[Pkg-shadow-devel] Bug#321384: marked as done (su refuses to change an expired password for root)

Debian Bug Tracking System owner at bugs.debian.org
Mon Sep 26 18:48:17 UTC 2005


Your message dated Mon, 26 Sep 2005 20:39:15 +0200
with message-id <20050926183915.GF25812 at djedefre.onera>
and subject line Closing bugs formerly fixed in experimental and now fixed in unstable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Aug 2005 07:27:54 +0000
From volker.westphal at de.ibm.com Fri Aug 05 00:27:54 2005
Return-path: <volker.westphal at de.ibm.com>
Received: from mtagate1.de.ibm.com [195.212.29.150] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E0wcU-0008V3-00; Fri, 05 Aug 2005 00:27:54 -0700
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49])
	by mtagate1.de.ibm.com (8.12.10/8.12.10) with ESMTP id j757RJxt128224
	for <submit at bugs.debian.org>; Fri, 5 Aug 2005 07:27:19 GMT
Received: from d12av02.megacenter.de.ibm.com (d12av02.megacenter.de.ibm.com [9.149.165.228])
	by d12nrmr1607.megacenter.de.ibm.com (8.12.10/NCO/VERS6.7) with ESMTP id j757RJYm172212
	for <submit at bugs.debian.org>; Fri, 5 Aug 2005 09:27:19 +0200
Received: from d12av02.megacenter.de.ibm.com (loopback [127.0.0.1])
	by d12av02.megacenter.de.ibm.com (8.12.11/8.13.3) with ESMTP id j757RJ2W010044
	for <submit at bugs.debian.org>; Fri, 5 Aug 2005 09:27:19 +0200
Received: from d12ml066.megacenter.de.ibm.com (d12ml066.megacenter.de.ibm.com [9.149.167.12])
	by d12av02.megacenter.de.ibm.com (8.12.11/8.12.11) with ESMTP id j757RJMP010041
	for <submit at bugs.debian.org>; Fri, 5 Aug 2005 09:27:19 +0200
To: submit at bugs.debian.org
MIME-Version: 1.0
Subject: su refuses to change an expired password for root
X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
Message-ID: <OFD3089151.4591895B-ONC1257054.0028D880-C1257054.00290F01 at de.ibm.com>
From: Volker Westphal <volker.westphal at de.ibm.com>
Date: Fri, 5 Aug 2005 09:27:17 +0200
X-MIMETrack: Serialize by Router on D12ML066/12/M/IBM(Release 6.53HF247 | January 6, 2005) at
 05/08/2005 09:27:18,
	Serialize complete at 05/08/2005 09:27:18
Content-Type: multipart/alternative; boundary="=_alternative 00290EF1C1257054_="
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.8 required=4.0 tests=BAYES_01,HAS_PACKAGE,
	HTML_30_40,HTML_MESSAGE autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02


Package: login
Version: 1:4.0.3-31sarge5

I configured password aging on a fresh installation of Sarge.
When I use ssh to log into a user account with an expired password,
I'm forced to change the password like this:

  Using username "westphal".
  Linux wiesel 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
  Last login: Tue Aug  2 09:08:16 2005 from 10.222.16.227
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for westphal
  (current) UNIX password:
  New UNIX password:
  Retype new UNIX password:

This is the expected behaviour. It even works for a direct login into
the root account (sshd configured to "PermitRootLogin yes".)

However, when I try to "su" to an expired root account, it refuses
to change the password:

  root at wiesel:~# passwd -x 10 -i 99999 root

  westphal at wiesel:~$ su -
  Password:
  You are required to change your password immediately (password aged)
  su: Authentication token is no longer valid; new one required.
  Sorry.

On a system where "su" is the only way to become root, this would
mean a locked out root account. Imagine a remote system with
sshd configured to "PermitRootLogin no" and no direct console access.

Here is my configuration file /etc/pam.d/su, with @includes removed
for clarity:

  auth     sufficient      pam_rootok.so
  auth     required        pam_unix.so nullok_secure
  account  required        pam_unix.so
  password required        pam_unix.so use_authtok nullok
  session  required        pam_unix.so

The expected behaviour would be to immediately request the user to
change the password, as for direct logins.

Looking in su.c I found the following comment:

  /*
   * Check to see if the account is expired. root gets to ignore any
   * expired accounts, but normal users can't become a user with an
   * expired password.
   */

IMHO this implementation of su confuses "expired" (passwd -e user)
and "inactive" (passwd -l user) passwords. An expired password is not
invalid, it is just marked for an immediate change. I see no reason
why su should deny access to such an account.



Regards,

Kind regards,

Volker Westphal
SO NSD Design,Build,Implement&Run
Security Services Financial Customers
IBM Business Services GmbH
... an IBM Global Services Company
--------------------------------------
Wilhelm-Fay-Straße 30 - 34, 65936 Frankfurt
Tel.:         +49 (0) 69/6645-5056
E-Mail:     volker.westphal at de.ibm.com
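The distinction the report turns on, "expired, change it now" versus "inactive" or "account expired", is decided from the aging fields of the /etc/shadow entry. The following is an added example, not code from the bug report or from the shadow package: it parses constructed shadow(5) entries (placeholder hashes, not real ones) and classifies them in the decision order a login path uses, as modelled on shadow's behaviour rather than copied from its isexpired(); the `login_decision()` mapping states what login and sshd do with each state, which is what the report expects su to do as well. The day number 13000 used as "today" is 5 August 2005, the date of the report; the root entry mirrors `passwd -x 10 -i 99999 root` with the last change 20 days earlier.

```c
/* Added example (not shadow's code): classify the password-aging state of an
 * /etc/shadow entry and show what a login path should do with each state. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    long lstchg; /* days since 1970-01-01 of last change; 0 = forced change (passwd -e) */
    long max;    /* maximum age in days (passwd -x); -1 = no limit */
    long inact;  /* grace days after max during which a change is still allowed (passwd -i); -1 = none */
    long expire; /* absolute expiry day (chage -E); -1 = never */
} aging_t;

enum aging_state {
    AGING_OK = 0,              /* password valid */
    AGING_MUST_CHANGE = 1,     /* expired: let the user in, then force passwd */
    AGING_INACTIVE = 2,        /* expired longer than inact days: unusable */
    AGING_ACCOUNT_EXPIRED = 3  /* absolute expire date passed: unusable */
};

typedef enum { ALLOW = 0, ALLOW_THEN_FORCE_PASSWD, DENY } decision_t;

/* One numeric shadow field; an empty or non-numeric field means "not set" (-1). */
static long field_to_days(const char *s, size_t n)
{
    char buf[32];
    char *end;
    long v;
    if (n == 0 || n >= sizeof buf)
        return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    v = strtol(buf, &end, 10);
    return *end == '\0' ? v : -1;
}

/* Extract lstchg, max, inact and expire from
 * name:hash:lstchg:min:max:warn:inact:expire:flag (see shadow(5)). */
int parse_shadow_line(const char *line, aging_t *out)
{
    long vals[8];
    int idx = 0;
    const char *p = line;

    while (idx < 8) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strcspn(p, "\n");
        vals[idx++] = field_to_days(p, n);
        if (!colon)
            break;
        p = colon + 1;
    }
    if (idx < 8)
        return -1; /* truncated entry: the expire field is missing */
    out->lstchg = vals[2];
    out->max    = vals[4];
    out->inact  = vals[6];
    out->expire = vals[7];
    return 0;
}

/* Decision order modelled on the login path (an assumption, not shadow's code):
 * absolute expiry first, then a forced change, then the max/inact window. */
enum aging_state classify(const aging_t *a, long today)
{
    if (a->expire > 0 && today >= a->expire)
        return AGING_ACCOUNT_EXPIRED;
    if (a->lstchg == 0)
        return AGING_MUST_CHANGE;            /* passwd -e: change at next login */
    if (a->lstchg < 0 || a->max < 0)
        return AGING_OK;                     /* aging not configured */
    if (a->inact >= 0 && today >= a->lstchg + a->max + a->inact)
        return AGING_INACTIVE;               /* grace period used up */
    if (today >= a->lstchg + a->max)
        return AGING_MUST_CHANGE;            /* expired but still changeable */
    return AGING_OK;
}

/* What login and sshd do with each state; the report argues su should match. */
decision_t login_decision(enum aging_state s)
{
    switch (s) {
    case AGING_OK:          return ALLOW;
    case AGING_MUST_CHANGE: return ALLOW_THEN_FORCE_PASSWD;
    default:                return DENY;
    }
}

/* Parse and classify one entry; -1 on a malformed line. */
int classify_line(const char *line, long today)
{
    aging_t a;
    if (parse_shadow_line(line, &a) != 0)
        return -1;
    return (int)classify(&a, today);
}

int main(void)
{
    /* Constructed entries with placeholder hashes; day 13000 is 5 Aug 2005. */
    static const char *entries[] = {
        "root:PLACEHOLDER_HASH:12980::10:7:99999::",  /* passwd -x 10 -i 99999, expired 10 days */
        "westphal:PLACEHOLDER_HASH:12980::10:7:5::",  /* expired and 5-day grace window used up */
        "alice:PLACEHOLDER_HASH:12995::90:7:::",      /* changed 5 days ago, max 90 */
        "bob:PLACEHOLDER_HASH:0::99999:7:::",         /* passwd -e: forced change */
        "carol:PLACEHOLDER_HASH:12995::90:7::12999:", /* account expiry date passed */
    };
    static const char *names[] = { "ok", "must-change", "inactive", "account-expired" };
    static const char *actions[] = { "allow", "allow, then force passwd", "deny" };
    const long today = 13000;
    size_t i;

    for (i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int s = classify_line(entries[i], today);
        if (s < 0) {
            printf("%s: malformed entry\n", entries[i]);
            continue;
        }
        printf("%-44s state=%-16s login path: %s\n", entries[i], names[s],
               actions[login_decision((enum aging_state)s)]);
    }
    return 0;
}
```

Run against a copy of a real /etc/shadow (readable only by root) it reports which accounts are merely due for a change and which are actually unusable; the root entry in the sample is the report's exact situation, a state in which login and sshd admit the user and then force the change, while the su described above refuses.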

---------------------------------------
Received: (at 321384-done) by bugs.debian.org; 26 Sep 2005 18:39:49 +0000
From bubulle at kheops.frmug.org Mon Sep 26 11:39:49 2005
Return-path: <bubulle at kheops.frmug.org>
Received: from perrier.eu.org (kheops.perrier.eu.org) [81.56.227.253] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EJxtF-0005Ko-00; Mon, 26 Sep 2005 11:39:49 -0700
Received: from localhost (localhost [127.0.0.1])
	by kheops.perrier.eu.org (Postfix) with ESMTP id 008CC4FA08;
	Mon, 26 Sep 2005 20:39:16 +0200 (CEST)
Received: from kheops.perrier.eu.org ([127.0.0.1])
	by localhost (kheops [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 17928-04; Mon, 26 Sep 2005 20:39:16 +0200 (CEST)
Received: from mykerinos.kheops.frmug.org (mykerinos.kheops.frmug.org [192.168.1.3])
	by kheops.perrier.eu.org (Postfix) with ESMTP id 0F0CE4FA06;
	Mon, 26 Sep 2005 20:39:16 +0200 (CEST)
Received: by mykerinos.kheops.frmug.org (Postfix, from userid 1000)
	id D92F940A90B; Mon, 26 Sep 2005 20:39:15 +0200 (CEST)
Date: Mon, 26 Sep 2005 20:39:15 +0200
From: Christian Perrier <bubulle at kheops.frmug.org>
To: 325910-done at bugs.debian.org, 321761-done at bugs.debian.org,
	155279-done at bugs.debian.org, 202840-done at bugs.debian.org,
	287108-done at bugs.debian.org, 321384-done at bugs.debian.org,
	91733-done at bugs.debian.org, 95213-done at bugs.debian.org,
	260636-done at bugs.debian.org, 320229-done at bugs.debian.org,
	323575-done at bugs.debian.org, 323756-done at bugs.debian.org
Subject: Closing bugs formerly fixed in experimental and now fixed in unstable
Message-ID: <20050926183915.GF25812 at djedefre.onera>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at kheops.frmug.org
Delivered-To: 321384-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 6

Version: 4.0.12-2

All these bugs were already fixed in experimental and should now be
closed with the last upload of 4.0.12-2 in unstable.
