Debian Bug report logs - #482553
ldm: password change doesn't work

Package: ldm; Maintainer for ldm is Debian LTSP Maintainers <team+ltsp@tracker.debian.org>; Source for ldm is src:ldm.

Reported by: "John S. Skogtvedt" <jss@bzz.no>

Date: Fri, 23 May 2008 13:57:01 UTC

Severity: normal

Found in versions 2:2.0.3-1~40.etch.0, ldm/2:2.0.5-1

Fixed in version ldm/2:2.0.9-1

Done: Vagrant Cascadian <vagrant@freegeek.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#482553; Package ldm.


Acknowledgement sent to "John S. Skogtvedt" <jss@bzz.no>:
New Bug report received and forwarded. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "John S. Skogtvedt" <jss@bzz.no>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ldm: password change doesn't work
Date: Fri, 23 May 2008 15:59:18 +0200
Package: ldm
Version: 2:2.0.3-1~40.etch.0
Severity: normal


When trying to log in as a user with an expired password,
I experienced the following problems:

1) ldm first prompted for new password, and then prompted again (to confirm).
  After that it got stuck - I could enter text, but nothing happened.
2) ldm doesn't check if the new password is equal to the old password.
  If it is, then the password won't be successfully changed.
3) (with 1 and 2 fixed) ldm incorrectly zeros the password,
  so that the user has to enter the new password again to log in after
  a password change.

I have attached a patch which should fix these problems.

Steps to reproduce:
1) Expire a user's password on the server.
2) Attempt to log in as the user with ldm.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-486
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages ldm depends on:
ii  gtk2-engines [gtk2-eng 1:2.8.2-1         theme engines for GTK+ 2.x
ii  gtk2-engines-clearlook 1:2.8.2-1         Clearlooks GTK+ 2.x engine and the
ii  libatk1.0-0            1.12.4-3          The ATK accessibility toolkit
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libcairo2              1.2.4-4.1+etch1   The Cairo 2D vector graphics libra
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgtk2.0-0            2.8.20-7          The GTK+ graphical user interface 
ii  libpango1.0-0          1.14.8-5          Layout and rendering of internatio
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1.1.7-4           X cursor management library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.1-5         X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4         X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1       X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5       X11 RandR extension library
ii  libxrender1            1:0.9.1-3         X Rendering Extension client libra
ii  openssh-client         1:4.3p2-9etch2    Secure shell client, an rlogin/rsh
ii  xserver-xorg           1:7.1.0-19        the X.Org X server
ii  xserver-xorg-core [xse 2:1.1.1-21etch4   X.Org X server -- core server

Versions of packages ldm recommends:
ii  netcat                        1.10-32    TCP/IP swiss army knife

-- no debconf information
[ldm-2.0.3-pwchange.diff (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#482553; Package ldm.


Acknowledgement sent to Vagrant Cascadian <vagrant@freegeek.org>:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.


Message #10 received at 482553@bugs.debian.org:

From: Vagrant Cascadian <vagrant@freegeek.org>
To: "John S. Skogtvedt" <jss@bzz.no>, 482553@bugs.debian.org
Subject: Re: Bug#482553: ldm: password change doesn't work
Date: Thu, 29 May 2008 23:23:46 -0700
found 482553 2:2.0.5-1
thanks

On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
> When trying to log in as a user with an expired password,
> I experienced the following problems:
> 
> 1) ldm first prompted for new password, and then prompted again (to confirm).
>   After that it got stuck - I could enter text, but nothing happened.
> 2) ldm doesn't check if the new password is equal to the old password.
>   If it is, then the password won't be successfully changed.
> 3) (with 1 and 2 fixed) ldm incorrectly zeros the password,
>   so that the user has to enter the new password again to log in after
>   a password change.
> 
> I have attached a patch which should fix these problems.

thanks for the patch, i tested it and it seems to address the issues
mentioned.

unfortunately additional checks, possibly not present on etch, also
cause it to hang at the verifying password phase.  two that i found were
if the password is too similar to the previous password or if the
password is too short- these are likely common issues as well. i suspect
there are more.

the good news is that this part of ldm is currently being discussed by
ltsp developers, as it's totally broken for opensuse and gentoo's
password expiry, as they have totally different text.

live well,
  vagrant
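
An added example, not part of the original message and not ldm's code: the hangs described above come from waiting on a single expected string, so this C code waits for several outcomes at once and gives up after an idle timeout. `wait_for_any` and `classify_pw_change` are hypothetical helpers, and every pattern except "updated successfully" is an assumed sample.

```c
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

enum pw_result { PW_UNKNOWN = 0, PW_CHANGED = 1, PW_REJECTED = 2 };

/* Read from fd until one of the NULL-terminated patterns shows up in the
 * accumulated output. Returns its 1-based index, 0 if no output arrives
 * for idle_s seconds, -1 on EOF or error. */
static int wait_for_any(int fd, double idle_s, const char *const *patterns)
{
    char buf[1024] = "";
    size_t len = 0;

    for (;;) {
        for (int i = 0; patterns[i] != NULL; i++)
            if (strstr(buf, patterns[i]) != NULL)
                return i + 1;
        if (len == sizeof buf - 1) {          /* full: keep only the tail */
            memmove(buf, buf + len / 2, len - len / 2 + 1);
            len -= len / 2;
        }
        fd_set rfds;
        struct timeval tv;
        tv.tv_sec = (long)idle_s;
        tv.tv_usec = (long)((idle_s - (double)tv.tv_sec) * 1e6);
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready <= 0)
            return ready;                     /* 0 = timeout, -1 = error */
        ssize_t n = read(fd, buf + len, sizeof buf - 1 - len);
        if (n <= 0)
            return -1;
        len += (size_t)n;
        buf[len] = '\0';
    }
}

/* Map the server's reply to an outcome the greeter can act on. Only
 * "updated successfully" comes from the thread; the rejection strings
 * are assumed samples and differ by distribution and locale. */
static enum pw_result classify_pw_change(int fd, double idle_s)
{
    static const char *const patterns[] = {
        "updated successfully", "BAD PASSWORD", "password unchanged", NULL };
    int seen = wait_for_any(fd, idle_s, patterns);
    if (seen == 1)
        return PW_CHANGED;
    return seen > 1 ? PW_REJECTED : PW_UNKNOWN;
}
```

Unrecognised text and silence both come back as `PW_UNKNOWN`, so the caller can show an error and return to the login prompt.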




Bug marked as found in version 2:2.0.5-1. Request was from Vagrant Cascadian <vagrant@freegeek.org> to control@bugs.debian.org. (Fri, 30 May 2008 06:24:18 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#482553; Package ldm.


Acknowledgement sent to Vagrant Cascadian <vagrant@freegeek.org>:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.


Message #17 received at 482553@bugs.debian.org:

From: Vagrant Cascadian <vagrant@freegeek.org>
To: "John S. Skogtvedt" <jss@bzz.no>, 482553@bugs.debian.org
Subject: Re: Bug#482553: ldm: password change doesn't work
Date: Fri, 30 May 2008 22:41:40 -0700
On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
> When trying to log in as a user with an expired password,
> I experienced the following problems:
...snip... 
> I have attached a patch which should fix these problems.

applied your patch to the version just uploaded to unstable, even though
there are still likely cases where it will hang. i didn't close the bug
since there are outstanding issues.

i am curious if this line is a good idea, though:

@@ -256,7 +261,6 @@

     seen = expect(fd, 30.0, "updated successfully", NULL);
     if (seen == 1) {
-        bzero(ldminfo.password, sizeof ldminfo.password);
         return 2;
     }
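
Review bot: With the bzero() gone from the `seen == 1` branch, ldminfo.password is still populated when this function returns 2, and nothing in the hunk shows where it is cleared afterwards. Add a comment at `return 2;` naming the code that wipes the buffer once the follow-up login is done, and check that the failure and timeout paths reach that wipe as well.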

by removing that line, is it leaving the password sitting in memory?

live well,
  vagrant




Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#482553; Package ldm.


Acknowledgement sent to "John S. Skogtvedt" <jss2k2@getmail.no>:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>.


Message #22 received at 482553@bugs.debian.org:

From: "John S. Skogtvedt" <jss2k2@getmail.no>
To: 482553@bugs.debian.org
Subject: Re: Bug#482553: ldm: password change doesn't work
Date: Thu, 05 Jun 2008 11:50:46 +0200
Vagrant Cascadian wrote:
> On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
>> When trying to log in as a user with an expired password,
>> I experienced the following problems:
> ...snip... 
>> I have attached a patch which should fix these problems.
> 
> applied your patch to the version just uploaded to unstable, even though
> there are still likely cases where it will hang. i didn't close the bug
> since there are outstanding issues.
> 
> i am curious if this line is a good idea, though:
> 
> @@ -256,7 +261,6 @@
> 
>      seen = expect(fd, 30.0, "updated successfully", NULL);
>      if (seen == 1) {
> -        bzero(ldminfo.password, sizeof ldminfo.password);
>          return 2;
>      }
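
Review bot: The success test in the context line is a single literal, "updated successfully", and the only outcome handled in view after the 30.0 second wait is `seen == 1`; the hunk should also say what happens when that text never arrives. The expect() call appears to take a NULL-terminated list, so consider passing the known rejection messages in the same call and returning a distinct code for them and for the timeout, so a refused password is reported instead of waited on.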
> 
> by removing that line, is it leaving the password sitting in memory?
> 
> live well,
>   vagrant
> 

Zeroing the password there means that the user has to enter the password
a third time to be able to log in (and ldm doesn't give proper feedback).

It shouldn't be a problem, because the password is zeroed in main().
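
An added example, not part of the original message and not ldm's code: the trade-off discussed above, keeping the new password for the follow-up login while still clearing it, shown as one wipe on the caller's single exit path. All names are hypothetical, the server is simulated in memory, and the value 2 only mirrors the `return 2` in the quoted hunk.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 64
enum { AUTH_OK = 0, AUTH_FAILED = 1, AUTH_PW_CHANGED = 2 };

/* Hypothetical stand-ins: greeter-side state and a simulated server account. */
struct login_info { char password[PW_MAX]; };
struct account    { char password[PW_MAX]; int expired; };

/* Wipe through a volatile pointer so the stores are not dropped as dead. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* One attempt. After a forced change the new password stays in li->password
 * so the caller can log in with it; the old one is wiped first. */
static int authenticate(struct login_info *li, struct account *acct,
                        const char *new_pw)
{
    if (strcmp(li->password, acct->password) != 0)
        return AUTH_FAILED;
    if (!acct->expired)
        return AUTH_OK;
    if (strlen(new_pw) >= PW_MAX || strcmp(new_pw, acct->password) == 0)
        return AUTH_FAILED;              /* too long, or new equals old */
    strcpy(acct->password, new_pw);
    acct->expired = 0;
    secure_wipe(li->password, sizeof li->password);
    strcpy(li->password, new_pw);
    return AUTH_PW_CHANGED;
}

/* Caller: retry once after a change, then wipe on the single exit path. */
static int login_session(struct login_info *li, struct account *acct,
                         const char *new_pw)
{
    int rc = authenticate(li, acct, new_pw);
    if (rc == AUTH_PW_CHANGED)
        rc = authenticate(li, acct, new_pw);   /* no re-prompt needed */
    secure_wipe(li->password, sizeof li->password);
    return rc;
}
```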






Reply sent to Vagrant Cascadian <vagrant@freegeek.org>:
You have taken responsibility.


Notification sent to "John S. Skogtvedt" <jss@bzz.no>:
Bug acknowledged by developer.


Message #27 received at 482553-close@bugs.debian.org:

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 482553-close@bugs.debian.org
Subject: Bug#482553: fixed in ldm 2:2.0.9-1
Date: Wed, 06 Aug 2008 23:32:03 +0000
Source: ldm
Source-Version: 2:2.0.9-1

We believe that the bug you reported is fixed in the latest version of
ldm, which is due to be installed in the Debian FTP archive:

ldm_2.0.9-1.diff.gz
  to pool/main/l/ldm/ldm_2.0.9-1.diff.gz
ldm_2.0.9-1.dsc
  to pool/main/l/ldm/ldm_2.0.9-1.dsc
ldm_2.0.9-1_i386.deb
  to pool/main/l/ldm/ldm_2.0.9-1_i386.deb
ldm_2.0.9.orig.tar.gz
  to pool/main/l/ldm/ldm_2.0.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 482553@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@freegeek.org> (supplier of updated ldm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 06 Aug 2008 16:07:50 -0700
Source: ldm
Binary: ldm
Architecture: source i386
Version: 2:2.0.9-1
Distribution: experimental
Urgency: low
Maintainer: LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@freegeek.org>
Description: 
 ldm        - LTSP display manager
Closes: 482553 490897
Changes: 
 ldm (2:2.0.9-1) experimental; urgency=low
 .
   * new upstream version:
     - cleaner handling of ssh interaction:
       + fixes tcsh logins (Closes: #490897)
       + fixes password expiry (Closes: #482553)
   * updated standards-version to 3.8.0, no changes needed.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jul 2011 07:37:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:34:49 2023; Machine Name: bembo
