[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-06-08 Thread Eduardo Barretto
This is now released with usg 20.04.17

** Changed in: usg
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1989731

Title:
  Non-root user unable to change own password if pam_pwhistory is used

Status in Ubuntu Security Guide:
  Fix Released
Status in pam package in Ubuntu:
  In Progress

Bug description:
  When pam_pwhistory is in use non-root users are unable to change their
  passwords. In fact, they are able to change it but the system spits
  out an error even though the password was indeed changed.

  Reproducer:
  ---

  1. created an Ubuntu/Focal VM
  2. added a user 'test'

  sudo adduser test # used passwd '123'
  su test

  3. changed the password using 'passwd' logged in as the user 'test'

  passwd test # used passwd '1qaz2wsx'

  4. logged out from 'test' and executed

  echo 'password required pam_pwhistory.so remember=5' | sudo tee -a /etc/pam.d/common-password

  5. tried again to follow step 3 as user 'test' but the following
  happens:

  passwd test # used passwd '3edc4rfv' (1)
  Changing password for test.
  Current password:
  New password:
  Retype new password:
  Password has been already used. Choose another.
  passwd: Have exhausted maximum number of retries for service
  passwd: password unchanged

  However, I'm now able to log in as 'test' using the password in
  (1) (the one that was supposedly not set up due to having been
  already used) instead of the old one (the one that should be in
  place since the change process returned an error).

  6. if I comment out 'password required pam_pwhistory.so remember=5'
  then I can log in as 'test' and change the password without issues

  This behavior has been verified with the below package versioning:

  ii  libpam-cap:amd64      1:2.32-1           amd64  POSIX 1003.1e capabilities (PAM module)
  ii  libpam-modules:amd64  1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules for PAM
  ii  libpam-modules-bin    1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules for PAM - helper binaries
  ii  libpam-runtime        1.3.1-5ubuntu4.3   all    Runtime support for the PAM library
  ii  libpam-systemd:amd64  245.4-4ubuntu3.15  amd64  system and service manager - PAM module
  ii  libpam0g:amd64        1.3.1-5ubuntu4.3   amd64  Pluggable Authentication Modules library

To manage notifications about this bug go to:
https://bugs.launchpad.net/usg/+bug/1989731/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-04-25 Thread David Fernandez Gonzalez
Thanks for the heads up Alejandro!

A fix was committed and merged for the CIS/USG tooling.

We are preparing a new version but we are still working on some other
fixes to include. I'll update the thread when it comes out.

** Changed in: pam (Ubuntu)
   Status: New => Fix Committed

** Changed in: pam (Ubuntu)
   Status: Fix Committed => In Progress

** Changed in: usg
   Status: In Progress => Fix Committed



[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-04-17 Thread Alejandro Santoyo Gonzalez
The CIS recommendations containing the fix for this issue have been
already released [1][2].

The next step would be to fix the CIS/USG tooling so that it follows the
new guidelines.

[1] https://workbench.cisecurity.org/benchmarks/11909
[2] https://workbench.cisecurity.org/sections/1668741/recommendations/2682696



[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2023-03-02 Thread Alejandro Santoyo Gonzalez
It seems like if the line:

'password required pam_pwhistory.so remember=5'

is added before the pam_unix line in /etc/pam.d/common-password,
everything works as expected because the new password now won't match
the "old" password that was already in the shadow file (which is what
happens if the pam_pwhistory line is set after pam_unix).

The problem is that the CIS tooling for Ubuntu seems to be adding this
line at the end of the file, hence causing the issue. Do we need to
modify this bug in any way to ensure the CIS implementation is
amended/fixed as needed?

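The ordering condition described in the message above can be audited with a short script. This is an added example, not part of the original message or of the CIS/USG tooling; the function name check_pwhistory_order and both sample files are constructed for illustration, and the check reads a single file without following @include lines.

```shell
#!/bin/sh
# check_pwhistory_order FILE   (hypothetical helper, not from the thread)
# Return status:
#   0  pam_pwhistory precedes pam_unix in the password stack
#   1  pam_pwhistory comes after pam_unix (the ordering the thread
#      identifies as the cause of the false "password unchanged" error)
#   2  pam_pwhistory or pam_unix is absent from the password stack
check_pwhistory_order() {
    awk '
        { sub(/#.*/, "") }                                # drop comments
        $1 != "password" && $1 != "-password" { next }    # password stack only
        /pam_unix\.so/      && !unix_ln { unix_ln = NR }  # first pam_unix line
        /pam_pwhistory\.so/ && !hist_ln { hist_ln = NR }  # first pam_pwhistory line
        END {
            if (!hist_ln || !unix_ln) exit 2
            exit ((hist_ln < unix_ln) ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample files, modelled on a common-password layout.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
bad="$tmp/common-password.appended"
good="$tmp/common-password.reordered"

# pam_pwhistory appended at the end of the file, as in step 4 of the reproducer.
cat > "$bad" <<'EOF'
password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
password required pam_pwhistory.so remember=5
EOF

# Same lines with pam_pwhistory placed before pam_unix.
cat > "$good" <<'EOF'
password required pam_pwhistory.so remember=5
password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

for f in "$bad" "$good"; do
    rc=0
    check_pwhistory_order "$f" || rc=$?
    case $rc in
        0) echo "$f: ok, pam_pwhistory runs before pam_unix" ;;
        1) echo "$f: misordered, pam_pwhistory runs after pam_unix" ;;
        *) echo "$f: pam_pwhistory or pam_unix missing from password stack" ;;
    esac
done
```

On a real system the function would be pointed at /etc/pam.d/common-password; a return status of 1 flags the layout the reproducer creates.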


[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2022-11-24 Thread David Fernandez Gonzalez
** Changed in: usg
 Assignee: (unassigned) => David Fernandez Gonzalez (litios)

** Changed in: usg
   Status: New => In Progress



[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2022-11-15 Thread Eduardo Barretto
** Project changed: ubuntu-security-certifications => usg



[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

2022-11-08 Thread Alejandro Santoyo Gonzalez
** Also affects: ubuntu-security-certifications
   Importance: Undecided
   Status: New
