Use local system tools to change the user's password

Bug #1743558 reported by Andreas Hasenack
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Landscape Client | Fix Committed | Low | Unassigned |
landscape-client (Ubuntu) | Fix Released | Undecided | Andreas Hasenack |

Bug Description

We should use the local system administration tools, like chpasswd(1), to set the user's password, instead of plain MD5 using passlib.

Andreas Hasenack (ahasenack) wrote :

Maybe we should use the linux admin tools to set a user's password, instead of generating a hash of our own. That way we won't be bypassing any local password policy set by an admin, for example.

It might be a bigger task, though.

Andreas Hasenack (ahasenack) wrote :

Instead of:
        result, output = self.call_popen(["usermod", "-p", crypted, username])

we could do the equivalent of

echo username:password | chpasswd

and use the clear text password. When using popen, the username:password bit won't even show up in the command line.
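
The approach proposed in the comment above, as an added sketch that is not part of the bug report and not landscape-client's own code: the clear-text `username:password` line goes to chpasswd on stdin, so it never appears in the argument list. The names `set_password`, `build_chpasswd_input`, `PasswordChangeError` and the `run` parameter are hypothetical; the line-break and colon checks are an added precaution because chpasswd reads one `user:password` pair per line.

```python
import subprocess

CHPASSWD = ["chpasswd"]  # reads "user_name:password" lines on stdin


class PasswordChangeError(Exception):
    """Raised when chpasswd exits with a non-zero status (hypothetical name)."""


def build_chpasswd_input(username, password):
    """Return the single stdin line for chpasswd.

    Rejects values that would change how the line-oriented input is
    split: a ':' in the username moves the field boundary, and a line
    break in either value would start a second user:password record.
    """
    if not username or ":" in username:
        raise ValueError("username must be non-empty and contain no ':'")
    if not password:
        raise ValueError("password must be non-empty")
    for name, value in (("username", username), ("password", password)):
        if "\n" in value:
            raise ValueError(f"{name} must not contain a line break")
    # chpasswd splits on the first ':', so a ':' inside the password is fine.
    return f"{username}:{password}\n"


def set_password(username, password, run=subprocess.run):
    """Hand the clear-text password to chpasswd on stdin.

    Hashing is left to the local system tool instead of being done by
    the caller. `run` is injectable (hypothetical parameter) so the
    call can be exercised without root or a real chpasswd binary.
    """
    data = build_chpasswd_input(username, password)
    result = run(CHPASSWD, input=data, capture_output=True,
                 text=True, check=False)
    if result.returncode != 0:
        raise PasswordChangeError(result.stderr.strip())
    return True
```

Running it for real requires root; error text from chpasswd should be logged without echoing the input line.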

Changed in landscape-client:
milestone: none → 18.01
summary: - Runtime dependency on a universe package
+ Runtime dependency on a universe package: python3-passlib
Simon Poirier (simpoir)
Changed in landscape-client:
status: New → Confirmed
David Britton (dpb)
Changed in landscape-client:
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote : Re: Runtime dependency on a universe package: python3-passlib

Turns out python(2)-passlib is in main, so all we need is to invoke a component-mismatch to have python3-passlib moved to main too. This does not involve a MIR. Thanks ack for pointing that out, I hadn't realized python-passlib was in main.

We should still ditch it, though, and use chpasswd instead of an md5 hash.

Changed in landscape-client:
status: Confirmed → Won't Fix
importance: High → Low
milestone: 18.01 → backlog
summary: - Runtime dependency on a universe package: python3-passlib
+ Use local system tools to change the user's password
Changed in landscape-client:
status: Won't Fix → Triaged
assignee: Andreas Hasenack (ahasenack) → nobody
description: updated
Changed in landscape-client:
status: Triaged → Fix Committed
Changed in landscape-client (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package landscape-client - 18.01-0ubuntu1

---------------
landscape-client (18.01-0ubuntu1) bionic; urgency=medium

  * New upstream release 18.01:
    - Ported to python3 (LP: #1577850)
    - move Replaces/Breaks landscape-client-ui rules to landscape-common
      (LP: #1560424)
    - Add a libpam-systemd Depends if built for xenial (LP: #1590838)
    - Some units not reporting swift usage (LP: #1588404)
    - Fix missing install directories for landscape-common and drop
      usr/share/landscape as its only used and created by landscape-client.
      (LP: #1680842)
    - Fix VM detection for Xen, by returning "xen" only for paravirtualized and
      HVM hosts, not for dom0. (LP: #1601818)
    - Add an indication of truncation to process output that has been truncated
      prior to delivery to the server. (LP: #1629000)
    - add /snap/bin to the PATH when executing scripts. (LP: #1635634)
    - Save the original sources.list file when a repository profile is
      associated with a computer and restore it when the profile is removed.
      (LP: #1607529)
    - Drop the legacy HAService plugin, which is no longer used.
    - Avoid double-decoding package descriptions in build_skeleton_apt, which
      causes an error with Xenial python-apt. (LP: #1655395)
    - Remove dead dbus code and textmessage (confirmed not supported in server
      for ~2 years). (LP: #1657372)
    - Move bzr-builddeb conf file from deprecated location to debian/
      (LP: #1658796)
    - Support for new server error message about there being too many pending
      computers already (LP: #1662530)
    - Add a timestamp to the package reporter result (LP: #1674252)
    - Check if ubuntu-release-upgrader is running before apt-update (LP: #1699179)
    - Implicitly trust file-local sources managed by landscape. On upgrades,
      add the trusted flag to the landscape file-local apt source file if it's
      not there. (LP: #1736576)
    - Use local system tools to change the user's password (LP: #1743558)
  * clean up packaging and getting in sync with the new landscape version:
    - d/rules: drop extra:suggests which is unused since 13.07.1-0ubuntu2
    - Remove antique postinst code. No supported landscape-client version
      installs cronjobs anymore (since a long time).
    - d/landscape-client.docs: the README file is now a markdown file, so
      install that instead.
    - d/landscape-common.postinst: no need to single out
      /var/lib/landscape/.gnupg when fixing ownerships, just do it over
      the entire parent directory.
    - guard user and group removal via an empty .cleanup.* file in post, so we
      only remove the user/group if we were the ones who created them at
      install time.
    - lintian: remove absolute path from update-motd calls in maintainer
      scripts
    - d/rules: drop special handling for dapper, hardy and lucid, which are no
      longer supported.
    - d/rules: make sure we have an "extra:Depends=" in substvars even if it's
      empty
    - d/rules: drop dh_pycentral handling, it's obsolete
  * Dropped (already included in this version):
    - d/p/set-vm-info-to-kvm-for-aws-C5-instances.patch:
  ...

Changed in landscape-client (Ubuntu):
status: In Progress → Fix Released