Bug 74929

Summary: DES/BLF login.conf classes not working with passwd
Product: Base System Reporter: Mahlon E. Smith <mahlon-dated-1110480323.6ec148>
Component: binAssignee: Dag-Erling Smørgrav <des>
Status: Closed FIXED    
Severity: Affects Only Me CC: mahlon-dated-1110480323.6ec148
Priority: Normal    
Version: 5.3-STABLE   
Hardware: Any   
OS: Any   

Description Mahlon E. Smith 2004-12-10 21:00:45 UTC 
    In any 5.x release, passwd ignores the passwd_format class key in
    login.conf, and always generates a MD5 password.

Fix: 

Because this works perfectly under 4.x, I'm assuming it's an issue
    with the new PAM compatibility with passwd under 5.x.

    To workaround for now, don't use passwd, instead use:

    % pw usermod [username] -h 0
How-To-Repeat: 
    - enable des_users class in login.conf (for DES crypt passwords)
    - run cap_mkdb /etc/login.conf
    - edit the class field of the user(s) with vipw, changing their
      login class to des_users.

      mahlon:REMOVED:1001:1000:des_users:0:0:Mahlon E. Smith:/home/mahlon:/bin/tcsh
      
    - change the password with passwd.
    - check the master.passwd file.  Password is MD5. ($1$...)
Comment 1 Simon L. B. Nielsen freebsd_committer freebsd_triage 2004-12-11 13:30:16 UTC 
On 2004.12.10 20:54:12 -0000, Mahlon E. Smith wrote:

>     In any 5.x release, passwd ignores the passwd_format class key in
>     login.conf, and always generates a MD5 password.


I think the problem is with the setting the correct class for a user.

If I change the passwd_format in the default class it works fine, but
I can reproduce your example, so the problem is probably that passwd
somehow does not honor/use the correct class for the user that gets
the password changed.

-- 
Simon L. Nielsen
Comment 2 Stephen P. Cravey 2005-06-25 14:14:38 UTC 
Did you try issuing a:

cap_mkdb /etc/login.conf

?
This was my problem.
Also have a look at:
http://forums.servermatrix.com/viewtopic.php?t=11342

I expect some man page patches would help with this problem and many
like it. the docs for fiddling with this stuff kindof blow.

-Stephen
Comment 3 Stephen Cravey 2005-06-26 05:13:45 UTC 
The problem seems to be that the pam_sm_chauthtok function in the
pam_unix module only checks forthe password format for the default login
class (or the first in the file?)

Try this:

cd /usr/src/lib/libpam/modules/pam_unix
fetch http://www.cravey.org/patches/pam_unix.c.diff.200506252305
patch < pam_unix.c.diff.200506252305
make && make install

Then try to use passwd.
Please test as user and as root. Also, make sure that other classed work
against the default properly.

By applying the patch again, 'patch' will assume you want to reverse the
damage and wil revert the source file. then you can re-make and
everything should go back to normal.

This should apply cleanly to (I think) 5.3 and up. 

-Stephen

--- pam_unix.c~ Tue Feb 10 04:13:21 2004
+++ pam_unix.c  Sat Jun 25 22:34:53 2005
@@ -372,7 +372,7 @@
                        return (PAM_BUF_ERR);
 
                pwd->pw_change = 0;
-               lc = login_getclass(NULL);
+               lc = login_getclass(pwd->pw_class);
                if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
                        openpam_log(PAM_LOG_ERROR,
                            "can't set password cipher, relying on
default");
Comment 4 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2005-07-04 15:27:19 UTC 
Responsible Changed
From-To: freebsd-bugs->des

PAM issue.
Comment 5 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2005-07-05 19:47:18 UTC 
State Changed
From-To: open->patched

Fixed in -CURRENT, awaiting MFC.
Comment 6 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2006-11-11 00:47:32 UTC 
State Changed
From-To: patched->closed

MFCed