Debian Bug report logs - #112965
base: cracklib instructions in /etc/pam.d/passwd are incorrect

version graph

Package: libpam-cracklib; Maintainer for libpam-cracklib is Steve Langasek <vorlon@debian.org>; Source for libpam-cracklib is src:pam.

Reported by: Micah <micah@sarai.indymedia.org>

Date: Thu, 20 Sep 2001 20:05:34 UTC

Severity: normal

Merged with 141052

Found in version 0.72-34

Fixed in version pam/0.76-2

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <debootstrap@packages.debian.org>:
Bug#112965; Package base. Full text and rfc822 format available.

Acknowledgement sent to Micah <micah@sarai.indymedia.org>:
New Bug report received and forwarded. Copy sent to Anthony Towns <debootstrap@packages.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Micah <micah@sarai.indymedia.org>
To: submit@bugs.debian.org
Subject: base: cracklib instructions in /etc/pam.d/passwd are incorrect
Date: Thu, 20 Sep 2001 13:04:09 -0700
Package: base
Version: 20010920
Severity: normal

According to /etc/pam.d/passwd if you install libpam-cracklib and then
modify /etc/pam.d/passwd to uncomment the bottom two lines and comment
out the Password line above then you can use the alternative strength
password checking routines found in cracklib. Unfortunately, when you do
this and then attempt to run passwd you get the following error:

passwd: Critical error - immediate abort

and the password is not changed. In order to restore the system to a usable
state the two lines need to be commented back out and the above password
line uncommented.

-- System Information
Debian Release: 2.2
Kernel Version: Linux sarai 2.2.19 #4 Sat Sep 1 08:29:59 PDT 2001 i686 unknown




Bug reassigned from package `base' to `libpam-cracklib'. Request was from Anthony Towns <aj@azure.humbug.org.au> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Micah <micah@sarai.indymedia.org>:
Bug#112965. Full text and rfc822 format available.

Message #10 received at 112965-submitter@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@mit.edu>
To: 112965-submitter@bugs.debian.org
Subject: Can't reproduce
Date: Sat, 22 Sep 2001 06:35:47 -0400 (EDT)
When I try to use the cracklib lines in /etc/pam.d/passwd, it works
fine for me.  Are you sure you had libpam-cracklib installed?




Reply sent to Sam Hartman <hartmans@mit.edu>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micah <micah@sarai.indymedia.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 112965-close@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@mit.edu>
To: 112965-close@bugs.debian.org
Subject: works for me
Date: Mon, 24 Sep 2001 12:26:50 -0400 (EDT)
I cannot reproduce the problem.  If you can still reproduce the
problem please answer the question in my last mail and I'll reopen the
bug.




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Chris <chris@staked.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #20 received at 112965@bugs.debian.org (full text, mbox):

From: Chris <chris@staked.org>
To: 112965@bugs.debian.org
Subject: libpam_cracklib problem
Date: Sat, 20 Oct 2001 05:01:09 -0400 (EDT)
I'm also getting the 

passwd: Critical error - immediate abort

error in sid after installing libpam-cracklib and uncommenting the
necessary lines in /etc/pam.d/passwd

I'm able to login in fine, but I get the error when I try to change the
password (either as root or regular user).  I verified with Hartsman that
libpam-cracklib is apparently installed correctly. 

Systems stats that may or may not be useful:

Kernel 2.2.17
Processor PII 400
Debian Version - Sid





Bug reopened, originator not changed. Request was from Sam Hartman <hartmans@MIT.EDU> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to Sam Hartman <hartmans@debian.org>:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@MIT.EDU>:
Extra info received and forwarded to maintainer. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #27 received at 112965-maintonly@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@MIT.EDU>
To: 112965-maintonly@bugs.debian.org, control@bugs.debian.org
Subject: reopen
Date: Sat, 20 Oct 2001 04:55:55 -0400 (EDT)
reopen 112965
thanks

Someone on IRC reports the same issue.
Still can't reproduce.



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <Christian.Perrier@onera.fr>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #32 received at 112965@bugs.debian.org (full text, mbox):

From: Christian Perrier <Christian.Perrier@onera.fr>
To: 112965@bugs.debian.org
Subject: Bug reproduction
Date: Wed, 14 Nov 2001 10:43:09 +0100
I can also reproduce the bug. At least on potato machines.

One Intel/Potato machine : bug reproduced
One Sparc/Potato machine : bug reproduced
One Intel/Sid machine : bug *not* reproduced


It looks like the bug is in the potato version of libpam-cracklib...

Both potato machines have their sources.list pointing to potato security
updates and are up to date with it.

Feel free to ask for more information if needed, Sam.


-- 
Christian Perrier
ONERA/D├ępartement R├ęseau et Informatique Scientifique
+33 (0) 1 4673 4438 - +33 (0) 6 1016 9480
PGP/GnuPG Key ID 30C9348A (DSS)



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>, pam@packages.qa.debian.org:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Ian Turner <vectro@pipeline.com>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>, pam@packages.qa.debian.org. Full text and rfc822 format available.

Message #37 received at 112965@bugs.debian.org (full text, mbox):

From: Ian Turner <vectro@pipeline.com>
To: Debian Bug Tracking System <112965@bugs.debian.org>
Subject: libpam-cracklib: WORKSFORME
Date: Sat, 02 Feb 2002 11:17:31 -0800
Package: libpam-cracklib
Version: 0.72-34

I did the proper commenting, and it worked fine. Did you change
/etc/pam.d/login and /etc/pam.d/passwd?

Seems to me, though, that this should be taken care of by the postinst
script for libpam-cracklib.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux crafter 2.4.17 #2 Sun Jan 20 14:35:37 PST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages libpam-cracklib depends on:
ii  cracklib-runtime              2.7-8.5    A pro-active password checker libr
ii  cracklib2                     2.7-8.5    A pro-active password checker libr
ii  libc6                         2.2.4-7    GNU C Library: Shared libraries an
ii  libpam0g                      0.72-34    Pluggable Authentication Modules l




Information forwarded to pam@packages.qa.debian.org:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@MIT.EDU>:
Extra info received and filed, but not forwarded. Copy sent to pam@packages.qa.debian.org. Full text and rfc822 format available.

Message #42 received at 112965-quiet@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@MIT.EDU>
To: Ian Turner <vectro@pipeline.com>, 112965-quiet@bugs.debian.org
Subject: Re: Bug#112965: libpam-cracklib: WORKSFORME
Date: 03 Feb 2002 17:58:40 -0500
>>>>> "Ian" == Ian Turner <vectro@pipeline.com> writes:


    Ian> Seems to me, though, that this should be taken care of by the
    Ian> postinst script for libpam-cracklib.

No, certainly not.  At least not for /etc/pam.d/login which is a
conffile in the shadow package.  It being a conffile means no install
scripts can modify it; it being in the shadow package means it would
be a grave sin for pam to touch it.

This works for me too, but I've gotten two independent reports that it
doesn't so I'm not really sure what to do with the bug.




Information forwarded to pam@packages.qa.debian.org:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Ian Turner <vectro@pipeline.com>:
Extra info received and filed, but not forwarded. Copy sent to pam@packages.qa.debian.org. Full text and rfc822 format available.

Message #47 received at 112965-quiet@bugs.debian.org (full text, mbox):

From: Ian Turner <vectro@pipeline.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: 112965-quiet@bugs.debian.org
Subject: Re: Bug#112965: libpam-cracklib: WORKSFORME
Date: Sun, 3 Feb 2002 15:07:43 -0800
>     Ian> Seems to me, though, that this should be taken care of by the
>     Ian> postinst script for libpam-cracklib.
> 
> No, certainly not.  At least not for /etc/pam.d/login which is a
> conffile in the shadow package.  It being a conffile means no install
> scripts can modify it; it being in the shadow package means it would
> be a grave sin for pam to touch it.

Hrm. Well, I think I agree from a policy standpoint. Nonetheless, from a
user perspective, installing libpam-cracklib ought to enable cracklib
authentication somehow.

I don't know much about dpkg. Would it be possible for the pam package
to notice the installation of libpam-cracklib, and run debconf again?

Ian



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>, pam@packages.qa.debian.org:
Bug#112965; Package libpam-cracklib. Full text and rfc822 format available.

Acknowledgement sent to Olaf Meeuwissen <olaf@epkowa.co.jp>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>, pam@packages.qa.debian.org. Full text and rfc822 format available.

Message #52 received at 112965@bugs.debian.org (full text, mbox):

From: Olaf Meeuwissen <olaf@epkowa.co.jp>
To: 112965@bugs.debian.org
Subject: base: cracklib instructions in /etc/pam.d/passwd are incorrect
Date: 28 Feb 2002 17:32:19 +0900
I see you could use some feedback.  Ran into the same problem. Just
installing libpam-cracklib and uncommenting is not enough.  BTW, I'm
running woody.

When you switch to using cracklib for the password module type, you
need to make sure you have a dictionary that it can check against.
You'll need to install one _and_ seed cracklib with it.  If you don't,
you can not change your password and get

  passwd: Critical error - immediate abort

Dictionaries are provided by any package that provides the virtual
"wordlist" package.  Hence, I think libpam-cracklib should depend on
it (or at least recommend it).

Seeding the cracklib dictionary can be achieved by running the
/etc/cron.daily/cracklib script.

So to get this working out of the box, libpam-cracklib needs to pull
in a wordlist package, make sure cracklib-runtime is installed (and
configured?) and run that cron script in its postinst.

BTW, the cron script happily runs *without* a wordlist package
installed.

I guess all those folks not able to reproduce this had a wordlist
installed and the cron job ran before they changed to using cracklib
with PAM and tried it out.

Hope this helps,
-- 
Olaf Meeuwissen                            Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH



Merged 112965 141052. Request was from hartmans@mit.edu (Sam Hartman) to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micah <micah@sarai.indymedia.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #59 received at 112965-close@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: 112965-close@bugs.debian.org
Subject: Bug#112965: fixed in pam 0.76-2
Date: Sun, 06 Oct 2002 20:17:18 -0400
We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.76-2_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.76-2_i386.deb
libpam-doc_0.76-2_all.deb
  to pool/main/p/pam/libpam-doc_0.76-2_all.deb
libpam-modules_0.76-2_i386.deb
  to pool/main/p/pam/libpam-modules_0.76-2_i386.deb
libpam-runtime_0.76-2_all.deb
  to pool/main/p/pam/libpam-runtime_0.76-2_all.deb
libpam0g-dev_0.76-2_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.76-2_i386.deb
libpam0g_0.76-2_i386.deb
  to pool/main/p/pam/libpam0g_0.76-2_i386.deb
pam_0.76-2.diff.gz
  to pool/main/p/pam/pam_0.76-2.diff.gz
pam_0.76-2.dsc
  to pool/main/p/pam/pam_0.76-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 112965@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  6 Oct 2002 18:52:13 -0400
Source: pam
Binary: libpam-runtime libpam-modules libpam-cracklib libpam0g-dev libpam-doc libpam0g
Architecture: source i386 all
Version: 0.76-2
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support.
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 112965 162175
Changes: 
 pam (0.76-2) unstable; urgency=low
 .
   * Link against appropriate libraries so we find  the symbols we need,
     Closes: #162175
   * The if everyone's going to complain when I upload broken software to
     experimental release, I might as well upload to unstable and give them
     something worth actually complaining about release.
   * Also the remove the scourge of dbs release
   * Include patch 034 from the 0.72 packages, meaning that we've included
     all the patches we need before release
   * Reject the patch to pam_wheel as I cannot find out what reasonable
     thing it was trying to do and it seemed broken
   * libpam-cracklib should depend on wordlist  so it actually works;
     thanks Olaf Meeuwissen,
     Closes: #112965
   * Merge build-depends and build-depends-indep because I'm a bad person
     and was too lazy to make docs build in a separate pass.  I'll deal in
     a few versions.
Files: 
 51fa0151691719dffa3959db20ec5cc4 732 base optional pam_0.76-2.dsc
 05fccae5c44f358170b25530dac94566 81626 base optional pam_0.76-2.diff.gz
 6c30615138138005a56437d5a2c3d310 53836 base required libpam-runtime_0.76-2_all.deb
 7a7bdbf31934f4d290ca7b5f6db07388 651662 doc optional libpam-doc_0.76-2_all.deb
 9743ae625efebbb0187684a9981b989e 124024 base required libpam0g_0.76-2_i386.deb
 0721719dcb707d5a46501675435662f6 487876 base required libpam-modules_0.76-2_i386.deb
 f5a227e8b2e7415924425da726d75f91 230346 devel optional libpam0g-dev_0.76-2_i386.deb
 0d407c8386f7aa448a83d7510809224a 64556 libs optional libpam-cracklib_0.76-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9oNDj/I12czyGJg8RAstGAJ9oNIMp8QUmvIipD4KDhsDMmjxeRgCdG4pE
2EVUjO6gFNRUbrx4refveFU=
=i5SK
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 01:49:04 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.