
Bug 37434

Summary: poppassd_pam does not change password
Product: Gentoo Linux
Reporter: Troels Blum <troels>
Component: [OLD] Server
Assignee: Net-Mail Packages <net-mail+disabled>
Severity: normal
CC: cryos
Priority: High
Keywords: InVCS
Version: unspecified
Hardware: x86
OS: Linux
Package list:
Runtime testing required: ---
Attachments: poppassd_ceti-1.8.4.ebuild

Description Troels Blum 2004-01-06 16:25:01 UTC
poppassd does not work, as explained in Bug# 10283, Additional Comment #2.
I have installed poppassd-ceti (or simply poppassd) in version 1.8.4.
It works, it is a lot newer, and seems to be maintained, unlike poppassd_pam.
Oh - and it has PAM support. So please replace poppassd_pam with poppassd-ceti in portage.
Here is a link:

Thank You

Reproducible: Always
Steps to Reproduce:
See Bug# 10283, Additional Comment #2
Actual Results:

Expected Results:
Changes the password or reports an error
Comment 1 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-01-29 08:48:01 UTC
I would like to add that I have just downloaded and installed poppassd-ceti - it works great whereas poppassd_pam did not function correctly on my system. I would like to see this package added to portage if possible, and the removal or correction of poppassd_pam.
Comment 2 Henrique Dias 2004-04-06 04:35:35 UTC
Edit /etc/pam.d/poppassd
-> Comment out this line
#password   required    /lib/security/
-> and add these lines
auth       required     /lib/security/ service=system-auth
account    required     /lib/security/ service=system-auth
password   required     /lib/security/ service=system-auth
Comment 3 David Röhr 2004-11-11 14:55:17 UTC
The PAM lines fix this issue (what Henrique Dias says). Why hasn't there been any update to the portage package? It's been 7 months, and no change whatsoever. This package doesn't work unless the PAM file is updated.
Comment 4 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-11-18 18:19:38 UTC
I was just testing this package with the new PAM entries and it made it a lot worse for me. Instead of not changing my password it allowed me to type any user name that was valid, a random password 1 character or more and a new password. It then changed it to the new password for me - on both x86 and amd64 systems!

I would not recommend using this program, or those PAM settings with it. I have however made an ebuild for poppassd-ceti. I have been successfully using a hand compiled version for about six months now. I had to patch it for newer GCCs - it also seems to have been unmaintained since 2002, but does seem to work much better than poppassd_pam.

Please test the ebuild and let me know how it works for you guys. I have used the original poppassd_pam ebuild as inspiration but changed the bits that seemed to need updating. I am no PAM expert, so maybe someone could check the poppassd PAM file too? If it functions correctly, do I need to open a new bug report to request its addition to portage?

I think poppassd_pam should be removed as it does not seem to function correctly.
Comment 5 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-11-18 18:20:37 UTC
Created attachment 44260
Comment 6 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-11-18 18:21:24 UTC
Created attachment 44261
Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-11-18 18:21:45 UTC
Created attachment 44262
Comment 8 Marcus D. Hanwell (RETIRED) gentoo-dev 2004-11-18 18:22:09 UTC
Created attachment 44263
Comment 9 Martin bene 2004-12-27 09:58:47 UTC
I've just tried installing poppassd_pam and I've encountered the same problem as specified previously:
poppassd_pam accepts any password whatsoever and sets a new one.

guys, this is HORRIBLE from a security point of view, the current ebuild needs to be masked/removed (or fixed) IMMEDIATELY

Comment 10 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-01-07 22:55:36 UTC
Created attachment 47919

Added cracklib USE flag.
Comment 11 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-01-07 22:56:31 UTC
Created attachment 47920
Comment 12 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-01-07 22:57:06 UTC
Created attachment 47921
Comment 13 Nick Palmer 2005-01-19 00:44:18 UTC
Hey all,

The new poppassd_ceti does not work properly on my system at all. I had just deployed poppassd_pam in a (fortunately) limited environment (only available on localhost with a PHP script from an authenticated webpage) when the GLSA for the package came out. I have patched the poppassd_pam code by hand to do the authentication step that was missing.

It seems to me that the code for poppassd_ceti does not properly respond to all parts of the pam conversation, as it always places the new password in the response at the change step, when it needs to specify the old password in the first part of the conversation and then the new password there after. (If you compare the code for the two you will see what I mean. The poppassd_pam switches based on what pam is asking for. The new version switches on a global state flag.)

This is evidenced to me from the logs when I try to change a password with the new poppassd_ceti. (I am running pam_krb5afs to authenticate against Kerberos and get an AFS token at the same time.) I get the following in the log when I turn on debug for the pam_krb5afs module:
pam_krb5afs: authentication succeeds for `guest'
pam_krb5afs: can't change password for guest: -1765328353 (Decrypt integrity check failed)

This implies that the module is authenticating properly the first time, but is not putting the old password into the response for the part of the PAM conversation where PAM is requesting it so that it can pass that along to the pam_krb5afs module.

The patch to the old poppassd_pam was trivial to add, though the place I added it is later in the poppassd conversation than in the new ceti version, so it always asks for the old and new even if the old won't work. I consider this a feature. ;)

I am not a huge PAM hacker, but I will try to come up with a patch for the new version that solves this problem in the next couple of days.

Here are the changes I made to the old poppassd_pam to make it secure:
diff poppassd_pam.c.orig poppassd_pam.c
> #include <stdio.h>
>     rc = pam_authenticate(hdl, 0);
>     if(rc != PAM_SUCCESS)
>     {
>       WriteToClient("500 %s",pam_strerror(hdl, rc));
>       return (1);
>     }
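Review bot: the added pam_authenticate() check is the right fix, but this diff carries no line numbers or context, so where the block lands relative to pam_start() and pam_chauthtok() cannot be confirmed from these lines; it must run after pam_start() has the user name and before pam_chauthtok(), and a pam_acct_mgmt() call after it would also stop locked or expired accounts from changing their password (let PAM_NEW_AUTHTOK_REQD through, since an expired password is the normal reason to use poppassd). Two smaller points: `WriteToClient("500 %s",pam_strerror(hdl, rc));` echoes PAM's own error text to an unauthenticated network client, which with some modules distinguishes an unknown user from a wrong password; log that detail and send a generic 500 instead. And `return (1);` leaves the PAM handle open unless the caller runs pam_end(); if it does not, add pam_end(hdl, rc) before returning.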
Comment 14 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-02-01 09:43:33 UTC
I am afraid I do not have any systems that use anything other than plain vanilla PAM as set up by default. I then add in cracklib and that is about it. The ebuild currently in CVS works fine for that purpose for me and others.

I am closing this bug as fixed, as the original issue is resolved. Please open a new bug, or add a comment here if you come up with a patch. I will work with you to test and integrate it.