From cjc@attbi.com  Mon Apr 21 11:37:25 2003
Message-Id: <200304161950.h3GJoYsJ007712@vegeta.cjclark.org>
Date: Wed, 16 Apr 2003 12:50:34 -0700 (PDT)
From: "Crist J. Clark" <cjc@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: PAM will not allow users with null password to change password
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         51245
>Category:       bin
>Synopsis:       PAM will not allow users with null password to change password
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 21 11:40:04 PDT 2003
>Closed-Date:    Thu Apr 24 05:28:08 PDT 2003
>Last-Modified:  Thu Apr 24 05:28:08 PDT 2003
>Originator:     Crist J. Clark
>Release:        FreeBSD 5.0-RELEASE i386
>Organization:
>Environment:
	FreeBSD 5.0-RELEASE-p7. Using local passwords.
>Description:
	A user with a null password cannot change his password.
>How-To-Repeat:
	As a non-privileged user, change your password to a null
(empty) password,

	$ passwd
	Changing local password for user
	Old Password: (old password)
	New Password: (just hit <enter>)
	Retype New Password: (just hit <enter>)
	$

The user should now have an empty password. Try logging in with the
null password. It should work fine. But now try to change your
password,

	$ passwd
	Changing local password for user
	Old Password: (just hit <enter>)
	passwd: sorry
	$

It will not let you.

>Fix:
	Since root doesn't need to type the old password, root can
reset the user's password.

	As for the real fix, the problem seems to lie within PAM,
somewhere within the pam_chauthtok() function.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: cjc 
Responsible-Changed-When: Mon Apr 21 13:17:44 PDT 2003 
Responsible-Changed-Why:  
To the PAM man. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=51245 

From: Bruce Evans <bde@zeta.org.au>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org, "" <freebsd-bugs@freebsd.org>
Subject: Re: bin/51245: PAM will not allow users with null password to change
 password
Date: Wed, 23 Apr 2003 03:40:53 +1000 (EST)

 On Wed, 16 Apr 2003, Crist J. Clark wrote:
 
 > >How-To-Repeat:
 > 	As a non-privileged user, change your password to a null
 > (empty) password,
 >
 > 	$ passwd
 > 	Changing local password for user
 > 	Old Password: (old password)
 > 	New Password: (just hit <enter>)
 > 	Retype New Password: (just hit <enter>)
 > 	$
 >
 > The user should now have an empty password. Try logging in with the
 > null password. It should work fine. But now try to change your
 > password,
 >
 > 	$ passwd
 > 	Changing local password for user
 > 	Old Password: (just hit <enter>)
 > 	passwd: sorry
 > 	$
 >
 > It will not let you.
 
 This works for me with -nearly-current userland, but I got an apparently-
 corrupt password database from having pwd.mkdb slightly out of date.
 
 After fixing this, everything worked right except for a bug in signal
 handling: hitting ^C at the prompts does nothing until I hit return.
 This is a standard bug for half-baked signal handling -- either signals
 are blocked, or signals are caught and do little except set a flag, and
 read() is restarted.  getpass(3) works correctly, but passwd(1) apparently
 doesn't use it; something blocks SIGINT for the entire read().

From: Dag-Erling Smorgrav <des@ofug.org>
To: "Crist J. Clark" <cjc@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/51245: PAM will not allow users with null password to
 change password
Date: Thu, 24 Apr 2003 05:13:22 +0200

 "Crist J. Clark" <cjc@FreeBSD.org> writes:
 > The user should now have an empty password. Try logging in with the
 > null password. It should work fine. But now try to change your
 > password, [i]t will not let you.
 
 Add "nullok" to the pam_unix line in /etc/pam.d/passwd.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
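
The reply above points at the "nullok" option on the pam_unix line of /etc/pam.d/passwd. As an added example (not part of this PR and not FreeBSD code), the script below lists accounts whose master.passwd password field is empty and reports whether a pam.d file's pam_unix "password" line carries nullok. The function names are hypothetical and both input files are constructed samples.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Print login names whose password field (2nd of the 10 colon-separated
# master.passwd fields) is empty, i.e. accounts with a null password.
empty_pw_users() {
    awk -F: '!/^#/ && NF == 10 && $2 == "" { print $1 }' "$1"
}

# Succeed if the pam.d-style file has a "password" facility line for
# pam_unix that lists the nullok option.
pam_unix_nullok() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "password" && $3 ~ /(^|\/)pam_unix(\.so)?$/ {
            for (i = 4; i <= NF; i++) if ($i == "nullok") found = 1
        }
        END { exit !found }
    ' "$1"
}

# One line per null-password account, with the nullok state of the
# given PAM service file ($1 = master.passwd copy, $2 = pam.d file).
audit_null_passwords() {
    users=$(empty_pw_users "$1")
    [ -z "$users" ] && { echo "no null-password accounts"; return 0; }
    if pam_unix_nullok "$2"; then state="nullok set"; else state="nullok missing"; fi
    for u in $users; do echo "$u: null password, $state"; done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/master.passwd" <<'EOF'
# constructed sample in master.passwd layout
root:$1$constructed$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
alice::1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
cat > "$tmp/passwd.pam" <<'EOF'
# constructed sample in /etc/pam.d/passwd layout
password	required	pam_unix.so	no_warn try_first_pass
EOF
audit_null_passwords "$tmp/master.passwd" "$tmp/passwd.pam"
```

On a real system, point the first argument at a root-readable copy of /etc/master.passwd and the second at /etc/pam.d/passwd.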

From: "Crist J. Clark" <crist.clark@attbi.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/51245: PAM will not allow users with null password to change password
Date: Wed, 23 Apr 2003 22:55:59 -0700

 On Thu, Apr 24, 2003 at 05:13:22AM +0200, Dag-Erling Smorgrav wrote:
 > "Crist J. Clark" <cjc@FreeBSD.org> writes:
 > > The user should now have an empty password. Try logging in with the
 > > null password. It should work fine. But now try to change your
 > > password, [i]t will not let you.
 > 
 > Add "nullok" to the pam_unix line in /etc/pam.d/passwd.
 
 That doesn't seem to help on either RELENG_5_0 or a recent CURRENT.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Thu Apr 24 05:28:07 PDT 2003 
State-Changed-Why:  
Fixed, thanks for the report. 
>Unformatted:
