poppassd does not work as explained in Bug# 10283 Additional Comment #2.
I have installed poppassd-ceti (or simply poppassd) in version 1.8.4.
It works, it is a lot newer, and seems to be maintained unlike poppassd_pam.
Oh - and it has pam support. So please replace poppassd_pam with poppassd-ceti in portage.
Here is a link: http://freshmeat.net/projects/poppassd-ceti/?topic_id=150
Steps to Reproduce:
See Bug# 10283 Additional Comment #2
Changes the password or reported error
I would like to add that I have just downloaded and installed poppassd-ceti - it works great whereas poppassd_pam did not function correctly on my system. I would like to see this package added to portage if possible, and the removal or correction of poppassd_pam.
-> Comment out this line
#password required /lib/security/pam_permit.so
-> and add these lines
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
The PAM lines fix this issue (what Henrique Dias says). Why hasn't there been any update to the portage package? It's been 7 months, and no change whatsoever. This package doesn't work unless the PAM file is updated.
I was just testing this package with the new PAM entries and it made it a lot worse for me. Instead of not changing my password it allowed me to type any user name that was valid, a random password 1 character or more and a new password. It then changed it to the new password for me - on both x86 and amd64 systems!
I would not recommend using this program, or those PAM settings with it. I have however made an ebuild for poppassd-ceti. I have been successfully using a hand compiled version for about six months now. I had to patch it for newer GCCs - it also seems to have been unmaintained since 2002, but does seem to work much better than poppassd_pam.
Please test the ebuild and let me know how it works for you guys. I have used the original poppassd_pam ebuild as inspiration but changed the bits that seemed to need updating. I am no PAM expert so maybe someone could check the poppassd pam file too? If it functions correctly do I need to open a new bug report to request its addition to portage?
I think poppassd_pam should be removed as it does not seem to function correctly.
Created attachment 44260 [details]
Created attachment 44261 [details]
Created attachment 44262 [details]
Created attachment 44263 [details, diff]
I've just tried installing poppassd_pam and I've encountered the same problem as specified previously:
poppassd_pam accepts any password whatsoever and sets a new one.
guys, this is HORRIBLE from a security point of view, the current ebuild needs to be masked/removed (or fixed) IMMEDIATELY
Created attachment 47919 [details]
Added cracklib USE flag.
Created attachment 47920 [details]
Created attachment 47921 [details]
The new poppassd_ceti does not work properly on my system at all. I had just deployed the poppassd_pam in a (fortunately) limited environment (only available on localhost with a PHP script from an authenticated webpage) when the GLSA for the package came out. I have patched the poppassd_pam code by hand to do the authentication step that was missing.
It seems to me that the code for poppassd_ceti does not properly respond to all parts of the pam conversation, as it always places the new password in the response at the change step, when it needs to specify the old password in the first part of the conversation and then the new password there after. (If you compare the code for the two you will see what I mean. The poppassd_pam switches based on what pam is asking for. The new version switches on a global state flag.)
This is evidenced to me from the logs when I try to change a password with the new poppassd_ceti. (I am running pam_krb5afs to authenticate against Kerberos and get an AFS token at the same time.) I get the following in the log when I turn on debug for the pam_krb5afs module:
pam_krb5afs: authentication succeeds for `guest'
pam_krb5afs: can't change password for guest: -1765328353 (Decrypt integrity check failed)
This implies that the module is authenticating properly the first time, but is not putting the old password into the response for the part of the PAM conversation where PAM is requesting it so that it can pass that along to the pam_krb5afs module.
The patch to the old poppassd_pam was trivial to add, though the place I added it is later in the poppassd conversation than in the new ceti version so it always asks for the old and new even if the old won't work. I consider this a feature. ;)
I am not a huge PAM hacker, but I will try to come up with a patch for the new version that solves this problem in the next couple of days.
Here are the changes I made to the old poppassd_pam to make it secure:
diff poppassd_pam.c.orig poppassd_pam.c
> #include <stdio.h>
> rc = pam_authenticate(hdl, 0);
> if(rc != PAM_SUCCESS)
> WriteToClient("500 %s",pam_strerror(hdl, rc));
> return (1);
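Review bot: as the hunk reads, the `if(rc != PAM_SUCCESS)` body has no braces, so only `WriteToClient("500 %s", ...)` is conditional and `return (1);` runs on every request, including a successful authentication; if the braces are present in the real patch they were lost from this snippet, otherwise wrap both lines in `{ ... }`. The added code also stops at `pam_authenticate()`: without a following `pam_acct_mgmt(hdl, 0)` check with the same error handling, the `account required` line from the PAM config suggested earlier in this bug is never consulted, so a locked or expired account that still authenticates could change its password.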
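The conversation behaviour described above (answer with the old password while PAM is authenticating or explicitly asks for the current password, and with the new one only after that), as an added example in C that is not code from either poppassd version; the PAM structs and constants are assumed stand-ins for <security/pam_appl.h>, old-password prompts are recognised by the words "old" or "current", and the passwords are constructed test values.

```c
/* Added illustration (not poppassd_pam/poppassd-ceti code) of a PAM conversation
 * callback; the defines and structs stand in for <security/pam_appl.h>. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pw_ctx { const char *oldpw, *newpw; int in_chauthtok; }; /* via appdata_ptr */
static char *copy(const char *s) {             /* strdup without feature macros */
    size_t n = strlen(s) + 1; char *p = malloc(n); return p ? memcpy(p, s, n) : NULL; }
static int has_word(const char *s, const char *w) {     /* case-insensitive strstr */
    size_t n = strlen(w);
    for (; *s; s++) if (strncasecmp(s, w, n) == 0) return 1;
    return 0;
}
int poppassd_conv(int num_msg, const struct pam_message **msg,
                  struct pam_response **resp, void *appdata_ptr) {
    struct pw_ctx *ctx = appdata_ptr;
    struct pam_response *r = num_msg > 0 ? calloc(num_msg, sizeof *r) : NULL;
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            /* pam_authenticate only wants the old password; pam_chauthtok may
             * ask for it first and only then for the new one (possibly twice). */
            int want_old = !ctx->in_chauthtok || has_word(msg[i]->msg, "old") ||
                           has_word(msg[i]->msg, "current");
            r[i].resp = copy(want_old ? ctx->oldpw : ctx->newpw);
        } else if (style != PAM_ERROR_MSG && style != PAM_TEXT_INFO) {
            while (i-- > 0) free(r[i].resp);             /* unknown style: bail */
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
char *answer_for(int in_chauthtok, const char *prompt) { /* test driver, fake pws */
    struct pw_ctx ctx = { "old-secret", "new-secret", in_chauthtok };
    const struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompt }, *mp = &m;
    struct pam_response *r;
    if (poppassd_conv(1, &mp, &r, &ctx) != PAM_SUCCESS) return NULL;
    char *ans = r[0].resp; free(r); return ans;           /* caller frees ans */
}
```

Answering every prompt with the new password, as the text says poppassd_ceti does, would make the second case below return "new-secret" and reproduce the "Decrypt integrity check failed" symptom from the log.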
I am afraid I do not have any systems that use anything other than plain vanilla PAM as set up by default. I then add in cracklib and that is about it. The ebuild currently in CVS works fine for that purpose for me and others.
I am closing this bug as fixed, as the original issue is resolved. Please open a new bug, or add a comment here if you come up with a patch. I will work with you to test and integrate it.