registry team mailing list archive

[Bug 356766] Re: Changing long passwords causes spurious error

I can also confirm this on 10.10, with pam-1.1.1:

$ passwd
Changing password for jesstess.
(current) UNIX password: <12345678aa>
Enter new UNIX password: <12345678bb>
Retype new UNIX password: <12345678bb>
Bad: new password must be different than the old one

You'll get this error if the first 8 characters of the old and new
passwords are the same. As mentioned in bug #549915, the diff in debian
/patches-applied/007_modules_pam_unix adds a pam_unix/obscure.c,
including:

+       if ((msg = password_check(old, new, pwdp)) != NULL)
+               return msg;
+
+       /* The traditional crypt() truncates passwords to 8 chars.  It is
+          possible to circumvent the above checks by choosing an easy
+          8-char password and adding some random characters to it...
+          Example: "password$%^&*123".  So check it again, this time
+          truncated to the maximum length.  Idea from npasswd.  --marekm */
+
+       if (on(UNIX_HASH_MASK,ctrl))
+               return NULL;  /* unlimited password length */
+
+       if (oldlen <= 8 && newlen <= 8)
+               return NULL;
+
+       new1 = strndup(new,8);
+       old1 = strndup(old,8);
+
+       msg = password_check(old1, new1, pwdp);
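Review bot: the diagnostic from the second password_check() call on the truncated copies is returned unchanged, so the user sees the same "new password must be different than the old one" text whether the full strings or only their first 8 characters matched; consider returning a distinct message for the truncated pass (or prefixing the existing one) so the exchange quoted above is explainable to the user. Also, the strndup() results in `new1 = strndup(new,8);` and `old1 = strndup(old,8);` are passed to password_check() without a NULL check in the visible lines.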

So it re-runs password_check on the first 8 characters of your old and
new passwords, including a check on whether they're the same.

I don't know if people would prefer that UNIX_OBSCURE_CHECKS weren't set
by default in Ubuntu, or if the message returned after the second
password_check indicated that it only applied to the first 8 characters,
or some other option.

-- 
Changing long passwords causes spurious error
https://bugs.launchpad.net/bugs/356766
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for base-passwd.
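The control flow quoted from obscure.c above, rebuilt as a small C model so the trigger conditions can be checked offline. This is an added example, not code from pam_unix or from the bug reporter; it assumes password_check() reduced to the single "must be different" test (the real function runs more checks) and uses an int hash_mask in place of on(UNIX_HASH_MASK, ctrl). The sample passwords are the ones from the transcript above.

```c
/* Added example: a C model of the truncated re-check quoted from Debian's
 * pam_unix obscure.c.  Not the module's own code.  Assumptions: the
 * password_check() stand-in only tests "must be different", and hash_mask
 * replaces on(UNIX_HASH_MASK, ctrl). */
#include <stdio.h>
#include <string.h>

#define CRYPT_MAX 8   /* traditional DES crypt() uses only the first 8 chars */

/* Reduced stand-in for obscure.c's password_check() (assumption: the real
 * function runs several more checks; only the identity test matters here). */
static const char *password_check(const char *old, const char *new)
{
    if (strcmp(old, new) == 0)
        return "new password must be different than the old one";
    return NULL;
}

/* Same control flow as the quoted hunk: full-length check first, then,
 * unless a hash with unlimited length is in use, the same check again on
 * the first CRYPT_MAX characters of each password.  Returns NULL when the
 * change is accepted, otherwise the diagnostic text. */
const char *obscure_msg(const char *old, const char *new, int hash_mask)
{
    const char *msg;
    char old1[CRYPT_MAX + 1], new1[CRYPT_MAX + 1];

    if ((msg = password_check(old, new)) != NULL)
        return msg;

    if (hash_mask)
        return NULL;            /* unlimited password length: no re-check */

    if (strlen(old) <= CRYPT_MAX && strlen(new) <= CRYPT_MAX)
        return NULL;            /* truncation cannot change the outcome */

    /* copy at most CRYPT_MAX chars (same effect as strndup(s, 8)) */
    snprintf(old1, sizeof old1, "%.*s", CRYPT_MAX, old);
    snprintf(new1, sizeof new1, "%.*s", CRYPT_MAX, new);

    return password_check(old1, new1);
}

/* Does this pair pass the full-length check but fail the truncated one?
 * That is exactly the "spurious" case in the bug report. */
int trips_only_truncated_check(const char *old, const char *new)
{
    return password_check(old, new) == NULL
        && obscure_msg(old, new, 0) != NULL;
}

int main(void)
{
    /* Constructed inputs matching the report's transcript. */
    const char *old = "12345678aa", *new = "12345678bb";
    const char *msg;

    msg = obscure_msg(old, new, 0);
    printf("hash mask off:    %s\n", msg ? msg : "accepted");
    msg = obscure_msg(old, new, 1);
    printf("hash mask on:     %s\n", msg ? msg : "accepted");
    msg = obscure_msg(old, "abcdefghbb", 0);
    printf("different prefix: %s\n", msg ? msg : "accepted");
    return 0;
}
```

With hash_mask set (the path taken when a non-DES hash is configured) the transcript's pair is accepted; with it clear, only the first 8 characters are compared and the "must be different" message comes back even though the full passwords differ.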