Package: libpam-modules
Version: 1.1.3-7
Severity: normal

Hello,

The pam_unix password module handles blank passwords as NULL and refuses
to accept them as valid even if the 'nullok' option is set.
Also, there is a big difference between an account with a blank password and
a passwordless account, so I don't think that '"\0" password = NULL' is
correct at all.

# echo "admin:" | chpasswd
No password supplied
No password supplied
No password supplied
chpasswd: (user admin) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user admin) password not changed

# tail -f /var/log/auth.log
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): username [admin] obtained
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): username [admin] obtained
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): bad authentication token
Feb 22 14:48:44 pc389 last message repeated 2 times
Feb 22 14:48:44 pc389 chpasswd[17947]: pam_unix(chpasswd:chauthtok): new password not acceptable

Since the minimum password length could be set by other means, I propose
removing the following lines from pam_unix_passwd.c entirely.
-     if (*(const char *)pass_new == '\0') {  /* "\0" password = NULL */
-       pass_new = NULL;
-     }

Thank you.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to ru_RU.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.41
ii  libc6                  2.13-26
ii  libdb5.1               5.1.29-1
ii  libpam-modules-bin     1.1.3-7
ii  libpam0g               1.1.3-7
ii  libselinux1            2.1.0-4.1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information excluded
diff -rub Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c Linux-PAM-1.1.5-patched/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c	2011-06-21 12:04:56.000000000 +0300
+++ Linux-PAM-1.1.5-patched/modules/pam_unix/pam_unix_passwd.c	2012-02-22 14:57:25.000000000 +0300
@@ -736,9 +736,6 @@
 			 * password is acceptable.
 			 */
 
-			if (*(const char *)pass_new == '\0') {	/* "\0" password = NULL */
-				pass_new = NULL;
-			}
 			retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
 			                                pass_new, pass_min_len);
 
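Review bot: dropping the empty-string-to-NULL mapping just before `_pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new, pass_min_len)` lets an empty new password reach the acceptance check unconditionally, for every caller and regardless of whether the module was configured with `nullok`; nothing in this hunk ties the new behaviour to that option, and by the report's own reasoning (minimum length "could be set by other means") a configuration with no minimum length would accept an empty password by default. Suggest keeping the mapping unless nullok is set in `ctrl` rather than deleting it, along the lines of `if (off(UNIX__NULLOK, ctrl) && *(const char *)pass_new == '\0')` (assuming the option flag is the `UNIX__NULLOK` bit from support.h, as I recall it), or at least documenting in the changelog that the chauthtok path now accepts empty passwords. Also, the patch is against Linux-PAM-1.1.5 while the report is filed against 1.1.3-7; confirm the hunk at line 736 applies to the Debian source.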

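The report's point that a blank password and a passwordless (locked) account are not the same thing comes down to what sits in the second field of the shadow entry. The following script, added here as an illustration and not code from Linux-PAM or Debian, classifies shadow-style lines into "blank" (empty hash field, which pam_unix accepts only with nullok), "locked" (`*` or `!`-prefixed, never authenticates) and "hashed", and lists the accounts that an empty password would open under a given nullok setting. The shadow lines and the hash strings in them are constructed sample data, not taken from any real system.

```python
"""Classify /etc/shadow-style entries: blank password vs. locked vs. hashed.

Added example for the bug report above; not code from Linux-PAM or Debian.
SAMPLE_SHADOW is constructed test data (the hash strings are placeholders,
not real crypt(3) output).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data. The second field is the password hash field.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:15000:0:99999:7:::
admin::15000:0:99999:7:::
backup:!:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
svc:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:15000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    hash_field: str

    @property
    def kind(self) -> str:
        h = self.hash_field
        if h == "":
            # Empty field: a blank password. pam_unix only lets this account
            # in with an empty password when the module is given 'nullok'.
            return "blank"
        if h == "*" or h.startswith("!"):
            # No usable hash ('*' or '!'-locked, possibly with the old hash
            # kept behind the '!'): no password will ever verify.
            return "locked"
        return "hashed"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines (user:hash:...) into entries."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        entries.append(ShadowEntry(fields[0], fields[1]))
    return entries


def classify(text: str) -> Dict[str, str]:
    """Map each user to 'blank', 'locked' or 'hashed'."""
    return {e.user: e.kind for e in parse_shadow(text)}


def blank_password_accounts(text: str, nullok: bool) -> List[str]:
    """Users who can authenticate with an empty password.

    Without nullok, pam_unix refuses blank-password accounts outright, so
    the answer is always the empty list; with nullok, every empty hash field
    is a login that needs no password at all.
    """
    if not nullok:
        return []
    return [e.user for e in parse_shadow(text) if e.kind == "blank"]


if __name__ == "__main__":
    for user, kind in classify(SAMPLE_SHADOW).items():
        print(f"{user:8s} {kind}")
    print("open with nullok:", blank_password_accounts(SAMPLE_SHADOW, nullok=True))
```

Running it over the sample shows `admin` as the only blank-password account, while `backup`, `nobody` and `svc` are locked: the "passwordless" accounts the report distinguishes from a genuinely blank password. Point it at a real `/etc/shadow` (as root) to audit what `nullok` would actually expose.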