Package: libpam-modules
Version: 1.1.3-7
Severity: normal

Hello,

The pam_unix password module handles blank passwords as NULL and refuses to accept them as valid even if the 'nullok' option is set. Also, there is a big difference between an account with a blank password and a passwordless account, so I don't think that '"\0" password = NULL' is correct at all.

# echo "admin:" | chpasswd
No password supplied
No password supplied
No password supplied
chpasswd: (user admin) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user admin) password not changed

# tail -f /var/log/auth.log
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): username [admin] obtained
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): username [admin] obtained
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): bad authentication token
Feb 22 14:48:44 pc389 last message repeated 2 times
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): new password not acceptable

Since the minimum password length could be set by other means, I propose to remove the following lines in pam_unix_passwd.c altogether.

- if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */
- pass_new = NULL;
- }

Thank you.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to ru_RU.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.41
ii libc6 2.13-26
ii libdb5.1 5.1.29-1
ii libpam-modules-bin 1.1.3-7
ii libpam0g 1.1.3-7
ii libselinux1 2.1.0-4.1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information excluded

diff -rub Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c Linux-PAM-1.1.5-patched/modules/pam_unix/pam_unix_passwd.c --- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2011-06-21 12:04:56.000000000 +0300 +++ Linux-PAM-1.1.5-patched/modules/pam_unix/pam_unix_passwd.c 2012-02-22 14:57:25.000000000 +0300 @@ -736,9 +736,6 @@ * password is acceptable. */ - if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */ - pass_new = NULL; - } retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new, pass_min_len);
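
Review bot: The removal of the pass_new == '\0' check in the hunk at line 736 is unconditional, so an empty new password now reaches _pam_unix_approve_pass() in every configuration, not only when 'nullok' is set as the report describes. Suggest keeping the conversion to NULL unless ctrl shows that 'nullok' is enabled, so that systems without 'nullok' still reject a blank new password at this point. It is also worth confirming that _pam_unix_approve_pass() and the code after it treat an empty string safely when pass_min_len is passed in, since the surrounding comment says this call is where acceptability is decided and the old code guaranteed it never saw "".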