
Re: pwdb breakage



On Sat, 31 May 1997, Cristian Gafton wrote:
> The issues involved in this message seem to be very serious, I am
> dedicating this weekend to the issue. Anyone on-line able to provide me
> with feedback please stay tuned, I'd like to solve those problems as
> quickly as I can, otherwise I'll need to postpone an exam I have on
> monday, and ... I'll do it if I have to. :-(

I'm here to help if it is needed for the weekend...  Unfortunately,
I don't know a whole lot about PAM, but I can try out patches..

> This is the _expected_ behavior of the pam_pwdb module ! It will _read_
> the shadow passwords, it will honor them; *but* if you don't have the
> 'shadow' arg to the pam_pwdb module, it will understand that you are
> dealing with a gradual unshadowing process on your system, so it will
> convert the shadow passwords to standard ones as each user changes
> his password (or root is setting that). I thought that the docs were
> pretty clear on this one, I fail to see the problem. What is the problem ?
> Anyone have other ideas ?

Okay, it looks like you are saying that these Shadow/Passwd problems are
from a poor configuration on Red Hat's part...

So, I guess this would be more directed to Red Hat.  When I make a new
user, I put an 'x' in /etc/passwd and a '*' in /etc/shadow.  Then, I
expect to be able to 'passwd username' at some point in the future to
set the password and enable the account.  Here is what happens:

/etc/passwd:
newtest:x:572:572:New Test:/home/newtest:/bin/bash
/etc/shadow:
newtest:*:10009:0:90:7:30:-1:-1

{ns:root:/root:0}passwd newtest
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: 
passwd: all authentication tokens updated successfully

/etc/passwd:
newtest:XZd0q2oqIJYGo:572:572:New Test:/home/newtest:/bin/bash
/etc/shadow:
newtest:*:10009:0:90:7:30:-1:-1

Hmm... I thought that at this point the user wouldn't be allowed
to log in... but he can.  Oh well, looks like I just repeated
the original post.

Well, to make a point in this whole email -- I definitely do *not*
like this behavior.  I guess the answer is to pass the 'shadow' arg
to the pam_pwdb module (as you said above).  Pardon my ignorance here,
but will always passing the 'shadow' arg to the pam_pwdb module affect
people that *don't* use shadow passwords in an adverse way?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Kirk Bauer -- Georgia Tech -- kirk@kaybee.org <== Finger for PGP
   http://www.kaybee.org/~kirk/html        ResNet RTA
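
Added example, not part of the original message: a small audit that flags the state shown in the transcript above, where a password hash ends up in /etc/passwd while the /etc/shadow entry stays locked. It assumes a system that is meant to keep all hashes in shadow; the function names and the okuser lines are constructed for illustration.

```python
"""Audit passwd/shadow text for accounts whose hash sits in passwd."""

def parse_db(text):
    """Map login name -> colon-separated fields, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields
    return entries

def is_locked(pw):
    """A password field starting with '*' or '!' cannot match any password."""
    return pw.startswith(("*", "!"))

def audit(passwd_text, shadow_text):
    """Return sorted (user, finding) tuples for inconsistent accounts."""
    passwd, shadow = parse_db(passwd_text), parse_db(shadow_text)
    findings = []
    for user, fields in passwd.items():
        pw = fields[1]
        if pw == "x":  # password deferred to the shadow file
            if user not in shadow:
                findings.append((user, "passwd defers to shadow; no shadow entry"))
        elif pw == "":
            findings.append((user, "empty password field in passwd"))
        elif is_locked(pw):
            continue  # locked directly in passwd
        elif user in shadow:
            state = "locked" if is_locked(shadow[user][1]) else "not locked"
            findings.append((user, f"hash in passwd; shadow entry is {state}"))
        else:
            findings.append((user, "hash in passwd; no shadow entry"))
    return sorted(findings)

# newtest lines are the post's "after" state; okuser lines are constructed.
SAMPLE_PASSWD = """newtest:XZd0q2oqIJYGo:572:572:New Test:/home/newtest:/bin/bash
okuser:x:573:573:OK User:/home/okuser:/bin/bash
"""
SAMPLE_SHADOW = """newtest:*:10009:0:90:7:30:-1:-1
okuser:$1$constructed$notarealhash:10009:0:90:7:30:-1:-1
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```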


