Bug 653921

Summary:	Can't change NIS password with yppasswd
Product:	[Fedora] Fedora	Reporter:	John Beranek <john>
Component:	yp-tools	Assignee:	Karel Klíč <kklic>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	low
Version:	12	CC:	kklic, rvokal
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	yp-tools-2.11-2.fc14	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-12-03 12:01:06 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description John Beranek 2010-11-16 13:53:34 UTC

Description of problem:

Running yppasswd as a normal user fails, with the message:

You cannot reuse the old password.

This happens whether the old password has been reused or not. If I downgrade the version of yp-tools to 2.9-8 yppasswd starts working again.

The NIS master runs on CentOS 5.5, though I doubt this matters, as strace suggests that the new password typed by the user is not passed anywhere near the NIS server before being rejected.

Looking at the diff betwwen 2.9-8 and 2.9-9, code very close to the error message has been changed, which makes me suspicious.

Version-Release number of selected component (if applicable):

2.9-9

How reproducible:

Always

Steps to Reproduce:
1.Try to change your NIS password on a NIS configured machine using yppasswd
  
Actual results:

Fails with "You cannot reuse the old password."

Expected results:

Should allow password to be changed

Additional info:

Comment 1 John Beranek 2010-11-16 14:49:18 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=514061

Bug ref for bug-fix that introduced the problem

Comment 2 Karel Klíč 2010-11-16 22:51:24 UTC

It would help a lot if you could provide an example of passwd entry (one line), for which the password change fails. You can get all the passwd lines by running `ypcat passwd` on NIS slave.

Comment 3 John Beranek 2010-11-16 23:06:27 UTC

bertesj3:x:20566:20566:John Bertesty:/home/bertesj3:/bin/bash

Comment 4 Karel Klíč 2010-11-16 23:24:53 UTC

Thank you for such a fast response.

I'm interested in the format and length of that `x` :). It should be in form $id$salt$encrypted, and I need to know the "id" (which indicates the method used for encryption), the length of "salt" (which is probably the reason why you cannot change the password), and whether "encrypted" contains some suffix separated by a comma (such as ",rounds=xx").

If you change a few letters in the "encrypted" area for other random letters, there is no chance to get your password.

Comment 5 John Beranek 2010-11-17 08:31:08 UTC

The 'x' is because it's a shadowed password NIS system. It's always worked in the past, as recently as yp-tools 2.9-8.

Surely the old password is checked at the server end, and the new password just gets sent to the NIS server??

Comment 6 Karel Klíč 2010-11-19 16:57:31 UTC

I see, thanks. MERGE_PASSWD is set to false in /var/yp/Makefile. I can reproduce it now, and yp-tools-2.9-8 works here too.

Comment 7 Karel Klíč 2010-11-19 17:14:31 UTC

In yp-tools-2.9-8, the comparison of the old and new password in yppasswd.c, function verifypassword:
pwd->pw_passwd => "x"
pwdstr => "newpassword"
crypt (pwdstr, pwd->pw_passwd) => "xxCfHui4C4JRY"
strncmp (pwd->pw_passwd, crypt (pwdstr, pwd->pw_passwd), 13) => not same

In yp-tools-2.9-9:
pwd->pw_passwd => "x"
pwdstr => "newpassword"
crypt (pwdstr, pwd->pw_passwd) => "xxCfHui4C4JRY"
passwdlen => 1
strncmp (pwd->pw_passwd, crypt (pwdstr, pwd->pw_passwd), passwdlen) => passwords are identical!

The solution is not to compare passwords when the old one == "x", as it always means that shadow passwords are used.

Comment 8 Fedora Update System 2010-11-19 18:33:30 UTC

yp-tools-2.10-3.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/yp-tools-2.10-3.fc13

Comment 9 Fedora Update System 2010-11-19 18:33:36 UTC

yp-tools-2.9-10.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/yp-tools-2.9-10.fc12

Comment 10 Fedora Update System 2010-11-19 18:33:43 UTC

yp-tools-2.11-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/yp-tools-2.11-2.fc14

Comment 11 John Beranek 2010-11-19 19:26:11 UTC

(In reply to comment #7)
> 
> The solution is not to compare passwords when the old one == "x", as it always
> means that shadow passwords are used.

Cor, thanks for the quick fix, and already submitted as an update.

Cheers!

Comment 12 Fedora Update System 2010-11-21 01:27:30 UTC

yp-tools-2.11-2.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update yp-tools'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/yp-tools-2.11-2.fc14

Comment 13 Bug Zapper 2010-12-03 12:01:06 UTC

Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 14 Fedora Update System 2010-12-07 20:09:13 UTC

yp-tools-2.10-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2010-12-07 20:17:40 UTC

yp-tools-2.11-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.