NetBSD-Bugs archive


Re: bin/58005: passwd always errors out; cannot change passwords anymore



My only guess would be, then: is my /etc/passwd.conf somehow getting bypassed or not seen?

# ll pass* 
-rw-r--r--  1 root  wheel  1629 Mar  4 06:59 passwd
-rw-r--r--  1 root  wheel   162 Jan 16 08:28 passwd.conf

# ll pwd.db 
-rw-r--r--  1 root  wheel  40960 Mar  4 06:59 pwd.db

# ll spwd.db
-rw-------  1 root  wheel  40960 Mar  4 07:02 spwd.db

I changed passwd.conf to the old, original passwd.conf (using sha1). passwd reported:

# passwd root
Unable to update password entry: /etc/master.passwd: entry root inconsistent gecos
Unable to change auth token: Error in service module


(I didn't accept all changes; in fact, getting the password stuff was where I was most careful. I ultimately said leave it alone, I'll manually fix it - which I did post-upgrade.
Since it was manually done, sure, there's a good possibility of phat fingering something.)


Do you have any suggestions as to how to fix this?

Thank you,
Mike Cheponis



On Fri, Mar 8, 2024 at 2:40 AM Michael van Elst <mlelstv%serpens.de@localhost> wrote:
The following reply was made to PR bin/58005; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/58005: passwd always errors out; cannot change passwords anymore
Date: Fri, 8 Mar 2024 10:35:42 -0000 (UTC)

 michael.cheponis%gmail.com@localhost (Michael Cheponis) writes:

 >default:
 >        localcipher = argon2id
 >        ypcipher = old


 >cat /usr/mac/SS/root/etc/passwd.conf    <--- Where the very old saved /etc
 >is.
 >default:
 >  localcipher = sha1
 >  ypcipher = sha1


 >Do I need to change the passwd.conf so ypcipher = argon2id ?

 That depends on what you want to get.

 ypcipher is used for NIS, and for compatibility with ancient
 systems that still use NIS, this is configured as "old", meaning
 the traditional DES encryption without tagging.

 In any case, neither would have caused the reported error. The
 pw_gensalt() function that failed supports:

 static const struct pw_salt {
         const char *name;
         int (*gensalt)(char *, size_t, const char *);
 } salts[] = {
         { "old", __gensalt_old },
         { "new", __gensalt_new },
         { "newsalt", __gensalt_new },
         { "md5", __gensalt_md5 },
         { "sha1", __gensalt_sha1 },
         { "blowfish", __gensalt_blowfish },
 #ifdef HAVE_ARGON2
         /* argon2 default to argon2id */
         { "argon2", __gensalt_argon2id},
         { "argon2id", __gensalt_argon2id},
         { "argon2i", __gensalt_argon2i},
         { "argon2d", __gensalt_argon2d},
 #endif /* HAVE_ARGON2 */
         { NULL, NULL }
 };

 If the configured salt method doesn't match anything, you get
 exactly the reported error.


 >Just to emphasize, this must have been changed by sysupdate when I went
 >from _RC3 to _RC5

 If the update changed such things, you must have either unpacked the
 etc.tgz set directly, or run etcupdate and accepted the corresponding
 (or all) changes.

 But again, the reported passwd.conf content doesn't produce that
 error. "argon2id", "old" and "sha1" are all known salt methods.
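
The name lookup described in the reply above, as an added example (not code from the thread or from NetBSD): `check_conf` is a hypothetical helper that scans passwd.conf-style text and counts `localcipher` or `ypcipher` values matching no name in the quoted `salts[]` table. The `have_argon2` flag stands in for the `HAVE_ARGON2` build option, and ignoring text after a comma in a value is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* salts[] names from the thread; argon2 = 1 means built only with HAVE_ARGON2. */
static const struct { const char *name; int argon2; } methods[] = {
    { "old", 0 }, { "new", 0 }, { "newsalt", 0 }, { "md5", 0 }, { "sha1", 0 },
    { "blowfish", 0 }, { "argon2", 1 }, { "argon2id", 1 }, { "argon2i", 1 },
    { "argon2d", 1 }, { NULL, 0 } };

/* Exact-length match against the table, honouring the build flag. */
static int known(const char *s, size_t n, int have_argon2) {
    for (size_t i = 0; methods[i].name != NULL; i++)
        if (strlen(methods[i].name) == n && strncmp(methods[i].name, s, n) == 0)
            return have_argon2 || !methods[i].argon2;
    return 0;
}

/* Hypothetical helper: count `key` values in passwd.conf-style text that match
 * no table entry; -1 if key is absent. Text after ',' is ignored (assumption). */
int check_conf(const char *conf, const char *key, int have_argon2) {
    int seen = 0, bad = 0;
    size_t klen = strlen(key);
    for (const char *p = conf; *p != '\0'; ) {
        const char *eol = strchr(p, '\n'), *s = p;
        if (eol == NULL) eol = p + strlen(p);
        while (s < eol && isspace((unsigned char)*s)) s++;
        if ((size_t)(eol - s) > klen && strncmp(s, key, klen) == 0) {
            s += klen;
            while (s < eol && isspace((unsigned char)*s)) s++;
            if (s < eol && *s == '=') {
                s++;
                while (s < eol && isspace((unsigned char)*s)) s++;
                const char *e = s;  /* value ends at whitespace, ',' or EOL */
                while (e < eol && !isspace((unsigned char)*e) && *e != ',') e++;
                seen = 1;
                if (!known(s, (size_t)(e - s), have_argon2)) bad++;
            }
        }
        p = (*eol != '\0') ? eol + 1 : eol;
    }
    return seen ? bad : -1;
}

/* Constructed input: the current passwd.conf as quoted in the thread. */
static const char conf_new[] = "default:\n        localcipher = argon2id\n        ypcipher = old\n";
int main(void) {
    printf("unknown localcipher values: %d with argon2, %d without\n",
           check_conf(conf_new, "localcipher", 1), check_conf(conf_new, "localcipher", 0));
    return 0;
}
```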




