Bug 331861 - /sbin/unix_chkpwd fail to verify passwords
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mod_auth_shadow
Version: 7
Hardware: x86_64 Linux
Priority: low Severity: low
Assigned To: David Anderson
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-15 03:37 EDT by Johan Fredriksson
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-10-15 04:08:20 EDT
Description Johan Fredriksson 2007-10-15 03:37:00 EDT
Description of problem:
I tried to make apache httpd use the password-database in /etc/passwd and
/etc/shadow for authentication using mod_auth_shadow.
This module uses the program /sbin/unix_chkpwd (from pam-0.99.7.1-5) to do the
actual verification. Even though the right password is supplied, unix_chkpwd
fails with exit code 7.
Rebuilding pam from the srpm and running it in gdb revealed that the hash
calculated from the supplied password does not match the hash in /etc/shadow,
even though the passwords are identical. The same problem occurs on RHEL4 using
pam-0.77-66.21.

Version-Release number of selected component (if applicable):
pam-0.99.7.1-5
mod_auth_shadow-2.2-3

How reproducible:
Every time

Steps to Reproduce:
echo 'correct password' | /sbin/unix_chkpwd user nonullok
  
Actual results:
/sbin/unix_chkpwd fails with exit code 7

Expected results:
exit code 0

Additional info:
/sbin/unix_chkpwd will not accept input if stdin is a terminal.
Comment 1 Tomas Mraz 2007-10-15 03:54:46 EDT
That's because unix_chkpwd reads the passwords differently. Also note that the
real uid of the user calling unix_chkpwd must be either 0 - it will be able
to verify all users' passwords or the uid of the user being verified.

-> bug in mod_auth_shadow. Also note that unix_chkpwd is an internal helper
binary of pam_unix so it is very possible that its behavior may change any time
without notice.

This is how you can test that unix_chkpwd works OK:

echo -n -e 'correct password\0' | /sbin/unix_chkpwd user nonull
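
An added example, not part of the original thread or of PAM: it compares the bytes that the two commands above put on the pipe, assuming the reader takes everything up to the first NUL byte as the password. The helper names and the sample password are constructed for illustration, and nothing here calls unix_chkpwd.

```shell
#!/bin/sh
# Added example: frame_password, stdin_framing and bytes_before_nul are
# hypothetical helpers; they do not call or reimplement unix_chkpwd.

# Write a password followed by a single NUL byte. printf's \0 escape is
# defined by POSIX, while "echo -n -e" is not portable across shells.
frame_password() {
    printf '%s\0' "$1"
}

# Report how the data on stdin is terminated, judged by its last byte.
stdin_framing() {
    hex=$(od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        '')  echo empty ;;
        *00) echo nul-terminated ;;
        *0a) echo newline-terminated ;;
        *)   echo unterminated ;;
    esac
}

# Hex of the bytes a reader would take as the password, ASSUMING it stops at
# the first NUL byte (or at end of input when there is none).
bytes_before_nul() {
    od -An -v -tx1 | tr -s ' \n' '\n' |
        awk 'NF && !seen { if ($1 == "00") seen = 1; else printf "%s", $1 }'
}

# Constructed sample password, used only to show the framing.
sample='secret'

# Print framing and password bytes for both ways of feeding the pipe.
compare_framings() {
    echo "echo:   $(echo "$sample" | stdin_framing) $(echo "$sample" | bytes_before_nul)"
    echo "printf: $(frame_password "$sample" | stdin_framing) $(frame_password "$sample" | bytes_before_nul)"
}

compare_framings
```

With plain echo the trailing newline (0a) ends up inside the bytes treated as the password, so a hash computed over them cannot match the stored one.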
Comment 2 Johan Fredriksson 2007-10-15 04:06:58 EDT
> Also note that the real uid of the user calling unix_chkpwd must be either 0
> - it will be able to verify all users' passwords or the uid of the user being
> verified.

Since the RPM installs the binary setuid root that should not be a problem,
should it?

> Also note that unix_chkpwd is an internal helper binary of pam_unix so it is
> very possible that its behavior may change any time without notice.
>
> This is how you can test that unix_chkpwd works OK:
> 
> echo -n -e 'correct password\0' | /sbin/unix_chkpwd user nonull

Ah, that works.
I guess this should be considered a bug in mod_auth_shadow instead then?
Comment 3 David Anderson 2007-10-15 04:08:20 EDT
The assumption in the bug report is wrong, AFAICT: mod_auth_shadow does not 
use /sbin/unix_chkpwd, it uses /usr/sbin/validate. NOTABUG.

mod_auth_shadow is not part of RHEL4 in any case, so the bug reporter seems 
rather confused in trying to get it to work there. (Unless someone else 
packaged it for EPEL - I didn't).
Comment 4 Johan Fredriksson 2007-10-15 04:17:14 EDT
> The assumption in the bug report is wrong, AFAICT: mod_auth_shadow does not
> use /sbin/unix_chkpwd, it uses /usr/sbin/validate. NOTABUG.

It does indeed. I can provide the output from strace if you need (with the
passwords removed of course)

> mod_auth_shadow is not part of RHEL4 in any case, so the bug reporter
> seems rather confused in trying to get it to work there. (Unless someone
> else packaged it for EPEL - I didn't).

The bug report is for Fedora 7.
Comment 5 Johan Fredriksson 2007-10-15 04:45:31 EDT
> > The assumption in the bug report is wrong, AFAICT: mod_auth_shadow does not
> > use /sbin/unix_chkpwd, it uses /usr/sbin/validate. NOTABUG.
> 
> It does indeed. I can provide the output from strace if you need (with the
> passwords removed of course)

OK, I will have to revert my opinion on that.
mod_auth_pam and mod_auth_shadow conflict. After I removed mod_auth_pam it works
perfectly! Thanks for all help!
