[Pkg-shadow-devel] --keep-tokens "not working as expected"

Serge Hallyn serge.hallyn at ubuntu.com
Tue Sep 2 14:34:32 UTC 2014

Quoting lev abalkin (lev.abalkin at insiberia.net):
> Hello there!
> Have the following problem(s) with the `--keep-tokens` option of
> `passwd` I found some hints that other people seem to have too:
> Problem
> -----------
> # trying to set a new password with or without the `--keep-tokens`
> option isn't possible - as expected
> # I've tried this both as root and as user to whom the account
> password belongs: As expected, `root` changes the password no matter what

Hm, the behavior I see is that as root 'passwd -k someuser'
simply asks for their current password, whereas without -k it
doesn't ask for the current password.

So this certainly seems like a bug.  Yet looking at the code
(passwd.c:check_password), it does the right thing.

Ah, here we go.  The check_password() function is only compiled if
#USE_PAM.  So this behavior is now driven by pam.  I don't know
the relationship here well enough to know whether 'password expiry'
info has to come from pam if #USE_PAM.  If not, then shadow could
fix this by always checking expiry if -k is passed, and exiting
early if not expired.

> Question:
> -------------
> I wonder what the actual use of the `--keep-tokens` option might be. I
> read the info page both in English and my mother tongue as "don't change
> passwords if not expired", which it should anyway, I guess. These two
> posts describe the same problem:
> https://unix.stackexchange.com/questions/152690/understanding-passwd-keep-tokens/152724#152724
> https://bbs.archlinux.org/viewtopic.php?id=50649
> Thanks for the good work on `passwd` and thanks in advance for all your
> efforts!
> All the best
> Lev
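
The fix suggested in the reply above (always check expiry when -k is passed, and exit early if the password is not expired), sketched as an added example; it is not code from shadow or from either poster. The `struct aging` type, both function names and the sample entries are hypothetical, and the expiry rule is a simplified reading of the `sp_lstchg` and `sp_max` fields described in shadow(5).

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the ageing fields of struct spwd (<shadow.h>).
 * Values are in days since 1970-01-01, as stored in /etc/shadow. */
struct aging {
    long lstchg;   /* like sp_lstchg: day of last change, 0 = must change, -1 = unset */
    long max;      /* like sp_max: maximum password age in days, -1 = no maximum */
};

/* Simplified ageing rule (assumption): a password is expired when a change
 * is forced (lstchg == 0) or when its maximum age has passed. */
static bool password_expired(const struct aging *a, long today)
{
    if (a->lstchg == 0)
        return true;                 /* change forced at next login */
    if (a->lstchg < 0 || a->max < 0)
        return false;                /* ageing disabled or no maximum age */
    return today > a->lstchg + a->max;
}

/* The rule suggested in the mail for -k: return true when passwd should
 * exit early and leave the password untouched. */
static bool skip_password_change(bool keep_tokens, const struct aging *a, long today)
{
    return keep_tokens && !password_expired(a, today);
}

int main(void)
{
    const long today = 16315;          /* constructed "today": 2014-09-02 */
    const struct aging samples[] = {   /* constructed sample entries */
        { 16300, 90 },   /* changed 15 days ago, 90-day maximum */
        { 16200, 90 },   /* changed 115 days ago: expired */
        {     0, 90 },   /* change forced */
        { 16200, -1 },   /* no maximum age */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("entry %zu: passwd -k %s\n", i,
               skip_password_change(true, &samples[i], today)
                   ? "exits early, password kept" : "proceeds to change");
    return 0;
}
```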