NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

[PAM Password quality] change password allowed using wrong credentials #287420

Open gangaram-tii opened 9 months ago

gangaram-tii commented 9 months ago

Describe the bug

I am using the following rules to enforce a strong password. Though it enforces a strong password, it allows me to change the password using a wrong current password.

security.pam.services.passwd.rules.password.pwquality = {
  control = "required";
  modulePath = "${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so";
  # order BEFORE pam_unix.so
  order = config.security.pam.services.passwd.rules.password.unix.order - 10;
  settings = {
    retry = 3;
    minlen = 8;
    difok = 6;
    dcredit = -1;
    ucredit = 1;
    ocredit = -1;
    lcredit = 1;
    enforce_for_root = true;
  };
};

Steps To Reproduce

Steps to reproduce the behavior:

  1. Use above configuration
  2. Run passwd command
  3. Enter wrong current password
  4. Enter new password. Result: "Password changed successfully."

Expected behavior

I should not be allowed to change password using wrong current password.

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.47, NixOS, 23.05 (Stoat), 23.05.3085.2ab91c8d65c0`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.5`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`


aikooo7 commented 9 months ago

I'm not really understanding what you mean by "wrong current password", that means you can just change the password using any password? So it is not checking if the password is correct?

gangaram-tii commented 9 months ago

Yes

felbinger commented 5 months ago

I could confirm this behavior on NixOS 24.05

nixos-discourse commented 5 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/enforcing-strong-passwords-on-nixos-pam-pwquality-so-module-not-known/36420/7

NotAShelf commented 5 months ago

I cannot confirm this behaviour on NixOS 24.11. Upon entering a wrong password, followed by a new password and the confirmation of the new password you will receive a token manipulation error.

felbinger commented 4 months ago

That's weird, because the issue still exists on my system:

sudo adduser test
echo 'test:C51.kH9wGnwHwJVRkN19' | sudo chpasswd
sudo su test
passwd
Changing password for test.
Current password: NotTheRealPassword
New password: AnyThingThatFits-P0licy
Retype new password: AnyThingThatFits-P0licy
passwd: password updated successfully
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.8.12, NixOS, 24.11 (Vicuna), 24.11.20240616.b60ebf5`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.22.1`
 - nixpkgs: `/nix/store/5w7nhyvrgsa81h0kyifmbl6j97hvlzh5-source`

@NotAShelf Do you have anything besides the above security.pam.services.passwd.rules.password.pwquality configured?

NotAShelf commented 4 months ago

You're right, I had another PAM rule that caused an override. Removing it would cause passwd to change passwords without the old password.

I think the line responsible is

password sufficient pam_unix.so nullok yescrypt # unix (order 10200)

in /etc/pam.d/passwd. Other distros have this set to required, but NixOS seems to be defaulting to sufficient since 19.05.

felbinger commented 4 months ago

@Majiir as the maintainer of the pam module, how should we proceed? Is this an actual error in the module that needs to be investigated, or have we just made a mistake in the configuration from above?

felbinger commented 4 months ago

@NotAShelf But without the pwquality pam module, the line you mentioned is also included in the /etc/pam.d/passwd. Without loading the above configuration the old password is still required, so I'm wondering why you think that this line causes the issue :thinking:

NotAShelf commented 4 months ago

My guess was kinda random, making comparisons to my Arch box and some man pages of PAM. In my testing, I got to override that sufficient with required - which led to a different error.

Majiir commented 4 months ago

In my testing, I see passwd: password updated successfully, but the user's password does not actually change if the current password given is incorrect. So, I don't think there is an actual security problem here.

The man pages for pam_pwquality and pam_unix both recommend setting use_authtok for pam_unix. They also show in examples, but do not explicitly discuss, using the required control for pam_unix. Password checking works correctly using this config in addition to the config posted above:

security.pam.services.passwd.rules.password.unix = {
  control = lib.mkForce "required";
  settings.use_authtok = true;
};

Is this an actual error in the module that needs to be investigated, or have we just made a mistake in the configuration from above?

I wouldn't say it's an error in the module, but it's certainly a rough edge. I'm not sure why NixOS uses sufficient for pam_unix in a few places.

A good way to make this easier for users would be to add a NixOS module (i.e. security.pam.pwquality) that sets up both rules.
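The thread turns on how PAM evaluates the `sufficient` control on the `pam_unix.so` line that NotAShelf quoted from /etc/pam.d/passwd, and on why Majiir's `control = lib.mkForce "required"` change makes the current-password check bite. The following is an added illustration, not code from nixpkgs or from libpam: a small model of the control-flag rules documented in pam.conf(5) (`required`, `requisite`, `sufficient`, `optional`), run over one pass of a constructed two-line password stack. The module return values are assumptions chosen for the example (pam_pwquality returning success in the preliminary pass, pam_unix returning a failure code when the current password is wrong); the `use_authtok` data flow between the two modules is not modelled.

```python
# Added example: a model of Linux-PAM control-flag evaluation for a single pass
# over a stack, following the rules in pam.conf(5). It is not libpam itself and
# is not part of nixpkgs; module return values below are assumed for illustration.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"            # returned when no module decided anything
PAM_AUTHTOK_RECOVERY_ERR = "PAM_AUTHTOK_RECOVERY_ERR"  # assumed stand-in for pam_unix's
                                                      # "current password wrong" result


def run_stack(stack, results):
    """Evaluate one pass over a PAM stack.

    stack:   list of (control, module) in file order, e.g. ("required", "pam_unix")
    results: dict module -> return code that module produces in this pass
    Returns the code the framework would hand back to the application (passwd).
    """
    status = None  # None == no module has set an impression yet
    for control, module in stack:
        rc = results[module]
        ok = rc == PAM_SUCCESS
        if control == "required":
            # A failure is recorded (the first one wins) but the stack keeps
            # running, so later modules still execute.
            if not ok and status in (None, PAM_SUCCESS):
                status = rc
            elif ok and status is None:
                status = PAM_SUCCESS
        elif control == "requisite":
            # Like required, but a failure ends the stack immediately.
            if not ok:
                return rc
            if status is None:
                status = PAM_SUCCESS
        elif control == "sufficient":
            # Success with no earlier required failure ends the stack with
            # success. A FAILURE of a sufficient module is simply ignored,
            # which is the behaviour at the centre of this issue.
            if ok and status in (None, PAM_SUCCESS):
                return PAM_SUCCESS
        elif control == "optional":
            # Only counts when nothing else in the stack has decided.
            if ok and status is None:
                status = PAM_SUCCESS
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return PAM_PERM_DENIED if status is None else status


# Constructed stacks. The first mirrors the two /etc/pam.d/passwd lines discussed
# in the thread (pam_pwquality as "required" ordered before NixOS's default
# "sufficient" pam_unix); the second applies the change Majiir suggested.
DEFAULT_STACK = [("required", "pam_pwquality"), ("sufficient", "pam_unix")]
HARDENED_STACK = [("required", "pam_pwquality"), ("required", "pam_unix")]

# Assumed module behaviour in the preliminary pass: pam_pwquality has nothing
# to verify yet and succeeds; pam_unix asks for the current password and fails
# when it is wrong.
WRONG_CURRENT = {"pam_pwquality": PAM_SUCCESS, "pam_unix": PAM_AUTHTOK_RECOVERY_ERR}
RIGHT_CURRENT = {"pam_pwquality": PAM_SUCCESS, "pam_unix": PAM_SUCCESS}


def prelim_outcomes():
    """Result of the preliminary pass for each stack/password combination."""
    return {
        "default/wrong": run_stack(DEFAULT_STACK, WRONG_CURRENT),
        "default/right": run_stack(DEFAULT_STACK, RIGHT_CURRENT),
        "hardened/wrong": run_stack(HARDENED_STACK, WRONG_CURRENT),
        "hardened/right": run_stack(HARDENED_STACK, RIGHT_CURRENT),
    }


if __name__ == "__main__":
    for name, rc in prelim_outcomes().items():
        print(f"{name:15} -> {rc}")
```

With the default stack, pam_unix's rejection of the wrong current password is discarded because it is `sufficient`, and the stack's result is the `PAM_SUCCESS` left behind by the `required` pam_pwquality line; passwd therefore proceeds and reports success regardless of whether anything was actually written. With pam_unix as `required`, the failure is recorded and propagates to the application, which is the behaviour the issue author expected.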