Package: libpam-krb5
Version: 3.15-1
Severity: important

Changing password (through chpasswd) is broken with libpam-krb5 3.15-1:

# echo "root:foobar2009" | chpasswd
chpasswd: (user root) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user root) password not changed

# dpkg --list libpam\* | grep '^ii'
ii  libpam-chroot       0.9-3      Chroot Pluggable Authentication Module for PAM
ii  libpam-devperm      1.6-1      PAM module to change device ownership on login
ii  libpam-dotfile      0.7-4      A PAM module which allows users to have more t
ii  libpam-krb5         3.15-1     PAM module for MIT Kerberos
ii  libpam-modules      1.1.0-3    Pluggable Authentication Modules for PAM
ii  libpam-ncp          2.2.6-6    PAM module allowing authentication from a NetW
ii  libpam-runtime      1.1.0-3    Runtime support for the PAM library
ii  libpam-smbpass      2:3.4.0-4  pluggable authentication module for Samba
ii  libpam-ssh          1.92-8     Single sign-on via private SSH key
ii  libpam-thinkfinger  0.3-2      PAM module for the STMicroelectronics fingerpr
ii  libpam-tmpdir       0.08-1     automatic per-user temporary directories
ii  libpam-usb          0.4.2-1    PAM module for authentication with removable U
ii  libpam0g            1.1.0-3    Pluggable Authentication Modules library

When removing libpam-krb5 it works:

# apt-get --purge remove libpam-krb5
[...]
# echo "root:foobar2009" | chpasswd
#

Config *before* removing libpam-krb5:

,---- [ cat /etc/pam.d/passwd /etc/pam.d/common-passwd ]
| #
| # The PAM configuration file for the Shadow `passwd' service
| #
|
| @include common-password
|
| #
| # /etc/pam.d/common-password - password-related modules common to all services
| #
| # This file is included from other service-specific PAM config files,
| # and should contain a list of modules that define the services to be
| # used to change user passwords. The default is pam_unix.
|
| # Explanation of pam_unix options:
| #
| # The "sha512" option enables salted SHA512 passwords. Without this option,
| # the default is Unix crypt. Prior releases used the option "md5".
| #
| # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
| # login.defs.
| #
| # See the pam_unix manpage for other options.
|
| # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
| # To take advantage of this, it is recommended that you configure any
| # local modules either before or after the default block, and use
| # pam-auth-update to manage selection of other modules. See
| # pam-auth-update(8) for details.
|
| # here are the per-package modules (the "Primary" block)
| password requisite pam_krb5.so minimum_uid=1000
| password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
| # here's the fallback if no module succeeds
| password requisite pam_deny.so
| # prime the stack with a positive return value if there isn't one already;
| # this avoids us returning an error just because nothing sets a success code
| # since the modules above will each just jump around
| password required pam_permit.so
| # and here are more per-package modules (the "Additional" block)
| password optional pam_smbpass.so nullok use_authtok use_first_pass
| password optional pam_ecryptfs.so
| # end of pam-auth-update config
`----

Config *after* removing libpam-krb5:

,---- [ cat /etc/pam.d/passwd /etc/pam.d/common-passwd ]
| # The PAM configuration file for the Shadow `passwd' service
| #
|
| @include common-password
|
| #
| # /etc/pam.d/common-password - password-related modules common to all services
| #
| # This file is included from other service-specific PAM config files,
| # and should contain a list of modules that define the services to be
| # used to change user passwords. The default is pam_unix.
|
| # Explanation of pam_unix options:
| #
| # The "sha512" option enables salted SHA512 passwords. Without this option,
| # the default is Unix crypt. Prior releases used the option "md5".
| #
| # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
| # login.defs.
| #
| # See the pam_unix manpage for other options.
|
| # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
| # To take advantage of this, it is recommended that you configure any
| # local modules either before or after the default block, and use
| # pam-auth-update to manage selection of other modules. See
| # pam-auth-update(8) for details.
|
| # here are the per-package modules (the "Primary" block)
| password [success=1 default=ignore] pam_unix.so obscure sha512
| # here's the fallback if no module succeeds
| password requisite pam_deny.so
| # prime the stack with a positive return value if there isn't one already;
| # this avoids us returning an error just because nothing sets a success code
| # since the modules above will each just jump around
| password required pam_permit.so
| # and here are more per-package modules (the "Additional" block)
| password optional pam_smbpass.so nullok use_authtok use_first_pass
| password optional pam_ecryptfs.so
| # end of pam-auth-update config
`----

This is a plain and fresh Debian system (to be more precise: grml live
system, deployed via FAI), I can easily reproduce this issue and if it
helps could provide you an affected live system/ISO as well.

thx && regards,
-mika-