Debian Bug report logs - #525153
Please support passwd --stdin


Package: passwd; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow.

Reported by: Michael Gebetsroither <gebi@grml.org>

Date: Wed, 22 Apr 2009 14:54:04 UTC

Severity: wishlist

Found in version shadow/1:4.1.3.1-1

Fixed in version shadow/1:4.1.4-1

Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#525153; Package passwd. (Wed, 22 Apr 2009 14:54:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gebetsroither <gebi@grml.org>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Wed, 22 Apr 2009 14:54:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gebetsroither <gebi@grml.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please support passwd --stdin
Date: Wed, 22 Apr 2009 16:45:31 +0200
Package: passwd
Version: 1:4.1.3.1-1
Severity: wishlist

Hi,

Please support reading passwords from stdin in passwd (restricted to
root only).

It's a bit related to #505640 imho, but instead of all the quirks to get
the encrypted password back from pam just depend on the right
pam.d/common-password. Pipe the unencrypted password to passwd and
let pam do its job.

The current method is to use passwd with expect but the solution is
quite slow, so passwd --stdin would be preferable.

michael
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23-grml64 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.iso885915, LC_CTYPE=en_US.iso885915 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages passwd depends on:
ii  debianutils                   2.23.1     Miscellaneous utilities specific t
ii  libc6                         2.7-16     GNU C Library: Shared libraries
ii  libpam-modules                1.0.1-5    Pluggable Authentication Modules f
ii  libpam0g                      0.99.7.1-3 Pluggable Authentication Modules l
ii  libselinux1                   2.0.59-1   SELinux shared libraries

passwd recommends no packages.

passwd suggests no packages.

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#525153; Package passwd. (Sun, 26 Apr 2009 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Sun, 26 Apr 2009 17:36:03 GMT) Full text and rfc822 format available.

Message #10 received at 525153@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Michael Gebetsroither <gebi@grml.org>, 525153@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#525153: Please support passwd --stdin
Date: Sun, 26 Apr 2009 19:17:50 +0200

On Wed, Apr 22, 2009 at 04:45:31PM +0200, gebi@grml.org wrote:
> Package: passwd
> Version: 1:4.1.3.1-1
> Severity: wishlist
> 
> Hi,
> 
> Please support reading passwords from stdin in passwd (restricted to
> root only).

What would be the use case for this?

Isn't it what chpasswd already does?

> It's a bit related to #505640 imho, but instead of all the quirks to get
> the encrypted password back from pam just depend on the right
> pam.d/common-password. Pipe the unencrypted password to passwd and
> let pam do its job.

This will require the same quirks.

Pam is just simply not ready to receive the password at any time. The
password might just be dropped from stdin before it even tries to read it.

A conversation function is needed to communicate with PAM.

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#525153; Package passwd. (Mon, 27 Apr 2009 00:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gebetsroither <gebi@sbox.tugraz.at>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 27 Apr 2009 00:45:02 GMT) Full text and rfc822 format available.

Message #15 received at 525153@bugs.debian.org (full text, mbox):

From: Michael Gebetsroither <gebi@sbox.tugraz.at>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 525153@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#525153: Please support passwd --stdin
Date: Mon, 27 Apr 2009 02:42:43 +0200

Nicolas François wrote:

>> Please support reading passwords from stdin in passwd (restricted to
>> root only).
> 
> What would be the use case for this?

To set the password from scripts.

Currently all admins I know of use expect around passwd as it's the
only sane way to do this. (either because of another password backend as
/etc/shadow or special password configs from pam).

> Isn't it what chpasswd already does?

Chpasswd writes to shadow directly.
It bypasses all restrictions and configuration from common-password, e.g.
hash (md5, sha256, sha512) and number of rounds.

>> It's a bit related to #505640 imho, but instead of all the quirks to get
>> the encrypted password back from pam just depend on the right
>> pam.d/common-password. Pipe the unencrypted password to passwd and
>> let pam do its job.
> 
> This will require the same quirks.
> 
> Pam is just simply not ready to receive the password at any time. The
> password might just be dropped from stdin before it even tries to read it.
>
> A conversation function is needed to communicate with PAM.

Stdin conversation function from passwd-0.76-2.fc11.src.rpm below:

/* A conversation function which uses an internally-stored value for
 * the responses. */
static int
stdin_conv(int num_msg, const struct pam_message **msgm,
       struct pam_response **response, void *appdata_ptr)
{
    struct pam_response *reply;
    int count;

    /* Sanity test. */
    if (num_msg <= 0) {
        return PAM_CONV_ERR;
    }

    /* Allocate memory for the responses. */
    reply = calloc(num_msg, sizeof(struct pam_response));
    if (reply == NULL) {
        return PAM_CONV_ERR;
    }

    /* Each prompt elicits the same response. */
    for (count = 0; count < num_msg; ++count) {
        if (msgm[count]->msg_style == PAM_PROMPT_ECHO_OFF) {
            reply[count].resp_retcode = 0;
            reply[count].resp = strdup(appdata_ptr);
        } else {
            reply[count].resp_retcode = 0;
            reply[count].resp = strdup("");
        }
    }

    /* Set the pointers in the response structure and return. */
    *response = reply;
    return PAM_SUCCESS;
}

michael


Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#525153; Package passwd. (Mon, 27 Apr 2009 16:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 27 Apr 2009 16:27:07 GMT) Full text and rfc822 format available.

Message #20 received at 525153@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Michael Gebetsroither <gebi@sbox.tugraz.at>, 525153@bugs.debian.org
Subject: Re: Bug#525153: Please support passwd --stdin
Date: Mon, 27 Apr 2009 18:19:29 +0200

Hello,

On Mon, Apr 27, 2009 at 02:42:43AM +0200, gebi@sbox.tugraz.at wrote:
> Nicolas François wrote:
> 
> > This will require the same quirks.
> > 
> > Pam is just simply not ready to receive the password at any time. The
> > password might just be dropped from stdin before it even tries to read it.
> >
> > A conversation function is needed to communicate with PAM.
> 
> Stdin conversation function from passwd-0.76-2.fc11.src.rpm below:

Providing a conversation function is not an issue (although there might be
some uncertainties, as to how it should behave if a module explicitly
requested PAM_PROMPT_ECHO_ON).

My point was that the same conversation function can be used for chpasswd,
newusers, and passwd (i.e. I did not agree to "...but instead of all the
quirks to get the encrypted password back from pam...")

Once chpasswd supports PAM, do you still need passwd --stdin?

Supporting PAM in chpasswd looks much easier than supporting
non-interactive password updates in passwd. (mostly because of the non-PAM
paths)

From the documentation point of view, this would also be easier to have
different tools:
 * passwd - update passwords interactively
 * chpasswd - update passwords in batch mode

So if the use case is only "To set the password from scripts.", I would
just propose to use chpasswd for this (once it will be fixed).

Best Regards,
-- 
Nekral
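
Added example, not code from this thread, from shadow or from the Fedora passwd package: one way to settle the PAM_PROMPT_ECHO_ON uncertainty raised above is to fail closed, answering only hidden (PAM_PROMPT_ECHO_OFF) prompts with the password and aborting the conversation on any prompt that would echo it. The name batch_conv and the fail-closed policy are assumptions of this example; unlike the function quoted in message #15, it also checks every allocation and wipes partial replies on error.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* Stand-ins carrying Linux-PAM's values, so this builds without its headers. */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
#endif

/* Wipe and free every reply built so far, so no password copy outlives a failure. */
static void free_replies(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) {
        if (r[i].resp != NULL)
            for (volatile char *p = r[i].resp; *p != '\0'; p++)
                *p = '\0';
        free(r[i].resp);
    }
    free(r);
}

/* batch_conv (hypothetical name): appdata_ptr is the NUL-terminated password. */
static int batch_conv(int num_msg, const struct pam_message **msgm,
                      struct pam_response **response, void *appdata_ptr)
{
    const char *password = appdata_ptr;
    if (num_msg <= 0 || msgm == NULL || response == NULL || password == NULL)
        return PAM_CONV_ERR;
    struct pam_response *reply = calloc((size_t)num_msg, sizeof(*reply));
    if (reply == NULL)
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msgm[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:        /* hidden prompt: the only place the secret goes */
            reply[i].resp = malloc(strlen(password) + 1);
            if (reply[i].resp == NULL) {
                free_replies(reply, num_msg);
                return PAM_BUF_ERR;
            }
            strcpy(reply[i].resp, password);
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:              /* informational: resp stays NULL */
            break;
        default:                         /* PAM_PROMPT_ECHO_ON or unknown: fail closed */
            free_replies(reply, num_msg);
            return PAM_CONV_ERR;
        }
    }
    *response = reply;
    return PAM_SUCCESS;
}
```

It is meant to be used as the conv member of a struct pam_conv with the password in appdata_ptr; a batch tool would normally also log the text of PAM_ERROR_MSG prompts, which this example discards.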




Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#525153; Package passwd. (Mon, 27 Apr 2009 18:06:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gebetsroither <michael.geb@gmx.at>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 27 Apr 2009 18:06:09 GMT) Full text and rfc822 format available.

Message #25 received at 525153@bugs.debian.org (full text, mbox):

From: Michael Gebetsroither <michael.geb@gmx.at>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 525153@bugs.debian.org
Subject: Re: Bug#525153: Please support passwd --stdin
Date: Mon, 27 Apr 2009 20:04:51 +0200

Nicolas François wrote:

> My point was that the same conversation function can be used for chpasswd,
> newusers, and passwd (i.e. I did not agree to "...but instead of all the
> quirks to get the encrypted password back from pam...")
> 
> Once chpasswd supports PAM, do you still need passwd --stdin?

No, not at all, PAM support in chpasswd would be equally nice.
But chpasswd should complain loudly if it doesn't support PAM.
(e.g. --pam where older chpasswd versions exit with error).

> Supporting PAM in chpasswd looks much easier than supporting
> non-interactive password updates in passwd. (mostly because of the non-PAM
> paths)
> 
> From the documentation point of view, this would also be easier to have
> different tools:
>  * passwd - update passwords interactively
>  * chpasswd - update passwords in batch mode
> 
> So if the use case is only "To set the password from scripts.", I would
> just propose to use chpasswd for this (once it will be fixed).

ACK!

michael


Tags added: pending Request was from Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Sat, 09 May 2009 17:06:06 GMT) Full text and rfc822 format available.

Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (Mon, 11 May 2009 18:54:09 GMT) Full text and rfc822 format available.

Notification sent to Michael Gebetsroither <gebi@grml.org>:
Bug acknowledged by developer. (Mon, 11 May 2009 18:54:09 GMT) Full text and rfc822 format available.

Message #32 received at 525153-close@bugs.debian.org (full text, mbox):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 525153-close@bugs.debian.org
Subject: Bug#525153: fixed in shadow 1:4.1.4-1
Date: Mon, 11 May 2009 18:32:16 +0000
Source: shadow
Source-Version: 1:4.1.4-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.1.4-1_i386.deb
  to pool/main/s/shadow/login_4.1.4-1_i386.deb
passwd_4.1.4-1_i386.deb
  to pool/main/s/shadow/passwd_4.1.4-1_i386.deb
shadow_4.1.4-1.diff.gz
  to pool/main/s/shadow/shadow_4.1.4-1.diff.gz
shadow_4.1.4-1.dsc
  to pool/main/s/shadow/shadow_4.1.4-1.dsc
shadow_4.1.4.orig.tar.gz
  to pool/main/s/shadow/shadow_4.1.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 525153@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 11 May 2009 00:25:11 +0200
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.4-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 501869 524719 524873 525153 525531 525658 525967 527095 527106 527131 527636
Changes: 
 shadow (1:4.1.4-1) unstable; urgency=low
 .
   * The "Chambérat" release.
   * New upstream release:
      - Updated Czech translation. Closes: #525658
      - Updated French translation.
      - Updated German translation. Closes: #527131
      - Updated Japanese translation.
      - Updated Korean translation. Closes: #524719
      - Updated Portuguese translation. Closes: #525531
      - Updated Russian translation. Closes: #527636
      - passwd: Report password properties changes if the password is not
        actually changed. Closes: #525967
      - Fixed lastlog. 4.1.3 only reported empty logs. Closes: #524873
      - Remove patches applied upstream:
         + debian/patches/403_fix_PATH-MAX_hurd
      - Updated patches:
         + debian/patches/008_login_log_failure_in_FTMP
         + debian/patches/401_cppw_src.dpatch
         + debian/patches/429_login_FAILLOG_ENAB
         + debian/patches/463_login_delay_obeys_to_PAM
      - pwck and grpck warn when the shadowed and non-shadowed files contain
        an entry for the same user or group and the non shadowed file password
        field is not 'x'. Closes: #501869
        Other topics raised in this bug were fixed previously.
   * debian/securetty.linux: Added Freescale i.MX ports. Closes: #527095
   * debian/securetty.linux: Added some local X displays. See LP #104957. But
     only a limited set of displays were added.
   * debian/rules, debian/passwd.newusers.pam, debian/passwd.chpasswd.pam:
     Install the newusers and chpasswd PAM service configuration files.
     newusers and chpasswd now use PAM to update the passwords.
     Closes: #525153
   * debian/login.pam: Updated support for SELinux. Closes: #527106
   * debian/control: Standards-Version bumped to 3.8.1. No changes.
   * debian/control: Changed gnome-doc-utils dependency to >= 0.4.3 (instead
     of >= 0.4.3-1)
   * debian/control: Added ${misc:Depends} to the passwd's Depends and login's
     Pre-Depends.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 10 Jun 2009 07:33:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 01:51:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.