Mailinglist Archive: opensuse-security (37 mails)
| < Previous | Next > |
Re: [opensuse-security] SLES 11.1: passwd writes password to /etc/passwd
- From: Werner Flamme <werner.flamme@xxxxxx>
- Date: Thu, 26 Aug 2010 14:38:29 +0200
- Message-id: <4C766045.2000203@xxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Frank Steiner [26.08.2010 13:55]:
Would you please be so kind and give me the info, where I /can/
configure this behaviour? I will be glad to change it to somewhat safer...
I do not remember to have configured that users with /bin/csh get their
passwords stored in /etc/passwd, or that /etc/shadow is ignored for
those users.
BTW, I have only x86_64 boxes. Tried it again on another VM:
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$05$4jD2b5NwFNiBIeD28YkGz.c3w60XqGInsLsWEacAACedg6S5wWzNG:14775:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::
OK, password changed, user is in both files. Now I cange the user's
shell to bash via YaST.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::
Everything OK again. Now I use YaST to change the user's shell to csh:
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$DMdqOfe0XL4eU32XETq8..MmZTvndEvwyue8OO4t/HnjQzUZ.xXoW:14847:0:99999:7:::
Great. It works!
But still not on the first server. All servers are drawn from the same
VM template. "diff" does not tell me a difference between the respective
/usr/bin/passwd files.
Where the ... did I configure that?
Regards,
Werner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkx2YEUACgkQk33Krq8b42MEQQCeL0jy4n9M+jmKz9/8u2yQTAr8
6DgAn0EXp+X/rDQiULq1D1pj0mf+pfKv
=CWOe
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
Hash: SHA1
Frank Steiner [26.08.2010 13:55]:
Werner Flamme wrote
using the passwd command at the commandline caused the passwords to be
inserted in the /etc/passwd file.
I cannot reproduce this on our SLES 11 SP1 ppc64 and x86_64 systems.
You must have some config other than ours that triggers this bug...
Would you please be so kind and give me the info, where I /can/
configure this behaviour? I will be glad to change it to somewhat safer...
I do not remember to have configured that users with /bin/csh get their
passwords stored in /etc/passwd, or that /etc/shadow is ignored for
those users.
BTW, I have only x86_64 boxes. Tried it again on another VM:
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$05$4jD2b5NwFNiBIeD28YkGz.c3w60XqGInsLsWEacAACedg6S5wWzNG:14775:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::
OK, password changed, user is in both files. Now I cange the user's
shell to bash via YaST.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::
Everything OK again. Now I use YaST to change the user's shell to csh:
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$DMdqOfe0XL4eU32XETq8..MmZTvndEvwyue8OO4t/HnjQzUZ.xXoW:14847:0:99999:7:::
Great. It works!
But still not on the first server. All servers are drawn from the same
VM template. "diff" does not tell me a difference between the respective
/usr/bin/passwd files.
Where the ... did I configure that?
Regards,
Werner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkx2YEUACgkQk33Krq8b42MEQQCeL0jy4n9M+jmKz9/8u2yQTAr8
6DgAn0EXp+X/rDQiULq1D1pj0mf+pfKv
=CWOe
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
| < Previous | Next > |