chpasswd can't change password with libpam-passwdqc enabled

Bug #1904166 reported by EOLE team
This bug affects 1 person
Affects: shadow (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello.

We are unable to change a user password using chpasswd with libpam-passwdqc; it seems to misdetect the old password:

    root@server:~# echo 'root:hearth=mirth-Double' | chpasswd
    […]
    Weak password: is the same as the old one.
    Try again.

    root@server:~# echo $?
    1

I tried the following to make sure the old password was not the same:

    root@server:~# echo 'root:foo' | chpasswd -c SHA512
    root@server:~# echo 'root:hearth=mirth-Double' | chpasswd
    […]
    Weak password: is the same as the old one.
    Try again.

    root@server:~# echo $?
    1

Tags: focal

EOLE team (eole-team) wrote :

It may be due to the libpam-passwdqc configuration using ask_oldauthtok and similar=deny.

It was working fine on Bionic but fails with Focal.

EOLE team (eole-team) wrote :

The solution is to provide a dedicated pam configuration for chpasswd without the ask_oldauthtok option.
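
The workaround in the comment above, sketched as an added example that is not part of the bug report or of the shadow package: it derives a chpasswd-only PAM stack from common-password with ask_oldauthtok removed from the pam_passwdqc line. The sample common-password content is constructed, the function names are hypothetical, and it assumes chpasswd reads its stack from /etc/pam.d/chpasswd as on Debian-derived systems.

```shell
#!/bin/sh
# Added example (not from the bug report): derive a chpasswd-only PAM stack
# from common-password with pam_passwdqc's ask_oldauthtok option removed.

# Print file $1 with ask_oldauthtok / ask_oldauthtok=update stripped from
# pam_passwdqc lines only; every other module line is passed through as-is.
strip_ask_oldauthtok() {
    sed -E '/pam_passwdqc\.so/ s/[[:space:]]+ask_oldauthtok(=[^[:space:]]*)?//g' "$1"
}

# Succeed if an active (uncommented) pam_passwdqc line in $1 sets the option.
has_ask_oldauthtok() {
    grep -Eq '^[^#]*pam_passwdqc\.so[^#]*[[:space:]]ask_oldauthtok(=|[[:space:]]|$)' "$1"
}

# Write the stripped stack from $1 to $2; fail if the option survived.
build_chpasswd_stack() {
    {
        echo "# Generated from $1 for the chpasswd service"
        strip_ask_oldauthtok "$1"
    } > "$2"
    ! has_ask_oldauthtok "$2"
}

# Constructed sample: a common-password stack after the sed command from the
# report has added ask_oldauthtok (similar=deny is the option named there).
work=$(mktemp -d)
cat > "$work/common-password" <<'EOF'
password requisite pam_passwdqc.so ask_oldauthtok similar=deny
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
EOF

# Everything is written under a temporary directory, never under /etc.
build_chpasswd_stack "$work/common-password" "$work/chpasswd" && cat "$work/chpasswd"
```

The script only writes to a temporary directory; the generated file still has to be reviewed and installed as the chpasswd service's PAM file by hand.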

EOLE team (eole-team) wrote :

To reproduce:

    apt install libpam-passwdqc
    sed -i -e 's/\(pam_passwdqc.so\)/\1 ask_oldauthtok/' /etc/pam.d/common-password
    echo 'root:hearth=mirth-Double' | chpasswd
