Date: 10 Dec 2004 20:54:12 -0000
From: "Mahlon E. Smith" <mahlon-dated-1110480323.6ec148@martini.nu>
Reply-To: "Mahlon E. Smith" <mahlon-dated-1110480323.6ec148@martini.nu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: mahlon-dated-1110480323.6ec148@martini.nu
Subject: DES/BLF login.conf classes not working with passwd
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         74929
>Category:       bin
>Synopsis:       DES/BLF login.conf classes not working with passwd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 10 21:00:45 GMT 2004
>Closed-Date:    Sat Nov 11 00:47:33 GMT 2006
>Last-Modified:  Sat Nov 11 00:47:33 GMT 2006
>Originator:     Mahlon E. Smith
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
Spime Solutions Group (www.spime.net)
>Environment:
n/a

>Description:

    In any 5.x release, passwd ignores the passwd_format class key in
    login.conf, and always generates a MD5 password.

>How-To-Repeat:

    - enable des_users class in login.conf (for DES crypt passwords)
    - run cap_mkdb /etc/login.conf
    - edit the class field of the user(s) with vipw, changing their
      login class to des_users.

      mahlon:REMOVED:1001:1000:des_users:0:0:Mahlon E. Smith:/home/mahlon:/bin/tcsh
      
    - change the password with passwd.
    - check the master.passwd file.  Password is MD5. ($1$...)

>Fix:

    Because this works perfectly under 4.x, I'm assuming it's an issue
    with the new PAM compatibility with passwd under 5.x.

    To work around this for now, don't use passwd; instead use:

    % pw usermod [username] -h 0


>Release-Note:
>Audit-Trail:

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: "Mahlon E. Smith" <mahlon-dated-1110480323.6ec148@martini.nu>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/74929: DES/BLF login.conf classes not working with passwd
Date: Sat, 11 Dec 2004 14:30:16 +0100

 On 2004.12.10 20:54:12 -0000, Mahlon E. Smith wrote:
 
 >     In any 5.x release, passwd ignores the passwd_format class key in
 >     login.conf, and always generates a MD5 password.
 
 I think the problem is with setting the correct class for a user.
 
 If I change the passwd_format in the default class it works fine, but
 I can reproduce your example, so the problem is probably that passwd
 somehow does not honor/use the correct class for the user that gets
 the password changed.
 
 -- 
 Simon L. Nielsen
 

From: "Stephen P. Cravey" <clists@gotbrains.org>
To: bug-followup@FreeBSD.org
Cc: mahlon-dated-1110480323.6ec148@martini.nu
Subject: Re: bin/74929: DES/BLF login.conf classes not working with passwd
Date: Sat, 25 Jun 2005 08:14:38 -0500

 Did you try issuing a:
 
 cap_mkdb /etc/login.conf
 
 ?
 This was my problem.
 Also have a look at:
 http://forums.servermatrix.com/viewtopic.php?t=11342
 
 I expect some man page patches would help with this problem and many
 like it. The docs for fiddling with this stuff kind of blow.
 
 -Stephen

From: "Stephen P. Cravey" <cravey@gotbrains.org>
To: "Mahlon E. Smith" <mahlon@martini.nu>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/74929: DES/BLF login.conf classes not working with passwd
Date: Sat, 25 Jun 2005 23:13:45 -0500

 The problem seems to be that the pam_sm_chauthtok function in the
 pam_unix module only checks for the password format for the default login
 class (or the first in the file?)
 
 Try this:
 
 cd /usr/src/lib/libpam/modules/pam_unix
 fetch http://www.cravey.org/patches/pam_unix.c.diff.200506252305
 patch < pam_unix.c.diff.200506252305
 make && make install
 
 Then try to use passwd.
 Please test as user and as root. Also, make sure that other classes work
 against the default properly.
 
 By applying the patch again, 'patch' will assume you want to reverse the
 damage and will revert the source file. Then you can re-make and
 everything should go back to normal.
 
 This should apply cleanly to (I think) 5.3 and up. 
 
 -Stephen
 
 --- pam_unix.c~ Tue Feb 10 04:13:21 2004
 +++ pam_unix.c  Sat Jun 25 22:34:53 2005
 @@ -372,7 +372,7 @@
                         return (PAM_BUF_ERR);
  
                 pwd->pw_change = 0;
 -               lc = login_getclass(NULL);
 +               lc = login_getclass(pwd->pw_class);
                 if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
                         openpam_log(PAM_LOG_ERROR,
                             "can't set password cipher, relying on
 default"); 
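
Review bot: the replacement line passes pwd->pw_class straight to login_getclass(), so an account whose class field is empty, root included, is resolved only by that function's fallback to the default class. libutil's login_getpwclass(pwd) takes the passwd entry itself and selects the root class for uid 0 when the class field is empty; suggest "lc = login_getpwclass(pwd);" here so root's passwd_format is honoured as well. The "can't set password cipher, relying on default" message should also name the class, so that a class with a missing or misspelled passwd_format can be traced from the log.
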
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: des 
Responsible-Changed-When: Mon Jul 4 14:27:19 GMT 2005 
Responsible-Changed-Why:  
PAM issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=74929 
State-Changed-From-To: open->patched 
State-Changed-By: des 
State-Changed-When: Tue Jul 5 18:47:18 GMT 2005 
State-Changed-Why:  
Fixed in -CURRENT, awaiting MFC. 

State-Changed-From-To: patched->closed 
State-Changed-By: des 
State-Changed-When: Sat Nov 11 00:47:32 UTC 2006 
State-Changed-Why:  
MFCed 

>Unformatted:
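
The last How-To-Repeat step (inspect master.passwd and compare the hash prefix with the class's passwd_format), generalized to every account: an added example, not part of the original PR or of FreeBSD. The class map, the blf_users class and all password entries are constructed; hash values are fake placeholders, and unknown or empty classes are assumed to fall back to "default".

```shell
#!/bin/sh
# Flag master.passwd entries whose stored hash scheme differs from the
# passwd_format of the user's login class (the symptom reported in this PR).

# Constructed class=passwd_format map; on a real host these values come from
# /etc/login.conf. "default" is used for empty or unknown classes (assumption).
CLASS_MAP='default=md5 des_users=des blf_users=blf'

# Constructed master.passwd sample (10 colon-separated fields, fake hashes).
SAMPLE='alice:$1$fakesalt$fakemd5hashfakemd5hash:1001:1000:des_users:0:0:Alice:/home/alice:/bin/sh
bob:fakeDEShash13:1002:1000:des_users:0:0:Bob:/home/bob:/bin/sh
carol:$2a$04$fakeblowfishsaltandhashvalue:1003:1000:blf_users:0:0:Carol:/home/carol:/bin/sh
dave:$1$fakesalt$fakemd5hashfakemd5hash:1004:1000::0:0:Dave:/home/dave:/bin/sh
eve:*LOCKED*$1$fakesalt$fakemd5hash:1005:1000:blf_users:0:0:Eve:/home/eve:/bin/sh'

# audit_hash_formats MAP PASSWD_TEXT
# Prints "user class expected actual" for every account that does not match.
audit_hash_formats() {
    printf '%s\n' "$2" | awk -F: -v map="$1" '
    BEGIN {
        n = split(map, rows, " ")
        for (i = 1; i <= n; i++) { split(rows[i], kv, "="); want[kv[1]] = kv[2] }
    }
    # Identify the crypt(3) scheme from the hash prefix.
    function scheme(h) {
        if (h ~ /^\$1\$/) return "md5"
        if (h ~ /^\$2/)   return "blf"
        if (h ~ /^\$3\$/) return "nth"
        if (h ~ /^\$5\$/) return "sha256"
        if (h ~ /^\$6\$/) return "sha512"
        return "des"                       # no $-prefix: traditional DES
    }
    /^#/ || NF < 10 { next }               # skip comments and short lines
    {
        h = $2
        sub(/^\*LOCKED\*/, "", h)          # locked accounts keep their hash
        if (h == "" || h ~ /^[*!]/) next   # no usable password set
        cls = ($5 == "" || !($5 in want)) ? "default" : $5
        got = scheme(h)
        if (got != want[cls]) print $1, cls, want[cls], got
    }'
}

audit_hash_formats "$CLASS_MAP" "$SAMPLE"
```

On an affected 5.x host, accounts that changed their password with passwd show up like alice here: class des_users, hash still `$1$`.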
