Bug#482553: ldm: password change doesn't work

2008-06-05 Thread John S. Skogtvedt
Vagrant Cascadian wrote:
 On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
 When trying to log in as a user with an expired password,
 I experienced the following problems:
 ...snip... 
 I have attached a patch which should fix these problems.
 
 applied your patch to the version just uploaded to unstable, even though
 there are still likely cases where it will hang. i didn't close the bug
 since there are outstanding issues.
 
 i am curious if this line is a good idea, though:
 
 @@ -256,7 +261,6 @@
 
  seen = expect(fd, 30.0, updated successfully, NULL);
  if (seen == 1) {
 -bzero(ldminfo.password, sizeof ldminfo.password);
  return 2;
  }
 
 by removing that line, is it leaving the password sitting in memory?
 
 live well,
   vagrant
 

Zeroing the password there means that the user has to enter the password
a third time to be able to log in (and ldm doesn't give proper feedback).

It shouldn't be a problem, because the password is zeroed in main().





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
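
The ownership rule described in the reply above (the password-change routine leaves the password in place for the login that follows, and the caller clears it) can be sketched in C as below. This is an added example, not ldm's code: `struct ldm_info_example`, `wipe`, `wipe_free`, `change_password_example` and `session_example` are hypothetical names, and the exchange with the server is replaced by a stub.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ldm_info_example { char password[64]; };   /* stand-in for ldminfo */

/* Volatile stores, so the compiler cannot drop the wipe as a dead store. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static void wipe_free(char *s) { if (s) { wipe(s, strlen(s)); free(s); } }

/* Returns 2 on success (new password kept in info for the login that
 * follows), 0 if the new password is rejected, -1 on allocation failure.
 * The temporary heap copy is wiped on every path; the caller owns
 * clearing info->password. */
int change_password_example(struct ldm_info_example *info, const char *typed_new)
{
    char *oldpw = strdup(info->password);
    int rc = 0;
    if (oldpw == NULL) return -1;
    if (strcmp(oldpw, typed_new) != 0 && strlen(typed_new) < sizeof info->password) {
        /* the exchange with the server would happen here (stubbed out) */
        strcpy(info->password, typed_new);
        rc = 2;
    }
    wipe_free(oldpw);
    return rc;
}

/* Caller, in the role main() plays in the thread: wipes on success and failure. */
int session_example(struct ldm_info_example *info, const char *typed_new)
{
    int rc = change_password_example(info, typed_new);
    int logged_in = (rc == 2 && info->password[0] != '\0'); /* stub for the login */
    wipe(info->password, sizeof info->password);
    return logged_in;
}

int main(void)
{
    struct ldm_info_example info = { "old-secret" };   /* constructed value */
    printf("logged in: %d\n", session_example(&info, "new-secret"));
    return 0;
}
```
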



Bug#482553: ldm: password change doesn't work

2008-05-30 Thread Vagrant Cascadian
found 482553 2:2.0.5-1
thanks

On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
 When trying to log in as a user with an expired password,
 I experienced the following problems:
 
 1) ldm first prompted for new password, and then prompted again (to confirm).
   After that it got stuck - I could enter text, but nothing happened.
 2) ldm doesn't check if the new password is equal to the old password.
   If it is, then the password won't be successfully changed.
 3) (with 1 and 2 fixed) ldm incorrectly zeros the password,
   so that the user has to enter the new password again to log in after
   a password change.
 
 I have attached a patch which should fix these problems.

thanks for the patch, i tested it and it seems to address the issues
mentioned.

unfortunately additional checks, possibly not present on etch, also
cause it to hang at the verifying password phase.  two that i found were
if the password is too similar to the previous password or if the
password is too short - these are likely common issues as well. i suspect
there are more.

the good news is that this part of ldm is currently being discussed by
ltsp developers, as it's totally broken for opensuse and gentoo's
password expiry, as they have totally different text.

live well,
  vagrant
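
The hang described above comes from waiting for one fixed string while the server prints something else. The following added example (not ldm's code and not part of the thread) waits for any of several outcomes and gives up on timeout or EOF; `expect_any` and `CHANGE_RESULTS` are hypothetical names, and the rejection strings in the table are assumed samples.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper, not ldm's expect(): returns the 1-based index of the
 * first pattern in the NULL-terminated pats[] found in data read from fd,
 * 0 on timeout or EOF, -1 on error. The timeout applies to each read. */
int expect_any(int fd, double timeout_s, const char *const pats[])
{
    char buf[1024];
    size_t len = 0;
    for (;;) {
        fd_set rfds;
        struct timeval tv = { .tv_sec = (long)timeout_s };
        tv.tv_usec = (long)((timeout_s - (double)tv.tv_sec) * 1e6);
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int r = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (r <= 0) return r;              /* 0: timed out, -1: error */
        if (len == sizeof buf - 1) {       /* buffer full: keep the newer half */
            memmove(buf, buf + len / 2, len - len / 2);
            len -= len / 2;
        }
        ssize_t n = read(fd, buf + len, sizeof buf - 1 - len);
        if (n <= 0) return (int)n;         /* 0: EOF, -1: error */
        len += (size_t)n;
        buf[len] = '\0';
        for (int i = 0; pats[i] != NULL; i++)
            if (strstr(buf, pats[i]) != NULL)
                return i + 1;
    }
}

/* Constructed table: entry 1 is the success text from the patch; the
 * rejection strings are assumed samples and vary by distribution. */
static const char *const CHANGE_RESULTS[] = {
    "updated successfully", "BAD PASSWORD", "Password unchanged", NULL
};

int main(void)
{
    int p[2];
    const char *msg = "BAD PASSWORD: it is too short\n";   /* constructed */
    if (pipe(p) != 0 || write(p[1], msg, strlen(msg)) < 0) return 1;
    printf("matched entry %d\n", expect_any(p[0], 1.0, CHANGE_RESULTS));
    return 0;
}
```

A caller treats entry 1 as success, any other positive index as a rejection to show to the user, and 0 as "no recognised answer", so it can report failure instead of waiting forever.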






Bug#482553: ldm: password change doesn't work

2008-05-30 Thread Vagrant Cascadian
On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
 When trying to log in as a user with an expired password,
 I experienced the following problems:
...snip... 
 I have attached a patch which should fix these problems.

applied your patch to the version just uploaded to unstable, even though
there are still likely cases where it will hang. i didn't close the bug
since there are outstanding issues.

i am curious if this line is a good idea, though:

@@ -256,7 +261,6 @@

 seen = expect(fd, 30.0, updated successfully, NULL);
 if (seen == 1) {
-bzero(ldminfo.password, sizeof ldminfo.password);
 return 2;
 }

by removing that line, is it leaving the password sitting in memory?

live well,
  vagrant






Bug#482553: ldm: password change doesn't work

2008-05-23 Thread John S. Skogtvedt
Package: ldm
Version: 2:2.0.3-1~40.etch.0
Severity: normal


When trying to log in as a user with an expired password,
I experienced the following problems:

1) ldm first prompted for new password, and then prompted again (to confirm).
  After that it got stuck - I could enter text, but nothing happened.
2) ldm doesn't check if the new password is equal to the old password.
  If it is, then the password won't be successfully changed.
3) (with 1 and 2 fixed) ldm incorrectly zeros the password,
  so that the user has to enter the new password again to log in after
  a password change.

I have attached a patch which should fix these problems.

Steps to reproduce:
1) Expire a user's password on the server.
2) Attempt to log in as the user with ldm.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-486
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages ldm depends on:
ii  gtk2-engines [gtk2-eng 1:2.8.2-1         theme engines for GTK+ 2.x
ii  gtk2-engines-clearlook 1:2.8.2-1         Clearlooks GTK+ 2.x engine and the
ii  libatk1.0-0            1.12.4-3          The ATK accessibility toolkit
ii  libc6                  2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii  libcairo2              1.2.4-4.1+etch1   The Cairo 2D vector graphics libra
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgtk2.0-0            2.8.20-7          The GTK+ graphical user interface
ii  libpango1.0-0          1.14.8-5          Layout and rendering of internatio
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1.1.7-4           X cursor management library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.1-5         X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4         X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1       X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5       X11 RandR extension library
ii  libxrender1            1:0.9.1-3         X Rendering Extension client libra
ii  openssh-client         1:4.3p2-9etch2    Secure shell client, an rlogin/rsh
ii  xserver-xorg           1:7.1.0-19        the X.Org X server
ii  xserver-xorg-core [xse 2:1.1.1-21etch4   X.Org X server -- core server

Versions of packages ldm recommends:
ii  netcat                 1.10-32           TCP/IP swiss army knife

-- no debconf information
--- src.orig/sshutils.c	2008-05-23 14:36:04.0 +0200
+++ src/sshutils.c	2008-05-23 14:37:00.0 +0200
@@ -227,6 +227,10 @@
 
 while (TRUE) {
 get_passwd();
+if (!strcmp(oldpw, ldminfo.password)) {
+set_message(_(You have to enter a new password.));
+continue;
+}
 newpw1 = strdup(ldminfo.password);
 set_message(_(Please enter your password again to verify.));
 get_passwd();
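Review bot: the added `strcmp(oldpw, ldminfo.password)` test only rejects a new password that is identical to the old one, and the `continue` after it re-enters `get_passwd()` with no limit on retries. The thread reports that the server also refuses passwords that are too similar or too short, so a comment here should say this is a client-side convenience check and that server rejections are handled elsewhere; `strcmp(...) == 0` would read more clearly than `!strcmp(...)`. The context line `newpw1 = strdup(ldminfo.password)` creates a heap copy of the password, and the visible lines do not show it being cleared before it is freed.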
@@ -240,6 +244,7 @@
 }
 
 /* send old password first */
+seen = expect(fd, 30.0, ssword:, NULL);
 write(fd, oldpw, strlen(oldpw));
 write(fd, \n, 1);
 
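Review bot: at the added `seen = expect(fd, 30.0, ssword:, NULL);` the result is stored but never tested, so when the prompt is not matched the two `write()` calls that follow still send `oldpw` down `fd`. Test `seen` and take the failure path when the password prompt was not seen, and consider checking the `write()` return values as well.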
@@ -256,7 +261,6 @@
 
 seen = expect(fd, 30.0, updated successfully, NULL);
 if (seen == 1) {
-bzero(ldminfo.password, sizeof ldminfo.password);
 return 2;
 }
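Review bot: with the `bzero()` removed from the `seen == 1` branch, `return 2;` now hands back a populated `ldminfo.password`, and nothing at this site records that the caller is responsible for clearing it. Add a comment at the `return 2;` stating that the buffer is kept on purpose for the login that follows and naming where it is wiped, so that a later change to the caller does not silently leave the password in memory.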