Debian Bug report logs - #115380
[PROPOSED UPSTREAM PATCH] In passwd(1), do not suggest that bad passwords are checked after 1st entry


Package: passwd; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow.

Reported by: Silas S. Brown <ssb22@cam.ac.uk>

Date: Fri, 12 Oct 2001 16:48:01 UTC

Severity: minor

Tags: confirmed, patch, upstream

Fixed in version shadow/1:4.0.13-1

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.

Forwarded to Tomasz Kłoczko <kloczek@zie.pg.gda.pl>



Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#115380; Package passwd.


Acknowledgement sent to Silas S. Brown <ssb22@cam.ac.uk>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Silas S. Brown <ssb22@cam.ac.uk>
To: submit@bugs.debian.org
Subject: passwd: Prompts twice before rejecting bad passwords
Date: Fri, 12 Oct 2001 17:36:02 +0100
Package: passwd
Version: 20000902-7
Severity: normal

The manual page of passwd says that bad passwords (e.g. not complex
enough) are rejected, and that, if a password gets through that check,
the user is prompted again (for verification).  What actually happens
is that the user is prompted twice anyway, before the check for bad
passwords is made.  This can be annoying because the user has to type
the password twice only to discover it is bad.

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux ssb22 2.4.9 #2 Sat Sep 15 21:02:01 BST 2001 i686 unknown

Versions of the packages passwd depends on:
ii  libc6          2.2.4-1        GNU C Library: Shared libraries and Timezone
ii  libpam0g       0.72-32        Pluggable Authentication Modules library
ii  libpam-modules 0.72-31        Pluggable Authentication Modules for PAM
ii  login          20000902-7     System login tools

--- Begin /etc/shells (modified conffile)
/bin/ash
/bin/bash
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/usr/bin/zsh
/bin/sash
/bin/zsh
/usr/bin/esh
/bin/xemacs

--- End /etc/shells



Bug reassigned from package `passwd' to `pam'. Request was from kcr@debian.org to control@bugs.debian.org.


Bug reassigned from package `pam' to `passwd'. Request was from hartmans@mit.edu (Sam Hartman) to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#115380; Package passwd.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.


Message #14 received at 115380@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 115380@bugs.debian.org
Cc: Tomasz Kłoczko <kloczek@zie.pg.gda.pl>, control@bugs.debian.org
Subject: Better bug description
Date: Mon, 4 Apr 2005 23:50:55 +0200
tags 115380 upstream confirmed
severity 115380 minor
retitle 115380 [POST SARGE] In passwd(1), do not suggest that bad passwords are checked after 1st entry
forwarded Tomasz Kłoczko <kloczek@zie.pg.gda.pl>
thanks

(passwd: Prompts twice before rejecting bad passwords)

The bug log (http://bugs.debian.org/115380) shows that changing PAM to
reject after the first password entry is not likely.

Sam Hartman correctly suggested to adapt the passwd man page and not have
it suggest that "bad" passwords are rejected after the first entry, but
only after the second.

Tomasz, are you OK with that ?


Tags added: upstream, confirmed Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Severity set to `minor'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Noted your statement that Bug has been forwarded to Tomasz Kłoczko <kloczek@zie.pg.gda.pl>. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Changed Bug title. Request was from Christian Perrier <bubulle@kheops.frmug.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#115380; Package passwd.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.


Message #29 received at 115380@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 115380@bugs.debian.org, Tomasz Kłoczko <kloczek@zie.pg.gda.pl>
Subject: Patch for passwd man page (Debian bug #115380)
Date: Mon, 12 Sep 2005 18:28:10 +0200
tags 115380 patch
thanks

In http://bugs.debian.org/115380, the user complains that the reject
of "bad" passwords only happens after the password has been confirmed.

Analysis showed that changing this is not easy, but also that the
passwd(1) man page is misleading about this, suggesting that the
password strength check happens before the confirmation.

The attached patch (for upstream man page) corrects the man page with
that matter.

Tomasz, could you consider applying it to your CVS ?


[passwd.1.diff (text/plain, attachment)]

Tags added: patch Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Tags added: pending Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.


Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility.


Notification sent to Silas S. Brown <ssb22@cam.ac.uk>:
Bug acknowledged by developer.


Message #38 received at 115380-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 115380-close@bugs.debian.org
Subject: Bug#115380: fixed in shadow 1:4.0.13-1
Date: Thu, 13 Oct 2005 11:32:07 -0700
Source: shadow
Source-Version: 1:4.0.13-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.13-1_i386.deb
  to pool/main/s/shadow/login_4.0.13-1_i386.deb
passwd_4.0.13-1_i386.deb
  to pool/main/s/shadow/passwd_4.0.13-1_i386.deb
shadow_4.0.13-1.diff.gz
  to pool/main/s/shadow/shadow_4.0.13-1.diff.gz
shadow_4.0.13-1.dsc
  to pool/main/s/shadow/shadow_4.0.13-1.dsc
shadow_4.0.13.orig.tar.gz
  to pool/main/s/shadow/shadow_4.0.13.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 115380@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 10 Oct 2005 23:15:47 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.13-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 89902 115380 146779 208514 249372 265613 268656 269573 275343 282822 293171 300892 304343 304352 325558 325773 330630 330855 331487 331487 332711
Changes: 
 shadow (1:4.0.13-1) unstable; urgency=low
 .
   * The "Maroilles" release
   * New upstream version:
     Debian bugs fixed by the new upstream version:
     - faillog: Do not oversimplify the date of the last unsuccessful login
       Closes: #89902
     - login.1: also mention securetty(5). Closes: #325773
     - chfn.1, chsh.1, groupadd.8, newusers.8, pwconv.8
       useradd.8, userdel.8, usermod.8:
       Improved crossreferences with other manpages
       Closes: #300892
     - newgrp.1:
       Improved documentation of how group passwords work
       Closes: #325558
     - passwd.c:
       The usage line is no more too terse
       Closes: #146779
   * Patches to upstream man pages, not yet applied upstream:
     - debian/patches/452_doc_password_check_order:
       Document the order for checking the password strength
       Closes: #115380
   * Debian packaging fixes:
     - debian/login.su.pam:
       - pam_wheel example moved after pam_rootok in config.
         Also documents that with 'pam_wheel.so group=foo', root may need to
         be in the foo group. Closes: #330630, #330855
       - pam_env turned to be used as a session module which it is designed
         to be. Thanks to Steinar H. Gunderson who pointed this out and
         Steve Langasek and Andrew Suffield who suggested the right solution.
     - debian/control:
       - manpages-es-extra: versioned Replaces as the man pages have now been
                            removed
       - manpages-de:       versioned Replaces as the man pages have now been
                            removed
       - manpages-hu:       versioned Replaces as the man pages have now been
                            removed
     - debian/rules:
       - pack upstream's NEWS file into login and passwd. Closes: #331487
       - pack login.defs and its manpages into "passwd" instead of "login"
         package for the Hurd platform. Closes: #249372
       - copy upstream's changelog. Closes: #331487
     - debian/passwd.config, debian/passwd.templates:
       - allow preseeding the root (and user) password with a MD5 hash
         Closes: #275343, #304352
         Thanks to Colin Watson for the Ubuntu patch
       - the above also allows preseeding a disabled password for root
         Closes: #304343
       - add passwd/user-uid template, which can be preseeded to force the
         initial user to have a certain uid.
         Thanks to Colin Watson for the Ubuntu patch
       - allow hyphens in username
         Thanks to Colin Watson for the Ubuntu patch (Ubuntu #15721)
     - debian/login.defs:
       - document the obsoleted by PAM ENV_HZ variable. Closes: #265613
       - better document the real use of USERGROUPS_ENAB. Closes: #282822
     - debian/add-shell, debian/remove-shell, debian/add-shell.8,
       debian/remove-shell.8:
       - utilities moved to debianutils. Add a versioned "Depends" line on
         debianutils so that passwd cannot be upgraded when the new
         debianutils version including these utilities isn't available
         Closes: #208514, #268656, #269573, #293171
   * Debconf translation updates:
     - Swedish updated. Closes: #332711
Files: 
 261cbca719b22a396d2c38eab21e0f5b 867 admin required shadow_4.0.13-1.dsc
 034fab52e187e63cb52f153bb7f304c8 1622557 admin required shadow_4.0.13.orig.tar.gz
 3faf38ca58e4a594721f1068735ce920 181776 admin required shadow_4.0.13-1.diff.gz
 15e4ec0f57bdaf06bb3170d4de13867a 599276 admin required passwd_4.0.13-1_i386.deb
 087d22baecf6ef53ef8fb5e6d51564c1 560910 admin required login_4.0.13-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDTYDJ1OXtrMAUPS0RAvF5AJ49RdbhnKwV5mp6f+NY88B0/PzDyQCgpjoX
Jkjuz7tmFAhUmVxGJPtloRQ=
=9SLM
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 17:47:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 12:11:07 2023; Machine Name: bembo
