[Pkg-shadow-devel] Bug#525153: Bug#525153: Please support passwd --stdin

Michael Gebetsroither gebi at sbox.tugraz.at
Mon Apr 27 00:42:43 UTC 2009


Nicolas François wrote:

>> Please support reading passwords from stdin in passwd (restricted to
>> root only).
> 
> What would be the use case for this?

To set the password from scripts.

Currently all admins I know of use expect around passwd, as it's the
only sane way to do this (either because of another password backend than
/etc/shadow, or special password configs from pam).

> Isn't it what chpasswd already do?

Chpasswd writes to shadow directly.
It bypasses all restrictions and configuration from common-password, e.g.
hash (md5, sha256, sha512) and number of rounds.

>> It's a bit related to #505640 imho, but instead of all the quirks to get
>> the encrypted password back from pam just depend on the right
>> pam.d/common-password. Pipe the unencrypted password to passwd and
>> let pam do his job.
> 
> This will require the same quirks.
> 
> Pam is just simply not ready to receive the password at any time. The
> password might just be dropped from stdin before it even tries to read it.
>
> A conversation function is needed to communicate with PAM.

Stdin conversation function from passwd-0.76-2.fc11.src.rpm below:

/* Headers needed to build this (not part of the excerpt as posted): */
#include <stdlib.h>              /* calloc */
#include <string.h>              /* strdup */
#include <security/pam_appl.h>   /* struct pam_message/pam_response, PAM_* */

/* A conversation function which uses an internally-stored value for
 * the responses: appdata_ptr (taken from struct pam_conv) points at the
 * password that the caller already read from stdin before pam_start(). */
static int
stdin_conv(int num_msg, const struct pam_message **msgm,
       struct pam_response **response, void *appdata_ptr)
{
    struct pam_response *reply;
    int count;

    /* Sanity test. */
    if (num_msg <= 0) {
        return PAM_CONV_ERR;
    }

    /* Allocate memory for the responses (PAM frees this array). */
    reply = calloc(num_msg, sizeof(struct pam_response));
    if (reply == NULL) {
        return PAM_CONV_ERR;
    }

    /* Each prompt elicits the same response: the stored password for
     * hidden prompts, an empty string for everything else. strdup()
     * failures are not checked in this version. */
    for (count = 0; count < num_msg; ++count) {
        if (msgm[count]->msg_style == PAM_PROMPT_ECHO_OFF) {
            reply[count].resp_retcode = 0;
            reply[count].resp = strdup(appdata_ptr);
        } else {
            reply[count].resp_retcode = 0;
            reply[count].resp = strdup("");
        }
    }

    /* Set the pointers in the response structure and return. */
    *response = reply;
    return PAM_SUCCESS;
}

michael
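The flow discussed above (read the password from stdin once, up front, then let PAM ask for it through the conversation function), as an added example that is not part of this thread or of the Fedora passwd source. It declares ABI-compatible stand-ins for the PAM types so it compiles without libpam (an assumption: a real build includes <security/pam_appl.h> and links with -lpam); read_password_line, dup_str and the separate handling of PAM_TEXT_INFO/PAM_ERROR_MSG are additions here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors the Linux-PAM ABI so this file compiles without libpam; a real
 * build includes <security/pam_appl.h> and links with -lpam instead. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Read the password line from fp *before* pam_start(), so PAM never has to
 * find it on stdin. Strips the newline and returns the length, or -1 if the
 * line did not fit in buf: a password is never silently truncated. */
int read_password_line(FILE *fp, char *buf, size_t len)
{
    if (fgets(buf, (int)len, fp) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    else if (!feof(fp))
        return -1;
    return (int)n;
}

static char *dup_str(const char *s)   /* strdup without needing POSIX headers */
{ size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }
/* Conversation callback: hidden prompts get the stored password, echoed
 * prompts get "", and info/error messages get no response (resp stays NULL). */
int stdin_conv(int num_msg, const struct pam_message **msgm,
               struct pam_response **response, void *appdata_ptr)
{
    if (num_msg <= 0 || appdata_ptr == NULL) return PAM_CONV_ERR;
    struct pam_response *reply = calloc((size_t)num_msg, sizeof *reply);
    if (reply == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; ++i) {
        if (msgm[i]->msg_style == PAM_PROMPT_ECHO_OFF)
            reply[i].resp = dup_str((const char *)appdata_ptr);
        else if (msgm[i]->msg_style == PAM_PROMPT_ECHO_ON)
            reply[i].resp = dup_str("");
        else
            continue;
        if (reply[i].resp == NULL) {           /* out of memory: undo and fail */
            while (i-- > 0) free(reply[i].resp);
            free(reply);
            return PAM_CONV_ERR;
        }
    }
    *response = reply;
    return PAM_SUCCESS;
}
```

In a real program the buffer filled by read_password_line goes into `struct pam_conv conv = { stdin_conv, buf }` for pam_start(), pam_chauthtok() then drives the prompts, and the buffer is zeroed afterwards.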
