4

After a series of break-in attempts, I generated new random passwords for all the users on my Ubuntu 12.04.2 LTS server running Virtualmin and then, as root, used chpasswd to change their passwords. I had a couple of user names wrong, and chpasswd detected this and correctly reported the lines with the wrong names, which I corrected.

Then I started to get feedback from the users that their passwords weren't changed...

Well, it seems that chpasswd doesn't seem to have done anything at all - but neither has it reported any sort of error, either on the command line or in any log that I found.

passwd does change passwords - but unfortunately passwd on Ubuntu doesn't seem to accept the --stdin option, so I'd have to do all the password changes by hand one at a time - for almost a hundred accounts. (And I might want to do this again at some point...)

Is chpasswd simply broken, or is there some way I can make it work? Or, is there some substitute for it?

And - should I be reporting a feature deficiency somewhere? I don't believe that "failing silently" is a good result. Perhaps there's something on my system (which uses Virtualmin for domain management but is otherwise quite vanilla) that prevents it from working - but if so, chpasswd should be able to detect this and at least say that it failed to act.

But passwd works perfectly well, so it's clearly possible to change passwords from the command line... One way or the other, it seems like an objective feature deficiency ("bug") to me - should I report it, and if so, where?

Update: stranger yet - some users are reporting their passwords are changed, and some are reporting they aren't. One user who has two accounts has one password changed, one not. I ran through the file again, checking that all the accounts were there, and then ran it through chpasswd again... same results!

I'm baffled. Ideas?

UPDATE: Here's the command line I'm now using:

cat passwords.txt | chpasswd

If I use -S - I see no output - nothing at all! So it seems to be getting nothing... but if I just cat the file:

cat passwords.txt

I get: user:password user2:hunter2 [... etc ...]

More: If I change the first line to be NONuser (an invalid user), I get a perfectly good error:

chpasswd: (user NONuser) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user NONuser) password not changed

So it is in fact reading and processing the file, at least as far as detecting non-users!

Oh, and $? is 0.

Tom Swirly
  • 271
  • 1
  • 3
  • 11
  • Try running the output to stdout instead of the password file with the -S switch -- more info will be provided on failures. Did you check the "error code" -- the value of $? ? – ubfan1 May 13 '13 at 03:21
  • Good questions - I'm adding answers in the post... – Tom Swirly May 13 '13 at 03:46
  • bug 1045786 states the -S switch does nothing, oops. I see one other question stating chpasswd doesn't work. Maybe file another bug? – ubfan1 May 13 '13 at 05:58
  • Good idea, wilco in the morning. – Tom Swirly May 13 '13 at 06:36
  • This is my first try at finding anything in the Ubuntu bug database and I failed completely. Going here: https://help.ubuntu.com/community/ReportingBugs directs you to here https://help.ubuntu.com/community/Launchpad and searching for chpasswd gives me the man page in 22 languages but no bugs. – Tom Swirly May 13 '13 at 17:20
  • The correct page to search is https://bugs.launchpad.net/ubuntu/. I worked backwards by searching for that specific bug number. There is no link to this on either the main LaunchPad page or the Reporting Bugs page(!) so I don't feel totally stupid... – Tom Swirly May 13 '13 at 17:22

1 Answers1

2

I did a lot of systematic testing here, and I no longer think this is an issue with chpasswd.

Instead, it's something to do with ftp - for some reason, ftp still had the OLD passwords, but ssh and all other secure protocols had the new ones.

I fixed it by turning off FTP. :-D I was intending to do that anyway, but I'd accidentally stopped the daemon rather than turned it off permanently (my mistake in using the Virtualmin front end).

My theory - it's an issue with either ProFTPd or Virtualmin - but I am out of time to investigate further. I'm leaving this here in the hopes that it will be useful for the next guy.

Tom Swirly
  • 271
  • 1
  • 3
  • 11