Bug#557004: marked as done (pam forces to change password if modification were done on day 0)



Your message dated Fri, 18 Feb 2011 19:18:23 +0100
with message-id <20110218181823.GR3541@mykerinos.kheops.frmug.org>
and subject line Bug fixed by fix for #548128
has caused the Debian Bug report #557004,
regarding pam forces to change password if modification were done on day 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
557004: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557004
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: pam
Version: 1.0.1-5+lenny1

A quote from the shadow man page:
| date of last password change
|     The date of the last password change, expressed as the number of
|     days since Jan 1, 1970.
|
|     The value 0 has a special meaning, which is that the user should
|     change her password the next time she will log in the system.
|
|     An empty field means that password aging features are disabled.

Now: If the system clock isn't set (no or broken RTC) then this field
becomes 0.
If you choose category desktop in tasksel / D-I then this will fail
later:
|Jan  1 00:38:20 in-target: Setting up avahi-daemon (0.6.23-3lenny1) ...
|Jan  1 00:38:21 groupadd[22520]: new group: name=avahi, GID=109
|Jan  1 00:38:21 useradd[22524]: new user: name=avahi, UID=104, GID=109, home=/var/run/avahi-daemon, shell=/bin/false
|Jan  1 00:38:21 usermod[22529]: change user `avahi' password
|Jan  1 00:38:21 chage[22534]: changed password expiry for avahi
|Jan  1 00:38:21 chfn[22537]: pam_unix(chfn:account): expired password for user root (root enforced)
|Jan  1 00:38:21 in-target: You are required to change your password immediately (root enforced)
|Jan  1 00:38:21 in-target: chfn: PAM authentication failed
|Jan  1 00:38:21 in-target: adduser: `/usr/bin/chfn -f Avahi mDNS daemon avahi' returned error code 1. Exiting.
|Jan  1 00:38:21 in-target: dpkg: error processing avahi-daemon (--configure):
|Jan  1 00:38:21 in-target:  subprocess post-installation script returned error exit status 1
 
Most packages will be configured properly. Usually this is not a
problem in d-i because clock-setup will update the clock. However, if
there is no network available then this will not be done.
My current workaround for this rare case is to avoid this check in pam
if we are on day zero. Maybe clock-setup could ask for the current time if
we are in the past?

Sebastian
From a2a339691a2297df67619084a5999cb259ffdea1 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 16 Nov 2009 14:22:39 +0100
Subject: [PATCH] only consider last change field if we are not on day zero

If the system date is unset, due to RTC battery failure for instance or
simply due to the lack of an RTC, then a password update will set the
last update field to 0.
This will force a password update on the next successful
authentication. This procedure will repeat over and over again.
This workaround will simply skip it. We can't set this to 1 as default
because this breaks, as the password will then be set in the future.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
 modules/pam_unix/passverify.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

Index: pam-1.0.1/modules/pam_unix/passverify.c
===================================================================
--- pam-1.0.1.orig/modules/pam_unix/passverify.c	2009-11-16 15:38:22.000000000 +0000
+++ pam-1.0.1/modules/pam_unix/passverify.c	2009-11-16 15:39:52.000000000 +0000
@@ -267,7 +267,7 @@
 		D(("account expired"));
 		return PAM_ACCT_EXPIRED;
 	}
-	if (spent->sp_lstchg == 0) {
+	if (spent->sp_lstchg == 0 && curdays) {
 		D(("need a new password"));
 		*daysleft = 0;
 		return PAM_NEW_AUTHTOK_REQD;
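
Review bot: the added `&& curdays` in the `sp_lstchg == 0` test switches off the `PAM_NEW_AUTHTOK_REQD` return for every account whenever the clock reads day zero, including accounts where the field was set to 0 on purpose to force a change, since per the shadow man page quoted in the report the value 0 carries that meaning. Assuming `curdays` is the current day number (its definition is not in the hunk), please add a comment at this test explaining why day zero is exempted, write the condition as `curdays != 0` so the intent is explicit, and consider emitting a log message when the check is skipped so the bypass is visible to an administrator. The diffstat also reports 2 insertions and 0 deletions while the hunk (`-267,7 +267,7`) replaces a single line, so the patch should be regenerated.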

--- End Message ---
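
The three meanings of the last-change field quoted from the shadow man page in the report above, and the day-zero ambiguity the report describes, as an added example that is not part of the original messages or of the pam source. The enum names, `classify_lstchg` and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum lstchg_state { LSTCHG_MALFORMED, LSTCHG_AGING_OFF, LSTCHG_FORCE_CHANGE,
                    LSTCHG_DAY_ZERO_CLOCK, LSTCHG_IN_FUTURE, LSTCHG_OK };

/* Classify field 3 (last change, in days since Jan 1, 1970) of one
 * shadow-format line against the current day number. */
enum lstchg_state classify_lstchg(const char *line, long curdays)
{
    const char *p = line;
    for (int i = 0; i < 2; i++) {        /* skip the name and hash fields */
        p = strchr(p, ':');
        if (p == NULL)
            return LSTCHG_MALFORMED;
        p++;
    }
    if (*p == ':' || *p == '\0' || *p == '\n')
        return LSTCHG_AGING_OFF;         /* empty field: aging disabled */

    char *end;
    long lstchg = strtol(p, &end, 10);
    if (end == p || (*end != ':' && *end != '\0' && *end != '\n') || lstchg < 0)
        return LSTCHG_MALFORMED;

    if (lstchg == 0)                     /* 0 is overloaded: forced change, */
        return curdays == 0 ? LSTCHG_DAY_ZERO_CLOCK  /* or an unset clock */
                            : LSTCHG_FORCE_CHANGE;
    if (lstchg > curdays)
        return LSTCHG_IN_FUTURE;         /* clock is behind the last change */
    return LSTCHG_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real system. */
    const char *sample[] = { "root:*:0:0:99999:7:::",
                             "avahi:*:14564:0:99999:7:::",
                             "daemon:*::0:99999:7:::" };
    long today = (long)(time(NULL) / 86400);
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        printf("%-28s today=%d clock-at-day-0=%d\n", sample[i],
               classify_lstchg(sample[i], today),
               classify_lstchg(sample[i], 0));
    return 0;
}
```
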
--- Begin Message ---
Version: 0.101

This bug is indeed fixed by the fix for 548128 as D-I now sets the
date to the epoch if it is found to be before the epoch.

Hence closing.


--- End Message ---
