpam-passwdqc suggests no packages.

-- no debconf information
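
Added example, not part of the original report: a small simulator of Linux-PAM control-field handling, run over the password stack quoted above, showing that any non-success return from the `requisite` pam_passwdqc.so line ends the stack before pam_unix.so is reached. The module return values are constructed inputs; the report does not state what pam_passwdqc.so actually returned under `chpasswd`.

```python
import re

# Linux-PAM expansions of the simple control keywords (see pam.conf(5)).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}

# The password stack quoted in the report.
STACK = """\
password requisite pam_passwdqc.so enforce=users
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite pam_deny.so
password required pam_permit.so
"""

def parse(text):
    """Return [(module, {return_value: action})] for each 'password' line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            if control.startswith("["):
                actions = dict(kv.split("=") for kv in control[1:-1].split())
            else:
                actions = KEYWORDS[control]
            rules.append((module, actions))
    return rules

def run_stack(rules, returns):
    """Simulate one pass; 'returns' maps module -> constructed return value."""
    verdict, ran, i = None, [], 0
    while i < len(rules):
        module, actions = rules[i]
        ret = returns[module]
        action = actions.get(ret, actions["default"])
        ran.append(module)
        i += 1
        if action.isdigit():
            i += int(action)                 # jump over the next N modules
        elif action == "ok":
            verdict = verdict or "success"   # never overrides an earlier failure
        elif action in ("bad", "die"):
            verdict = ret if verdict in (None, "success") else verdict
            if action == "die":
                break                        # requisite: stop the stack right here
    return verdict, ran
```

Because the passwdqc line is `requisite`, no later line in this stack can recover from a failure it returns, so the outcome for root depends entirely on how the module itself applies `enforce=users`.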

Juho Kuisma

Jun 21, 2023, 4:40:05 AM
This seems to also affect upstream. I created this issue:
https://github.com/openwall/passwdqc/issues/27.

Cheers,
Juho

Juho Kuisma

Jul 6, 2023, 3:30:05 AM
Hey,

Thank you for swiftly fixing the original issue! I verified that it
now works in testing.

Do you have plans to backport this once bookworm-backports is up, or
should I look into backporting this myself?

Sorry for the additional pestering,
Juho