Your message dated Fri, 18 Feb 2011 19:18:23 +0100
with message-id <20110218181823.GR3541@mykerinos.kheops.frmug.org>
and subject line Bug fixed by fix for #548128
has caused the Debian Bug report #557004,
regarding pam forces to change password if modification were done on day 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
557004: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557004
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: pam forces to change password if modification were done on day 0
- From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Date: Wed, 18 Nov 2009 22:51:05 +0100
- Message-id: <20091118215105.GA29388@Chamillionaire.breakpoint.cc>
Package: pam
Version: 1.0.1-5+lenny1

A quote from the shadow man page:

| date of last password change
|     The date of the last password change, expressed as the number of
|     days since Jan 1, 1970.
|
|     The value 0 has a special meaning, which is that the user should
|     change her password the next time she will log in the system.
|
|     An empty field means that password aging features are disabled.

Now: If the system clock isn't set (no or broken rtc) then this field
becomes 0. If you choose category desktop in tasksel / D-I then this will
fail later:

|Jan 1 00:38:20 in-target: Setting up avahi-daemon (0.6.23-3lenny1) ...
|Jan 1 00:38:21 groupadd[22520]: new group: name=avahi, GID=109
|Jan 1 00:38:21 useradd[22524]: new user: name=avahi, UID=104, GID=109, home=/var/run/avahi-daemon, shell=/bin/false
|Jan 1 00:38:21 usermod[22529]: change user `avahi' password
|Jan 1 00:38:21 chage[22534]: changed password expiry for avahi
|Jan 1 00:38:21 chfn[22537]: pam_unix(chfn:account): expired password for user root (root enforced)
|Jan 1 00:38:21 in-target: You are required to change your password immediately (root enforced)
|Jan 1 00:38:21 in-target: chfn: PAM authentication failed
|Jan 1 00:38:21 in-target: adduser: `/usr/bin/chfn -f Avahi mDNS daemon avahi' returned error code 1. Exiting.
|Jan 1 00:38:21 in-target: dpkg: error processing avahi-daemon (--configure):
|Jan 1 00:38:21 in-target: subprocess post-installation script returned error exit status 1

Most packages will be configured properly.
Usually this is not a problem in d-i because clock-setup will update the
clock. However if there is no network available then this will not be
done.
My current workaround for this rare case is to avoid this check in pam
if we are on day zero.
Maybe clock-setup could ask for current time if we are in the past?

Sebastian
>From a2a339691a2297df67619084a5999cb259ffdea1 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Date: Mon, 16 Nov 2009 14:22:39 +0100 Subject: [PATCH] only consider last change field if we not on day zero If the system date is unset due RTC battery failure for instance or simply due to the lack of a RTC than an password update fill set the last update field to 0. This will force a password update on the next successfull authentication. This procedure will repeat over and over again. This workaround will simply skip it. We can't set this to 1 as default because this breaks than the password will be set in the future. Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> --- modules/pam_unix/passverify.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Index: pam-1.0.1/modules/pam_unix/passverify.c =================================================================== --- pam-1.0.1.orig/modules/pam_unix/passverify.c 2009-11-16 15:38:22.000000000 +0000 +++ pam-1.0.1/modules/pam_unix/passverify.c 2009-11-16 15:39:52.000000000 +0000 @@ -267,7 +267,7 @@ D(("account expired")); return PAM_ACCT_EXPIRED; } - if (spent->sp_lstchg == 0) { + if (spent->sp_lstchg == 0 && curdays) { D(("need a new password")); *daysleft = 0; return PAM_NEW_AUTHTOK_REQD;
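Review bot: The added `&& curdays` on the `sp_lstchg == 0` test has no comment explaining it, and it also skips a change that was deliberately requested by setting the field to 0 whenever the clock reads day zero, so the "need a new password" path becomes dependent on the system clock. Consider a comment above the condition describing the unset-clock case, plus a D(()) or log message on the skipped path so that an unenforced forced change is visible. `curdays` is not defined in the lines shown; it is worth confirming in review that it is the current day count since the epoch and is 0 only when the clock is unset.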
--- End Message ---
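The ambiguity described in the report above, as an added example that is not part of the original messages and is not pam_unix code: a last-change field of 0 written because the clock sat at day zero cannot be told apart from a deliberate "change at next login". The shadow entry is constructed, the function names are hypothetical, and the timestamp assumes the log's "Jan 1 00:38:21" is 1970 UTC.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum aging { FIELD_MALFORMED, AGING_DISABLED, PASSWORD_OK, CHANGE_REQUIRED };

/* Day number as stored in the shadow file: seconds since the epoch / 86400. */
static long day_number(long epoch_seconds) { return epoch_seconds / 86400L; }

/* Copy ':'-separated field idx (0-based) of a shadow line into out.
 * Returns 0 on success, -1 if the field is absent or does not fit. */
static int shadow_field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    size_t n;
    while (idx-- > 0) {
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    n = strcspn(p, ":\n");
    if (n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Classify the last-change field (third field) for a clock at day curdays.
 * skip_on_day_zero = 0 models the test before the patch, 1 the patched test. */
static enum aging classify(const char *line, long curdays, int skip_on_day_zero)
{
    char f[32], *end;
    long lstchg;
    if (shadow_field(line, 2, f, sizeof f) != 0) return FIELD_MALFORMED;
    if (f[0] == '\0') return AGING_DISABLED;   /* empty: aging disabled */
    lstchg = strtol(f, &end, 10);
    if (*end != '\0' || lstchg < 0) return FIELD_MALFORMED;
    if (lstchg == 0 && (!skip_on_day_zero || curdays != 0))
        return CHANGE_REQUIRED;                /* 0: change at next login */
    return PASSWORD_OK;                        /* later aging checks omitted */
}

int main(void)
{
    const char *root = "root:HASH:0:0:99999:7:::";  /* constructed entry */
    long today = day_number(2301);  /* Jan 1 00:38:21 with an unset clock */
    printf("clock day %ld: before patch=%d, patched=%d\n", today,
           classify(root, today, 0), classify(root, today, 1));
    return 0;
}
```

With the clock at day zero the patched test lets the entry through, and the same entry is flagged again once the clock reads any later day.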
--- Begin Message ---
- To: 557004-done@bugs.debian.org
- Subject: Bug fixed by fix for #548128
- From: Christian PERRIER <bubulle@debian.org>
- Date: Fri, 18 Feb 2011 19:18:23 +0100
- Message-id: <20110218181823.GR3541@mykerinos.kheops.frmug.org>
Version: 0.101

This bug is indeed fixed by the fix for 548128 as D-I now sets the date
to the epoch if it is found to be before the epoch.

Hence closing.

--

Attachment: signature.asc
Description: Digital signature
--- End Message ---