[Pkg-shadow-devel] Bug#1124835: chpasswd hash check goes too far
Marc Haber
mh+debian-packages at zugschlus.de
Wed Jan 7 07:45:41 GMT 2026
Package: passwd
Version: 1:4.19.0-2
Severity: important
File: /usr/sbin/chpasswd
Hi,
it has been for decades a method to disable an account while preserving
the password to prefix the password hash in /etc/shadow with !. This is
documented in shadow(5):
| encrypted password
| If the password field is empty, the user can log in without a
| password. However, some applications that read the /etc/shadow file
| might block access if the password field is empty.
|
| If the password field begins with an exclamation mark !, the
| password is locked. The remaining characters on the line represent
| the password field before the password was locked.
chpasswd in shadow 4.19.0 does not allow that any more:
| # echo "aust:\!foobar" | chpasswd --encrypted
| chpasswd: (line 1, user aust) invalid password hash
| chpasswd: error detected, changes ignored
I think this goes too far. Please consider revisiting this check.
(btw, this breaks adduser's future lock/unlock functionality.)
Greetings
Marc
-- System Information:
Debian Release: forky/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.17.13+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages passwd depends on:
ii base-passwd 3.6.8
ii libacl1 2.3.2-2+b1
ii libattr1 1:2.5.2-3
ii libaudit1 1:4.1.2-1+b1
ii libbsd0 0.12.2-2
ii libc6 2.42-7
ii libcrypt1 1:4.5.1-1
ii libpam-modules 1.7.0-5
ii libpam0g 1.7.0-5
ii libselinux1 3.9-4+b1
ii libsemanage2 3.9-1+b1
ii login.defs 1:4.18.0-2
Versions of packages passwd recommends:
ii sensible-utils 0.0.26
passwd suggests no packages.
-- no debconf information
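
The two shadow(5) rules quoted in the report, as an added example that is not part of the original message and not code from the shadow project: it classifies the password field of shadow lines and treats lock/unlock as prefixing and stripping `!`. The function names, the sample lines and the refusal to unlock a bare `!` are assumptions of this example.

```python
from typing import NamedTuple

class FieldState(NamedTuple):
    state: str      # "empty", "locked" or "other" (hash format is not validated)
    preserved: str  # field content behind the '!' marker, "" if none

def classify(field: str) -> FieldState:
    """Apply the two shadow(5) rules quoted in the report."""
    if field == "":
        return FieldState("empty", "")       # login without a password
    if field.startswith("!"):
        return FieldState("locked", field[1:])
    return FieldState("other", "")

def lock(field: str) -> str:
    """Prefix '!' once, so the previous field content is preserved."""
    return field if field.startswith("!") else "!" + field

def unlock(field: str) -> str:
    """Strip the leading '!'; refuse if that would leave an empty field."""
    if not field.startswith("!"):
        return field
    if field == "!":
        # Assumption of this example: never turn a lock into a passwordless account.
        raise ValueError("unlocking would leave an empty password field")
    return field[1:]

def audit(shadow_text: str) -> dict:
    """Map user name -> FieldState for every line with at least two fields."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            result[parts[0]] = classify(parts[1])
    return result

# Constructed sample lines; "foobar" is the placeholder value used in the report.
SAMPLE = """\
aust:!foobar:20000:0:99999:7:::
guest::20000:0:99999:7:::
daemon:!:20000:0:99999:7:::
alice:CONSTRUCTED-HASH-PLACEHOLDER:20000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, st in audit(SAMPLE).items():
        print(f"{user:8} {st.state:7} preserved={st.preserved!r}")
```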