You are required to change your password immediately (administrator enforced).

Harald Dunkel

Aug 17, 2021, 2:10:04 PM
After the most recent update of a host running sid there was a
password change dialog:

You are required to change your password immediately (administrator enforced).
You are required to change your password immediately (administrator enforced).

That would be me, but I cannot remember having set such a policy, so
WTH? Not to mention that this broke non-interactive ssh sessions as
well.

How can I make sure I don't have to change passwords on 400+ hosts?


Regards
Harri

Sven Joachim

Aug 17, 2021, 4:00:05 PM
On 2021-08-17 19:59 +0200, Harald Dunkel wrote:

> After the most recent update of a host running sid there was a
> password change dialog:
>
> You are required to change your password immediately (administrator enforced).
> You are required to change your password immediately (administrator enforced).

Same here. The only package that could be related to this surprise
which I upgraded seems to be libcrypt1. Huh?

> That would be me, but I cannot remember having set such a policy, so
> WTH? Not to mention that this broke non-interactive ssh sessions as
> well.
>
> How can I make sure I don't have to change passwords on 400+ hosts?

Do not run sid on 400+ hosts. Do not run testing either, especially in
the first months after a release.

Cheers,
Sven

Sven Joachim

Aug 17, 2021, 4:20:05 PM
On 2021-08-17 21:55 +0200, Sven Joachim wrote:

> On 2021-08-17 19:59 +0200, Harald Dunkel wrote:
>
>> After the most recent update of a host running sid there was a
>> password change dialog:
>>
>> You are required to change your password immediately (administrator enforced).
>> You are required to change your password immediately (administrator enforced).
>
> Same here. The only package that could be related to this surprise
> which I upgraded seems to be libcrypt1. Huh?

Indeed libcrypt1 seems to be the culprit. After changing my password and
downgrading libcrypt1 (as well as libcrypt-dev) to the bullseye version
I could restore my /etc/shadow from a backup without being nagged again.

It also seems that the problem only occurs if you have not changed your
password for quite a few years and it still has an md5 hash in
/etc/shadow. For details see
https://github.com/besser82/libxcrypt/issues/129.

Cheers,
Sven

Harald Dunkel

Aug 18, 2021, 8:40:04 AM
Of course not. But sid becomes the next release in 2 years, and then it
might be too late to get rid of this lie.


Regards
Harri

Sven Joachim

Aug 21, 2021, 4:20:05 AM
Feel free to file a bug against the libcrypt1 package and/or the release
notes. The change itself looks quite reasonable to me though, as
md5crypt hashes are really insecure these days.

The following command could be used to check for old md5crypt password
hashes, see crypt(5):

sudo cat /etc/shadow | grep -F ':$1$'

Cheers,
Sven
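
Added example, not part of the original posts: a POSIX shell audit that generalizes the grep above by classifying every account's hash scheme from its crypt(5) prefix, so it also reports md5crypt hashes behind a "!" lock marker, which the pattern ':$1$' does not match. The function names and the sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Classify password hash schemes in shadow(5)-format input (file args or stdin).
# Prefixes follow crypt(5). Prints "user<TAB>scheme" per account.
shadow_schemes() {
    awk -F: '
    {
        h = $2
        if (h == "") { printf "%s\tempty-password\n", $1; next }
        sub(/^!+/, "", h)      # a leading "!" marks a locked entry, hash may follow
        if (h == "" || h == "*")        s = "locked"
        else if (h ~ /^\$1\$/)          s = "md5crypt"
        else if (h ~ /^\$2[abxy]?\$/)   s = "bcrypt"
        else if (h ~ /^\$5\$/)          s = "sha256crypt"
        else if (h ~ /^\$6\$/)          s = "sha512crypt"
        else if (h ~ /^\$y\$/)          s = "yescrypt"
        else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/) s = "descrypt"
        else                            s = "unknown"
        printf "%s\t%s\n", $1, s
    }' "$@"
}

# Accounts still stored as md5crypt (the case in this thread) or as the
# even older descrypt; these are the ones to re-hash by setting a password.
weak_accounts() {
    shadow_schemes "$@" |
        awk -F'\t' '$2 == "md5crypt" || $2 == "descrypt" { print $1 }'
}

# Constructed sample data (placeholder salts and hashes, not real entries).
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:18800:0:99999:7:::
alice:$1$oldsalt$CONSTRUCTEDMD5CRYPTHASH:15000:0:99999:7:::
bob:!$1$oldsalt$CONSTRUCTEDMD5CRYPTHASH:15000:0:99999:7:::
carol:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:18850:0:99999:7:::
daemon:*:18800:0:99999:7:::
EOF
}

# Demo on the constructed sample; on a real host, as root:
#   weak_accounts /etc/shadow
sample_shadow | weak_accounts
```

Run across a fleet before upgrading libcrypt1, this lists the accounts that need a password change done on your own schedule.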

John Crawley

Aug 22, 2021, 1:10:05 AM
On 18/08/2021 21:16, Harald Dunkel wrote:
> ...sid becomes the next release in 2 years

Sid is always sid.
Testing (now Bookworm) will become stable in ~2 years.

--
John