[opensuse-security] SLES 11.1: passwd writes password to /etc/passwd
Hi,

I just got a shock: I logged in on a SLES 11 SP 1 server as root, and used "passwd myuser" to change myuser's password. It worked, /etc/shadow was updated. But to my utter astonishment /etc/passwd was, too. I did a "grep myuser /etc/passwd" and found the same password as in /etc/shadow in the second column of /etc/passwd. Every other user had the standard "x" at this place. I tried again with "passwd othruser", and again I found the passwd written down to both files.

othruser:$2a$10$TSkGc/dhXzjTUZDFvbZsKuuRlvnCo.nlUXvE9vSVTinjoKIYox1wm:1001:55:Oracle Admin:/oracle/othr:/bin/csh
myuser:$2a$10$S5M02XK8FbhbBKQEn74IF.f4EX8WMOCNM5T22z8mWNZecTmZdBFlm:1002:1000:SAP Admin:/home/myuser:/bin/csh

Now I used the YaST user management module, looked here and there, changed some info about LDAP servers (LDAP was not used for authentication, but the config was shown), and after closing the module, the passwords were gone from /etc/passwd.

I am using pwdutils-3.2.8-0.2.35 on this system. I do not recognize writing passwords to /etc/passwd as a feature. Do I have to open a bugzilla entry or is this a matter of (wrong) configuration?

Regards,
Werner

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Werner Flamme wrote:
I do not recognize writing passwords to /etc/passwd as a feature. Do I have to open a bugzilla entry or is this a matter of (wrong) configuration?
If you managed to get into that situation using YaST it's probably worth a bug report, yes. We'd need a way to reproduce the problem though. I couldn't reproduce it by simply clicking some LDAP related buttons at least. passwd always correctly uses /etc/shadow here.

cu
Ludwig

--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ludwig Nussel [26.08.2010 11:56]:
Werner Flamme wrote:
I do not recognize writing passwords to /etc/passwd as a feature. Do I have to open a bugzilla entry or is this a matter of (wrong) configuration?
If you managed to get into that situation using YaST it's probably worth a bug report, yes. We'd need a way to reproduce the problem though. I couldn't reproduce it by simply clicking some ldap related buttons at least. passwd always correctly uses /etc/shadow here.
Ludwig, using the passwd command at the commandline caused the passwords to be inserted in the /etc/passwd file. Using YaST removed them again, so now the file is clean again. Reproducing would only mean to use passwd on the commandline for some non-deactivated user. Using passwd for root himself did not write the password to /etc/passwd. I do not complain about the YaST module working OK ;-)

# grep ufqadm /etc/passwd
ufqadm:x:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# LANG=C passwd ufqadm
Changing password for ufqadm.
New Password:
Reenter New Password:
Passwords do not match.
New Password:
Reenter New Password:
Password changed.
# grep ufqadm /etc/passwd
ufqadm:$2a$10$TDsH.MDlYLbvOxtAvi7hSeDvJ4cvLU/49Wc9LiyMsEIfVwUcl1.GW:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# grep ufqadm /etc/shadow

Oh, nice, no entry in /etc/shadow for that user!

When I try the same with a deactivated user (shell is set to /bin/false), the password is not inserted into /etc/passwd. And the user is still in /etc/shadow.

Regards,
Werner
Werner Flamme [26.08.2010 12:44]:
# grep ufqadm /etc/passwd
ufqadm:x:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# LANG=C passwd ufqadm
Changing password for ufqadm.
New Password:
Reenter New Password:
Passwords do not match.
New Password:
Reenter New Password:
Password changed.
# grep ufqadm /etc/passwd
ufqadm:$2a$10$TDsH.MDlYLbvOxtAvi7hSeDvJ4cvLU/49Wc9LiyMsEIfVwUcl1.GW:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# grep ufqadm /etc/shadow
Oh, nice, no entry in /etc/shadow for that user!
When I try the same with a deactivated user (shell is set to /bin/false), the password is not inserted into /etc/passwd. And the user is still in /etc/shadow.
Next try was to reactivate the deactivated user "erster". After that, the password was removed from the file /etc/passwd.

# grep ufqadm /etc/passwd
ufqadm:x:1002:1000:SAP Admin:/home/ufqadm:/bin/csh

But still no entry for user ufqadm in /etc/shadow, so the user is unusable now. Only after re-changing the password via YaST is ufqadm back in /etc/shadow.

OK, note to myself and my colleagues: change passwords only via YaST.

Regards,
Werner
Werner Flamme [26.08.2010 13:07]:
Next try was to reactivate the deactivated user "erster". After that, the password was removed from the file /etc/passwd.
Always replying to myself. Hopefully this does not become my new standard.

I reactivated "erster" via YaST (and changed his password). So the YaST module ran through /etc/passwd and corrected the entry for "ufqadm" by the way. Obviously, passwd forgets to trigger pwconv, at least for users with shell = /bin/csh :-(

Regards,
Werner
Werner Flamme wrote:
using the passwd command at the commandline caused the passwords to be inserted in the /etc/passwd file.
I cannot reproduce this on our SLES 11 SP1 ppc64 and x86_64 systems. You must have some config other than ours that triggers this bug...

--
Dipl.-Inform. Frank Steiner
Lehrstuhl f. Bioinformatik, LMU, Amalienstr. 17, 80333 Muenchen, Germany
Web: http://www.bio.ifi.lmu.de/~steiner/
Mail: http://www.bio.ifi.lmu.de/~steiner/m/
Phone: +49 89 2180-4049
Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
Frank Steiner [26.08.2010 13:55]:
Werner Flamme wrote:
using the passwd command at the commandline caused the passwords to be inserted in the /etc/passwd file.
I cannot reproduce this on our SLES 11 SP1 ppc64 and x86_64 systems. You must have some config other than ours that triggers this bug...
Would you please be so kind and give me the info where I /can/ configure this behaviour? I will be glad to change it to something safer... I do not remember having configured that users with /bin/csh get their passwords stored in /etc/passwd, or that /etc/shadow is ignored for those users.

BTW, I have only x86_64 boxes.

Tried it again on another VM:

# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$05$4jD2b5NwFNiBIeD28YkGz.c3w60XqGInsLsWEacAACedg6S5wWzNG:14775:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::

OK, password changed, user is in both files. Now I change the user's shell to bash via YaST.

# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$gQrxJv3zjUY.4AnrXIECvezfNhSdIiWHABHrT1t.Il6e.wIqtx96m:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/bash
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::

Everything OK again. Now I use YaST to change the user's shell to csh:

# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$bRGXCPPb/mh3EXfs9/jQzuupBYKw95M4wFofoILgTYkdFmby4XhBG:14847:0:99999:7:::
# LANG=C passwd erster
Changing password for erster.
New Password:
Bad password: too simple
Reenter New Password:
Password changed.
# grep erster /etc/passwd
erster:x:1000:100:Erster Eins:/home/erster:/bin/csh
# grep erster /etc/shadow
erster:$2a$10$DMdqOfe0XL4eU32XETq8..MmZTvndEvwyue8OO4t/HnjQzUZ.xXoW:14847:0:99999:7:::

Great. It works! But still not on the first server. All servers are drawn from the same VM template. "diff" does not tell me a difference between the respective /usr/bin/passwd files. Where the ... did I configure that?

Regards,
Werner
Werner Flamme wrote:
# grep ufqadm /etc/passwd
ufqadm:$2a$10$TDsH.MDlYLbvOxtAvi7hSeDvJ4cvLU/49Wc9LiyMsEIfVwUcl1.GW:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# grep ufqadm /etc/shadow
Oh, nice, no entry in /etc/shadow for that user!
Indeed passwd sets the password for a user in /etc/passwd if no shadow entry exists. How did you create that user? useradd creates entries in both passwd and shadow, so a user without a shadow entry shouldn't even exist.

cu
Ludwig

--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
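The fallback Ludwig describes (a hash landing in /etc/passwd when the account has no /etc/shadow line) is easy to audit for. The following is an added example, not code from the thread or from pwdutils: it flags passwd entries whose second field is not the "x" placeholder and entries with no matching shadow line, and runs against constructed sample files that mirror the ufqadm case; the hash values in them are placeholders. It assumes shadow passwords are in use, as on the SLES systems discussed.

```sh
#!/bin/sh
# Added audit example, not code from the thread: list accounts whose /etc/passwd
# line carries something other than the "x" shadow placeholder in field 2, and
# accounts that have no /etc/shadow line at all (the state in which passwd falls
# back to writing the hash into /etc/passwd). Assumes shadow passwords are in use.

# Usage: audit_passwd_shadow PASSWD_FILE SHADOW_FILE
# Prints one finding per line: "<user> hash-in-passwd", "<user> empty-password",
# or "<user> no-shadow-entry". No output means the two files are consistent.
audit_passwd_shadow() {
    # awk reads the shadow file first (ARGV[1]), then the passwd file.
    awk -F: '
        # Pass 1 (shadow file): remember every account that has a shadow line.
        FILENAME == ARGV[1] { if ($1 != "") shadow[$1] = 1; next }
        # Pass 2 (passwd file): skip blank lines and comments.
        $1 == "" || $1 ~ /^#/ { next }
        $2 == ""              { print $1, "empty-password" }
        $2 != "" && $2 != "x" { print $1, "hash-in-passwd" }
        !($1 in shadow)       { print $1, "no-shadow-entry" }
    ' "$2" "$1"
}

# Constructed sample files mirroring the thread: "ufqadm" has a hash in passwd
# and no shadow line, "erster" and root are consistent. Hashes are placeholders.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
erster:x:1000:100:Erster Eins:/home/erster:/bin/false
ufqadm:$2a$10$CONSTRUCTED.PLACEHOLDER.HASH:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$2a$10$CONSTRUCTED.PLACEHOLDER.HASH:14847:0:99999:7:::
erster:$2a$05$CONSTRUCTED.PLACEHOLDER.HASH:14775:0:99999:7:::
EOF

# On a real host run: audit_passwd_shadow /etc/passwd /etc/shadow
audit_passwd_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

For the sample files this prints "ufqadm hash-in-passwd" and "ufqadm no-shadow-entry". Running pwconv afterwards moves any hash found in /etc/passwd into /etc/shadow and puts the "x" back, which is the repair the thread otherwise reached through YaST.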
Ludwig Nussel [26.08.2010 14:19]:
Werner Flamme wrote:
# grep ufqadm /etc/passwd
ufqadm:$2a$10$TDsH.MDlYLbvOxtAvi7hSeDvJ4cvLU/49Wc9LiyMsEIfVwUcl1.GW:1002:1000:SAP Admin:/home/ufqadm:/bin/csh
# grep ufqadm /etc/shadow
Oh, nice, no entry in /etc/shadow for that user!
Indeed passwd sets the password for a user in /etc/passwd if no shadow entry exists. How did you create that user? useradd creates entries in both passwd and shadow so a user without shadow entry shouldn't even exist.
So I understood the man pages of passwd and pwconv.

The user was initially created as "sidadm" with YaST in one VM, then the VMs were cloned and the user was renamed (by changing the "username" field in YaST) according to the SAP system that is going to run on it (since it is essential that those users all have the same numerical ID). All SAP users are found in /etc/passwd as well as in /etc/shadow. The only thing I can imagine is that the renaming went wrong in (at least) one case.

Sorry for the uproar :-(

Regards,
Werner