Bug#482553: ldm: password change doesn't work
Vagrant Cascadian wrote:
> On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
> > When trying to log in as a user with an expired password, I experienced the following problems:
> > ...snip...
> > I have attached a patch which should fix these problems.
>
> applied your patch to the version just uploaded to unstable, even though there are still likely cases where it will hang. i didn't close the bug since there are outstanding issues.
>
> i am curious if this line is a good idea, though:
>
> @@ -256,7 +261,6 @@ seen = expect(fd, 30.0, updated successfully, NULL); if (seen == 1) { -bzero(ldminfo.password, sizeof ldminfo.password); return 2; }
>
> by removing that line, is it leaving the password sitting in memory?
>
> live well, vagrant

Zeroing the password there means that the user has to enter the password a third time to be able to log in (and ldm doesn't give proper feedback). It shouldn't be a problem, because the password is zeroed in main().
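The trade-off discussed in this exchange, keeping the new password available for the login that follows a successful change while still clearing it afterwards, can be modelled as below. This is an added example, not code from ldm or from either poster; `struct session`, `change_password`, `login_flow`, `secure_wipe` and the sample passwords are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define PW_MAX 64

/* Hypothetical stand-in for ldm's ldminfo; only the password is modelled. */
struct session { char password[PW_MAX]; };

/* Call memset through a volatile pointer so the compiler cannot discard the
 * wipe as a dead store, which it may do with a plain memset or bzero. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Constructed model of the change step: returns 2 on success and leaves the
 * new password in s->password for the login; the heap copy is wiped. */
int change_password(struct session *s, const char *oldpw,
                    const char *entered, const char *confirmed)
{
    size_t len = strlen(entered);
    char *newpw1 = malloc(len + 1);
    int rc = 0;
    if (newpw1 == NULL)
        return 0;
    memcpy(newpw1, entered, len + 1);
    if (len < PW_MAX && strcmp(oldpw, newpw1) != 0
        && strcmp(newpw1, confirmed) == 0) {
        memcpy(s->password, newpw1, len + 1);
        rc = 2;
    }
    secure_wipe(newpw1, len + 1);
    free(newpw1);
    return rc;
}

/* The caller owns the final wipe and performs it on every path. */
int login_flow(struct session *s, const char *oldpw,
               const char *entered, const char *confirmed)
{
    int ok = change_password(s, oldpw, entered, confirmed) == 2
             && s->password[0] != '\0';  /* real code would log in here */
    secure_wipe(s->password, sizeof s->password);
    return ok;
}

int main(void)
{
    struct session s = {{0}};
    return login_flow(&s, "old-pw", "new-pw-1", "new-pw-1") ? 0 : 1;
}
```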
Bug#482553: ldm: password change doesn't work
found 482553 2:2.0.5-1
thanks

On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
> When trying to log in as a user with an expired password, I experienced the following problems:
>
> 1) ldm first prompted for new password, and then prompted again (to confirm). After that it got stuck - I could enter text, but nothing happened.
> 2) ldm doesn't check if the new password is equal to the old password. If it is, then the password won't be successfully changed.
> 3) (with 1 and 2 fixed) ldm incorrectly zeros the password, so that the user has to enter the new password again to log in after a password change.
>
> I have attached a patch which should fix these problems.

thanks for the patch, i tested it and it seems to address the issues mentioned.

unfortunately additional checks, possibly not present on etch, also cause it to hang at the verifying password phase. two that i found were if the password is too similar to the previous password or if the password is too short- these are likely common issues as well. i suspect there are more.

the good news is that this part of ldm is currently being discussed by ltsp developers, as it's totally broken for opensuse and gentoo's password expiry, as they have totally different text.

live well, vagrant
Bug#482553: ldm: password change doesn't work
On Fri, May 23, 2008 at 03:59:18PM +0200, John S. Skogtvedt wrote:
> When trying to log in as a user with an expired password, I experienced the following problems:
> ...snip...
> I have attached a patch which should fix these problems.

applied your patch to the version just uploaded to unstable, even though there are still likely cases where it will hang. i didn't close the bug since there are outstanding issues.

i am curious if this line is a good idea, though:

@@ -256,7 +261,6 @@ seen = expect(fd, 30.0, updated successfully, NULL); if (seen == 1) { -bzero(ldminfo.password, sizeof ldminfo.password); return 2; }

by removing that line, is it leaving the password sitting in memory?

live well, vagrant
Bug#482553: ldm: password change doesn't work
Package: ldm
Version: 2:2.0.3-1~40.etch.0
Severity: normal

When trying to log in as a user with an expired password, I experienced the following problems:

1) ldm first prompted for new password, and then prompted again (to confirm). After that it got stuck - I could enter text, but nothing happened.
2) ldm doesn't check if the new password is equal to the old password. If it is, then the password won't be successfully changed.
3) (with 1 and 2 fixed) ldm incorrectly zeros the password, so that the user has to enter the new password again to log in after a password change.

I have attached a patch which should fix these problems.

Steps to reproduce:
1) Expire a user's password on the server.
2) Attempt to log in as the user with ldm.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-486
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages ldm depends on:
ii  gtk2-engines [gtk2-eng 1:2.8.2-1          theme engines for GTK+ 2.x
ii  gtk2-engines-clearlook 1:2.8.2-1          Clearlooks GTK+ 2.x engine and the
ii  libatk1.0-0            1.12.4-3           The ATK accessibility toolkit
ii  libc6                  2.3.6.ds1-13etch5  GNU C Library: Shared libraries
ii  libcairo2              1.2.4-4.1+etch1    The Cairo 2D vector graphics libra
ii  libfontconfig1         2.4.2-1.2          generic font configuration library
ii  libglib2.0-0           2.12.4-2           The GLib library of C routines
ii  libgtk2.0-0            2.8.20-7           The GTK+ graphical user interface
ii  libpango1.0-0          1.14.8-5           Layout and rendering of internatio
ii  libx11-6               2:1.0.3-7          X11 client-side library
ii  libxcursor1            1.1.7-4            X cursor management library
ii  libxext6               1:1.0.1-2          X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.1-5          X11 miscellaneous 'fixes' extensio
ii  libxi6                 1:1.0.1-4          X11 Input extension library
ii  libxinerama1           1:1.0.1-4.1        X11 Xinerama extension library
ii  libxrandr2             2:1.1.0.2-5        X11 RandR extension library
ii  libxrender1            1:0.9.1-3          X Rendering Extension client libra
ii  openssh-client         1:4.3p2-9etch2     Secure shell client, an rlogin/rsh
ii  xserver-xorg           1:7.1.0-19         the X.Org X server
ii  xserver-xorg-core [xse 2:1.1.1-21etch4    X.Org X server -- core server

Versions of packages ldm recommends:
ii  netcat                 1.10-32            TCP/IP swiss army knife

-- no debconf information

--- src.orig/sshutils.c 2008-05-23 14:36:04.0 +0200 +++ src/sshutils.c 2008-05-23 14:37:00.0 +0200 @@ -227,6 +227,10 @@ while (TRUE) { get_passwd(); +if (!strcmp(oldpw, ldminfo.password)) { +set_message(_(You have to enter a new password.)); +continue; +} newpw1 = strdup(ldminfo.password); set_message(_(Please enter your password again to verify.)); get_passwd(); @@ -240,6 +244,7 @@ } /* send old password first */ +seen = expect(fd, 30.0, ssword:, NULL); write(fd, oldpw, strlen(oldpw)); write(fd, \n, 1); @@ -256,7 +261,6 @@ seen = expect(fd, 30.0, updated successfully, NULL); if (seen == 1) { -bzero(ldminfo.password, sizeof ldminfo.password); return 2; }
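Review bot: in the first hunk (@@ -227,6 +227,10 @@), the added strcmp(oldpw, ldminfo.password) test covers only the one refusal that can be detected before talking to the server. The follow-up in this thread reports the same hang when the server rejects a password as too short or too similar, so a rejection also needs handling where the server's reply is read, with a message to the user and a retry, rather than relying on this pre-check alone. Separately, the context line newpw1 = strdup(ldminfo.password) creates a heap copy of the password; the hunk does not show it being cleared before it is freed, which is worth confirming.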
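Review bot: in the second hunk (@@ -240,6 +244,7 @@), the result of the new expect(fd, 30.0, ssword:, NULL) call is stored in seen but never tested before write(fd, oldpw, strlen(oldpw)) runs, so the old password is written to fd even when the prompt was not matched. Check seen and abandon the change, with a message to the user, when the prompt did not appear. The two write() calls in the context lines also ignore their return values.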
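Review bot: in the third hunk (@@ -256,7 +261,6 @@), dropping the bzero before return 2 means ldminfo.password stays populated after a successful change, and nothing in the visible lines says who clears it. The reply in this thread states that main() does; add a comment at the return 2 saying the caller is responsible for wiping ldminfo.password, and confirm that main() wipes it on every exit path, error paths included.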