Re: password mismatch
From: Fredderic (ciredderf_at_sumirpi.is_backwards_at.com.au)
Date: Sat, 18 Oct 2003 01:26:30 +1000
On Thu, 16 Oct 2003 05:26:05 -0700, Robert E A Harvey wrote:
>> I took a look at the password file, and noted something rather odd. The
>> existing account passwords all had hi-ascii characters in them, but the
>> one I'd just set with passwd did not. In the end I just copy'n'paste'd
>> his user account password over his root password, so he could at least use
>> it. But he still can't figure out how to change his account passwords.
> I'm more used to seeing a * in there, and the password in the shadow.
> AFAIK pasing another encrypted password should not work, as the
> encryption includes the username.
I generally assume most people consider the passwd and shadow files to be
one and the same... Perhaps I should have been a little more precise.
As for cut'n'paste not working, I was under the belief that it was simply
a one-way-hash of the password, modified by a random key.
> There are a number of ways that 'passwd' can fail - the executable can
> not be setUID to root, the permissions on /etc/passwd and /etc/shadow
> can be wrong. But I would not expect the process to work without
> error messages in that case.
It worked all right. Replaced the password with a new one that looked
just fine. In fact, it looked more "correct" than the ones that were
> It sounds like the system doesn't know what sort of security it is
> using - it is falling between pam and extended passwords and kerberos
> or something like that. Frankly, it will need a lot of unpicking,
> reading of man pages, and the like.
So are you saying that high-ascii characters are not being allowed in
passwords? Or is it another password scheme from the standard Unix PAM?
> Still, if he isn't on line then security is not very important to
I agree... It's just a bit of a concern that the system can get into such
a state in the first place. I'd have thought that the generated password
would contain enough information that no matter which module had generated
it, the same module would be used to verify it.