Cannot change user passwords

koudou

I moved users from an old server to a new one by saving all users and restoring on the new one.

Everything looks fine, except I cannot change the users' passwords.

In DA as admin, I can request the change, but it always answers with an error.
DA says : "Error changing password"

Error log says :
[notice] caught SIGTERM, shutting down
[notice] SSL FIPS mode disabled
[warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] SSL FIPS mode disabled
[warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[notice] Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0-fips DAV/2 PHP/5.2.17 configured -- resuming normal operations


I can manually change passwords in /etc/shadow and it works.

Any suggestions?

Michel
 
Result of debug

This is the result of debug (I just replaced the real IP with 99.99.99.99 for security reasons: I am under brute-force attacks at the moment).

I am a little bit surprised as it checks file /usr/bin/passwd (not existing) and never goes to /etc/shadow where the password is.
In fact, I do not know exactly what directadmin should do.

My first thought was
-read shadow,
-replace password in user line
-write the file
Where am I wrong?


====================



Sockets::handshake - begin
Sockets::handshake - end
/CMD_USER_PASSWD
0: Accept-Encoding: gzip, deflate
1: Accept-Language: en-us,en;q=0.7,fr-fr;q=0.3
2: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
3: Connection: keep-alive
4: Content-Length: 53
5: Content-Type: application/x-www-form-urlencoded
6: Cookie: wordpress_polylang=en; __utma=45944621.1495621769.1343316726.1343316726.1343316726.1; __utmz=45944621.1343316726.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=45944621; session=OH5pqF0C7eUoNjtkigmwH2tl30e2XcuwszlgCkqIOL6l2xTkdFevFYeGYIG5sAzi
7: Host: 99.99.99.99:2222
8: Referer: https://99.99.99.99:2222/HTM_USER_PASSWD
9: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0.1
Post string: username=essaiml&passwd=Nfakepass1&passwd2=Nfakepass1
Checking referer https://99.99.99.99:2222/HTM_USER_PASSWD to 99.99.99.99:2222
Referer check passed: 99.99.99.99=99.99.99.99 2222=2222
Command::doCommand(/CMD_USER_PASSWD)
executeAsUser('/usr/local/bin/php', 512, diradmin, 1, '<?php

/*
This script is to enforce a level of password difficulty that users must use.
You can change the minimum length if you wish, the default is 6.
The requirement for special characters is disabled by default.

To disable any function, simply add // in front of its call below.
To enable any disabled function, remove the // from in front of its call.
Do this at the FUNCTION CALL section of the script:

*/


$min_length = 6;
$pass = getenv("password");
$random_password_length = getenv("random_password_length");

if ($random_password_length < $min_length)
{
$min_length = $random_password_length;
}


//FUNCTION CALL section

check_length($pass);
enforce_mixed_case($pass);
enforce_numbers($pass);
//enforce_shift_chars($pass);

//FUNCTION CALL section, end

//passes the test
echo "Password OK\n";

exit(0);


function enforce_shift_chars($str)
{
if (!has_shift_chars($str))
{
echo "Password must have at least one special character such as !@#%$ etc..\n";
exit(3);
}
}

function enforce_numbers($str)
{
if (!has_numbers($str))
{
echo "Password must have numbers\n";
exit(2);
}
}

function enforce_mixed_case($str)
{
if (!has_caps($str) || !has_lower_case($str))
{
echo "Password must have both upper and lower case characters\n";
exit(2);
}
}

function check_length($str)
{
global $min_length;
if (strlen($str) < $min_length)
{
echo "Password is too short. Use at least $min_length characters\n";
exit(1);
}
}

function has_shift_chars($str)
{
//return ereg("[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+", $str);
return preg_match("/[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+/", $str);
}

function has_numbers($str)
{
//return ereg("[0-9]+", $str);
return preg_match("/[0-9]+/", $str);
}

function has_caps($str)
{
//return ereg("[A-Z]+", $str);
return preg_match("/[A-Z]+/", $str);
}

function has_lower_case($str)
{
//return ereg("[a-z]+", $str);
return preg_match("/[a-z]+/", $str);
}

exit(0);

?>
', int *child_pid, *snd, group=(null)) uid=497 gid=497
sh: /usr/bin/passwd: No such file or directory
Database::connect 0
Database::connect 0.5 - da_admin : 95IcnsXn
Database::connect 1
Database::connect 5
executeAsUser('/usr/local/bin/php', 512, diradmin, 1, '<?php

/*
This script is to enforce a level of password difficulty that users must use.
You can change the minimum length if you wish, the default is 6.
The requirement for special characters is disabled by default.

To disable any function, simply add // in front of its call below.
To enable any disabled function, remove the // from in front of its call.
Do this at the FUNCTION CALL section of the script:

*/


$min_length = 6;
$pass = getenv("password");
$random_password_length = getenv("random_password_length");

if ($random_password_length < $min_length)
{
$min_length = $random_password_length;
}


//FUNCTION CALL section

check_length($pass);
enforce_mixed_case($pass);
enforce_numbers($pass);
//enforce_shift_chars($pass);

//FUNCTION CALL section, end

//passes the test
echo "Password OK\n";

exit(0);


function enforce_shift_chars($str)
{
if (!has_shift_chars($str))
{
echo "Password must have at least one special character such as !@#%$ etc..\n";
exit(3);
}
}

function enforce_numbers($str)
{
if (!has_numbers($str))
{
echo "Password must have numbers\n";
exit(2);
}
}

function enforce_mixed_case($str)
{
if (!has_caps($str) || !has_lower_case($str))
{
echo "Password must have both upper and lower case characters\n";
exit(2);
}
}

function check_length($str)
{
global $min_length;
if (strlen($str) < $min_length)
{
echo "Password is too short. Use at least $min_length characters\n";
exit(1);
}
}

function has_shift_chars($str)
{
//return ereg("[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+", $str);
return preg_match("/[\~\!\@\#\$\%\^\&\*\(\)\-\=\_\+\{\}\:\;\|\<\>\,\.\?\/]+/", $str);
}

function has_numbers($str)
{
//return ereg("[0-9]+", $str);
return preg_match("/[0-9]+/", $str);
}

function has_caps($str)
{
//return ereg("[A-Z]+", $str);
return preg_match("/[A-Z]+/", $str);
}

function has_lower_case($str)
{
//return ereg("[a-z]+", $str);
return preg_match("/[a-z]+/", $str);
}

exit(0);

?>
', int *child_pid, *snd, group=(null)) uid=497 gid=497
Command::doCommand(/CMD_USER_PASSWD) : finished
Command::run: finished /CMD_USER_PASSWD
 
/usr/bin/passwd is the link to the passwd program, not the password list. You need to find the location of your passwd program and link to it from /usr/bin/passwd.

What OS Distribution and version are you using? I ask because DirectAdmin should know where your passwd program is.

Jeff
 
passwd

Hi Jeff,

Thank you for your answer

I found passwd in /etc/passwd with a whereis

OS distribution is CentOS 6.0 64-bit and DirectAdmin is automatically updated (last update July 4th, server version 1.40.1).

I linked /usr/bin/passwd to /etc/passwd with

ln /etc/passwd /usr/bin/passwd

I still have the same error (even when restarting : service directadmin restart ) because /usr/bin/passwd is permission denied :

sh: /usr/bin/passwd: Permission denied

The permissions of /etc/passwd are
-rw-r--r-- 2 root root 2079 27 juil. 16:40 passwd

/etc/passwd does not look like a program.
It looks like a text file with one line per user. The user I created for this investigation has its line:
essaiml:x:524:526::/home/essaiml:/bin/false

no idea of what this means ...
 
My actual password file is not in /etc/passwd but in /etc/shadow

there is no passwd file in /usr/bin/

I upgraded the system to Centos 6.3 and Directadmin to 1.41.1 but still the same...

I do not understand what is wrong ...

For the moment, when a user wants to change their password, I cannot use DirectAdmin: I crypt the password and replace it directly in shadow. This is not very convenient, but hopefully they do not want to change passwords every week.
 
The passwd command is different from the actual file that stores the passwords or username settings. Anything in /etc is a config and not a binary file. If /usr/bin/passwd is missing on your server then something is definitely wrong.

You might need to do something like:

Code:
yum reinstall passwd
 
Let's try the reply over again:

/etc/passwd is the historical passwd file, readable by everyone. For security, most distributions have moved the passwords themselves to /etc/shadow, but you still need the usernames in both files, and both files in the correct format.

It appears you're not finding the binary file that changes passwords. User scsi suggests reinstalling it. If that doesn't work, try installing it.

Jeff
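
A diagnostic for the two conditions discussed in this thread, added here as an example (it is not DirectAdmin code and not from any poster): whether /usr/bin/passwd is a real executable rather than a link to the account database, and whether a user has a well-formed entry in both /etc/passwd and /etc/shadow. The function names and status strings are made up for this example.

```shell
#!/bin/sh
# Paths are parameters so the checks can be run against copies;
# the defaults are the live system paths.

# check_passwd_binary [BIN] [DB] -> missing | linked-to-db | not-executable | ok
check_passwd_binary() {
    bin=${1:-/usr/bin/passwd}
    db=${2:-/etc/passwd}
    if [ ! -e "$bin" ]; then
        echo missing           # "sh: /usr/bin/passwd: No such file or directory"
    elif [ "$bin" -ef "$db" ]; then
        # Same file as the account database (the result of
        # `ln /etc/passwd /usr/bin/passwd`): writing one writes the other.
        echo linked-to-db
    elif [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo not-executable    # "sh: /usr/bin/passwd: Permission denied"
    else
        echo ok
    fi
}

# check_account USER [PASSWD_FILE] [SHADOW_FILE]
#   -> no-passwd-entry | bad-passwd-format | password-not-shadowed
#    | no-shadow-entry | ok
check_account() {
    user=$1
    pw=${2:-/etc/passwd}
    shadow=${3:-/etc/shadow}
    # passwd(5): name:password:UID:GID:GECOS:home:shell (7 fields).
    # An "x" in field 2 means the hash is stored in the shadow file.
    fields=$(awk -F: -v u="$user" '$1 == u { print NF ":" $2; exit }' "$pw")
    [ -n "$fields" ] || { echo no-passwd-entry; return 0; }
    [ "${fields%%:*}" -eq 7 ] || { echo bad-passwd-format; return 0; }
    [ "${fields#*:}" = "x" ] || { echo password-not-shadowed; return 0; }
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$shadow" \
        || { echo no-shadow-entry; return 0; }
    echo ok
}
```

Called with no path arguments as root (for example `check_passwd_binary` and `check_account essaiml`), the functions inspect the live files; reading /etc/shadow requires root.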
 