NetBSD-Bugs archive
Re: bin/58005: passwd always errors out; cannot change passwords anymore
The following reply was made to PR bin/58005; it has been noted by GNATS.
From: Michael Cheponis <michael.cheponis%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: bin/58005: passwd always errors out; cannot change passwords anymore
Date: Sat, 9 Mar 2024 13:26:25 -0800
THANK YOU, Robert, Michael, Martin.
I did not see the suggestion to run: pwd_mkdb /etc/master.passwd
until today.
After doing that, everything works! So thank you. With the config.conf:
default:
        localcipher = sha1
        ypcipher = sha1
There is still some weirdness, side-effect, tho, because:
# diff -b spwd.db spwd.db.new    (that was the one when the trouble started)
(no difference) !
So it would seem as if pwd_mkdb has some additional side effect(s) besides
writing a new spwd.db ?
Also:
# ll /usr/lib/libkrb5*
/etc
-r--r--r-- 1 root wheel 1128816 Feb 27 05:27 /usr/lib/libkrb5.a
lrwxr-xr-x 1 root wheel 15 Jan 16 08:28 /usr/lib/libkrb5.so@ -> libkrb5.so.28.0
lrwxr-xr-x 1 root wheel 15 Aug 4 2022 /usr/lib/libkrb5.so.27@ -> libkrb5.so.27.0
-r--r--r-- 1 root wheel 651248 Aug 4 2022 /usr/lib/libkrb5.so.27.0
lrwxr-xr-x 1 root wheel 15 Jan 16 08:28 /usr/lib/libkrb5.so.28@ -> libkrb5.so.28.0
-r--r--r-- 1 root wheel 654432 Jan 16 08:28 /usr/lib/libkrb5.so.28.0
-r--r--r-- 1 root wheel 1169598 Feb 27 05:27 /usr/lib/libkrb5_p.a
So it seems like sysupgrade did the right thing.
Except... when passwd.conf is:
default:
        localcipher = argon2id
        ypcipher = old
and I run
pwd_mkdb /etc/master.passwd
I get this error from passwd again:
Couldn't generate salt.
Unable to change auth token: Error in service module
Obv with the 'sha1' cipher, all seems ok.
Not sure if this is worth more effort?
Thank you,
Mike
On Sat, Mar 9, 2024 at 5:35 AM Michael van Elst <mlelstv%serpens.de@localhost> wrote:
> The following reply was made to PR bin/58005; it has been noted by GNATS.
>
> From: mlelstv%serpens.de@localhost (Michael van Elst)
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: bin/58005: passwd always errors out; cannot change passwords
> anymore
> Date: Sat, 9 Mar 2024 13:32:04 -0000 (UTC)
>
> martin%duskware.de@localhost (Martin Husemann) writes:
>
> > I am not sure if sha1 is useable for your NIS setup (or if that is involved
> > at all).
>
> NIS itself doesn't care, it stores the password hash as a string
> and doesn't interpret it except for splitting a passwd line by colon
> characters.
>
> But programs from the NIS era often try to compute and match hashes
> themselves, and these fail to understand anything but the legacy
> hash format.
>
>
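
Added example, not part of the original thread and not NetBSD code: the quoted point that NIS only splits a passwd line on colons, while older consumers understand nothing but the legacy hash format, can be checked against a map with a short Python script. The sample entries and hash strings are constructed, and the prefix table is an assumption based on the crypt(3) string formats behind the passwd.conf cipher names.

```python
import re

# Assumed mapping of crypt(3) string prefixes to passwd.conf cipher names.
PREFIXES = [
    ("$argon2id$", "argon2id"), ("$argon2i$", "argon2i"),
    ("$argon2d$", "argon2d"), ("$sha1$", "sha1"),
    ("$2a$", "blowfish"), ("$1$", "md5"),
]
DES_ALPHABET = re.compile(r"^[./0-9A-Za-z]+$")

def classify(hash_field):
    """Name the scheme of one password field from its shape alone."""
    if not hash_field or hash_field.startswith("*"):
        return "none"                      # empty or locked, nothing to verify
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    if (hash_field.startswith("_") and len(hash_field) == 20
            and DES_ALPHABET.match(hash_field[1:])):
        return "newsalt"                   # extended DES
    if len(hash_field) == 13 and DES_ALPHABET.match(hash_field):
        return "old"                       # legacy DES crypt
    return "unknown"

def parse(lines):
    """Split each entry on ':' only, as NIS does; yield (user, scheme)."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], classify(fields[1])

def legacy_unreadable(lines):
    """Entries a consumer that only knows the legacy format cannot check."""
    return [(u, s) for u, s in parse(lines) if s not in ("old", "none")]

# Constructed master.passwd-style entries; none of these hashes are real.
SAMPLE = [
    "root:$argon2id$v=19$m=4096,t=3,p=1$Y29uc3RydWN0ZWQ$Y29uc3RydWN0ZWRoYXNo:0:0::0:0:Charlie &:/root:/bin/sh",
    "mike:$sha1$24680$c0nstruc$constructedhashvalue0000000a:1000:100::0:0:Mike:/home/mike:/bin/sh",
    "old1:abJnggxhB/yWI:1001:100::0:0:Legacy:/home/old1:/bin/sh",
    "daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin",
]

if __name__ == "__main__":
    for user, scheme in legacy_unreadable(SAMPLE):
        print(f"{user}: {scheme} hash, not usable by legacy-only consumers")
```
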