How does an administrator reset the password of a user that cannot remember her password? I used to just manually edit master.passwd when I (frequently) had to do this. This no longer works, and I don't like doing it that way anyway. If (as root) I `passwd user` I am prompted for the current password. Since I don't know it, I cannot set a new password.

Two things sound strange. Passwords are not written verbatim in master.passwd, so changing it there should never work. Second, as root you should be able to change any password, without being asked for the old one. Passwords are never deciphered. They are written in ciphered form, and user password when entered is also ciphered before comparison to stored password. Also, user password is not the only one which could work (give correct ciphered form), but such sequences are reasonably rare, and it is not easy to get one from ciphered form, but ciphered forms should't be exposed anyway.

I don't know when this started; but as root, I do always get asked for the old password, which doesn't make sense to me. I ended up reverting to editing master.passwd, and copying the hash from an account with a known password, to the account with the unknown password. Then I was able to enter the "old password" (the one from the other account) so I could set a new temporary password. This is NetBSD 10.0, I should've mentioned that earlier. GENERIC amd64. I have not built my own kernel since upgrading to 10.0, so it is still genuinely the "GENERIC" (GENERIC64?) one. Once upon a time, I could use pwhash to give me an encoded string to put in master.passwd. I don't know how long ago I could do that, but I cannot anymore. I don't recognise the output of pwhash anymore. `$argon2id$v` et cetera.

Did you edit passwd with `# vipw` ?

@"Jay"#p18115 I don't think I've ever used that. For what it's worth, master.passwd might well be descended directly from the shadow file I used since Solaris 8, copied to the first machine I ran NetBSD on (5.0), and never replaced since.

@"kc9udx"#p18114 chpass should also allow to change password of user from root

@"kc9udx"#p18116 it is similar to visudo. You can edit passwd file with that.

Reset user's password

kc9udx

Jay
But that just gives a hash; deleting which still leads me to an "old password" that I can't enter.

Jay
What is the advantage?

Jay

kc9udx https://www.netbsd.org/docs/guide/en/netbsd.html#chap-boot-shadow-passwords

kc9udx

Jay so aside from the semaphoring, pwd_mkdb being run is the difference. I don't know why, but I've never needed that: any changes I make seem immediate. Perhaps cd /var/yp && make causes this also?

Mind you, for a long time, I normally use usermod except to brute-force change passwords as above.

rvp

kc9udx If (as root) I passwd user I am prompted for the current password.

Hmm. The only way I can see this happening is if your password database is messed up: there's more than one root user with other UIDs, for instance.

What does this command when run as root show?

id

What I would suggest is:

rm -v /etc/pwd.db /etc/spwd.db
run vipw
get rid of any hinky-looking entries.
save and exit.

That'll rebuild a clean database.

kc9udx

# id uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)

~~Well, I'll do that, and try again.~~

No dice. I still get prompted for "Old Password".

rvp

kc9udx

Post the output of these commands:

ls -l /etc/master.passwd /etc/passwd /etc/group /etc/pwd.db /etc/spwd.db
ls -l /usr/bin/passwd
cat /etc/nsswitch.conf
find /usr/lib -name *nss_*so*

Can you check your /etc/master.passwd against this one. See if you have the same no. of fields with the same values (not the passwords or full names, obviously)
Compare your /etc/master.passwd against /etc/passwd and /etc/group. Make sure that passwd and master.passwd match up.

Run this command as root. Don't enter any password--press ENTER--let the command exit. Compress and post the ktrace.out file.

ktrace -di -f /tmp/ktrace.out passwd

kc9udx

rvp
l.

# ls -l /etc/master.passwd /etc/passwd /etc/group /etc/pwd.db /etc/spwd.db
-rw-r--r--  1 root  wheel    821 Mar  6  2024 /etc/group
-rw-------  1 root  wheel   3516 Oct 23 15:50 /etc/master.passwd
-rw-r--r--  1 root  wheel   2661 Oct 23 15:50 /etc/passwd
-rw-r--r--  1 root  wheel  40960 Oct 23 15:50 /etc/pwd.db
-rw-------  1 root  wheel  40960 Oct 23 15:50 /etc/spwd.db
# ls -l /usr/bin/passwd
-r-sr-xr-x  2 root  wheel  38224 Mar 28  2024 /usr/bin/passwd
# cat /etc/nsswitch.conf
#       $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna Exp $
#
# nsswitch.conf(5) -
#       name service switch configuration file
#


# These are the defaults in libc
#
#group:         compat 
#group_compat:  nis
group:          files 
hosts:          files dns
netgroup:       files [notfound=return] 
networks:       files
#passwd:                compat
#passwd_compat: nis
passwd:         files 
shells:         files


# List of supported sources for each database
#
# group:                compat, dns, files, nis
# group_compat:         dns, nis
# hosts:                dns, files, nis, mdnsd, multicast_dns
# netgroup:             files, nis
# networks:             dns, files, nis
# passwd:               compat, dns, files, nis
# passwd_compat:        dns, nis
# shells:               dns, files, nis
# find /usr/lib -name *nss_*so*
/usr/lib/nss_mdnsd.so.0
/usr/lib/nss_multicast_dns.so.0

As far as I can tell.
I'm not sure what to check in /etc/group but it looks sane; passwd vs master.passwd checked out, but I have now gone as far as renaming passwd and letting vipw create it.
Termbin

rvp

kc9udx

can you restore the default /etc/nsswitch.conf
is any domainname= set in /etc/rc.conf? (yes, I think)
is a NIS/YP server running? (also yes, it looks like)

Are 2. and 3. needed?

kc9udx

rvp 1. I don't think so; since this is a NIS server; wouldn't the way it is now be correct for that?

Yes
This is the NIS master server for this LAN. I have a slave server but it is long-term offline.

rvp

kc9udx 1. I don't think so; since this is a NIS server; wouldn't the way it is now be correct for that?

Ah, OK, but the default file should also work fine, I think, with programs then just connecting to localhost.

kc9udx 3. This is the NIS master server for this LAN.

OK. I don't know much about NIS (except that it stands for Yellow Pee--seriously: see HISTORY), but, it seems to me that root should be asked for their current password when changing any password on the local system via NIS; and that this should not be allowed at all when root is on a client system (because, I believe, passwords are sent en clair in NIS).

However, I'll have to look at the code and learn something more of NIS first.

But, if root wants to change passwords on a system running NIS, then it can be done directly (ie. w/o going through the NIS server). pam_unix(8) says that adding a passwd_db=files like this in /etc/pam.d/system should work:

password        required        pam_unix.so             no_warn try_first_pass passwd_db=files

kc9udx

rvp I don't know who came up with "yellow pee". I've never heard that, and it wouldn't make sense like "yellow pages" does, which is the only explanation I've ever heard. In the olden days here, if you wanted to look up a phone number or address, you'd look in the Yellow Pages. (White Pages for residential, but there were iconic TV ads for the Yellow Pages, so that's why it's significant.)

Well anyway, the PAM system change did the trick. I never took the time to understand PAM, so I would've never found that without your help. Thank you!

Also; what NIS sends for passwords looks exactly like master.passwd
In the past, the passwords would be decoded and sent as plaintext, that was a cheap way to find out everyone's password.

Now, I'm guessing PAM is behind the fact that I cannot telnet to this server from a NetBSD machine, since upgrading to 10.0.

rvp

kc9udx I don't know who came up with "yellow pee".

OpenBSD joke, methinks.

kc9udx In the past, the passwords would be decoded and sent as plaintext,

Oh I doubt that: passwords were always the result of a one-way hash function; there being no way to get back the plaintext except by brute-forcing or hash-matching against a pre-built dictionary. But, typed-in old passwords are still sent in the clear, I see, from reading the source. I think I can see why: unless the implementations are the same, the machines could be using different hashing schemes: DES on an old server and MD5 on the client, say.

BTW, can you see this on the wire now? Might need an old-fashioned hub instead of a switch...

kc9udx Now, I'm guessing PAM is behind the fact that I cannot telnet to this server from a NetBSD machine, since upgrading to 10.0.

Could be. What's the error when run with -D ...

EDIT: telnet from a 9.4_STABLE client (in QEMU) to a -HEAD server worked w/o any config. Just uncommented the server lines in /etc/inetd.conf

kc9udx

rvp I haven't got to the bottom of it at all. I can telnet from there (or any other machine, NetBSD, Amiga, windows, Linux) to the other machines I have running NetBSD 10.0. And any machine not running NetBSD (ie not using SRA) to that one, but not from any machine running NetBSD.

BTW I forgot to write: -D doesn't give any indication of a problem. The client sees
Password:valid password

[ SRA accepts you ]

NetBSD/amd64 (hostname.domainname) (pts/1)

Connection closed by foreign host.
$

rvp

kc9udx Can't say w/o seeing a lot more logs or a full ktrace -di output of telnetd, but, it looks like login hasn't run for some reason (by the time the banner is printed this should've happened, actually, but, can't see any msgs. from login--unless you've got a ~/.hushlogin present).

Try this out:

root$ mv /usr/bin/login /usr/bin/login.orig

root$ cat <<\EoF
#!/bin/sh
echo "$@"
env
cat
EoF

root$ chmod 755 /usr/bin/login

Then, try telnet from where it's not working. The cat should echo back whatever you type in.

You may be able to work-around this by passing -a none or -a off to telnetd

kc9udx

rvp
1 there is no .hushlogin
2 replacing /usr/bin/login with that script did nothing different.
3 telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a off has been in /etc/inetd.conf as long as I've been running NetBSD. I don't exactly recall why without digging through my notes. But I'm pretty sure it's because a certain client cannot login otherwise; I would guess MiamiDx.
4 oddly, when I try -a valid today, I get telnetd: unknown authorization level for -a on the client (NetBSD 10.0)

Also: This is starting to look NIS related again. In the past, I thought that if I telnet localhost from the server in question, I would have the same results as trying to telnet there from another NetBSD machine. But today, it works. It doesn't work right, but it works:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.domainname.
Escape character is '^]'.
Trying SRA secure login:
User (root): myself
Password:
[ SRA accepts you ]

NetBSD/amd64 (hostname.domainname) (pts/1)

login: myself
Password for myself@hostname.domainname:
Last login: Sat Mar 30 12:03:56 2024 from 192.168.0.255 on pts/0
NetBSD 10.0 (GENERIC) #0: Thu Mar 28 08:33:33 UTC 2024

Welcome to NetBSD!

$

rvp

kc9udx It doesn't work right, but it works:

That's a bug. See PR# 58787

kc9udx It isn't any NetBSD client that can't login to that server, it's only certain ones. Those certain ones are all on one branch of my LAN, which makes me very suspicious.

A /etc/login.access lying around would do that, except:

NetBSD, by default, doesn't come with a /etc/login.access
Even if you had one in place, it would not have been read with -a valid because of PR# 58790.
And, even when you start telnetd with -a off (so that it is login which does auth./access ctl.), login does read that file, but, that wouldn't matter when we've replaced login with the script, above (nothing in that shell script reads that file!).

So, I dunno what's happening here.

Can you try the patch in PR# 58787 with this sra.c, then run both the server and failing client under script with the debugging options turned on?

You don't need to compile the whole system just libtelnet and telnetd will do. Assuming tools are in /usr/tools:

root# mkdir /tmp/obj

root# cd /usr/src/lib/libtelnet
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1 obj
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1

root# cd /usr/src/libexec/telnetd
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1 obj
root# make TOOLDIR=/usr/tools MAKEOBJDIRPREFIX=/tmp/obj MAKEVERBOSE=1

root# mv /usr/libexec/telnetd /usr/libexec/telnetd.orig
root# install -m 555 /tmp/obj/usr/src/libexec/telnetd/telnetd /usr/libexec/telnetd

Run the server as:

script -c '/usr/libexec/telnetd -a <off|valid> -debug -edebug -D options -D report -D netdata -D ptydata' /tmp/server.txt

Run the client as:

script -c 'telnet <server>' /tmp/client.txt

Email me both /tmp/*.txt files. (Remember to change your password, or to use a temp. user because the debug output'll have that.)

EDIT: Are you passing the -U flag to telnetd? (might cause problems for clients with no valid hostnames)

kc9udx

Well this is more bizarre than I thought and getting embarrassing. It isn't any NetBSD client that can't login to that server, it's only certain ones. Those certain ones are all on one branch of my LAN, which makes me very suspicious.

kc9udx

Hopefully in a couple weeks I'll get time to play with this. ~~In the meanwhile, I'll check to see if for some reason I have /etc/login.access . I sure don't think I should, but I'll check.~~ The first thing I need to do is try a different network branch. Right now I'm going through a dd-wrt based wireless access point. Something is very fishy there.

No, I don't run telnetd with -U

I don't have /etc/login.access. But I must have a serious network configuration error somewhere. I'm not exactly sure how this is affecting telnet this way unless somewhere a port is blocked. Unfortunately I won't have time to figure that out or do anything else with this probably till the end of the month.

kc9udx

I did find out I was wrong about the networking. Where the devices in question were on the network didn't really matter. The problems were just being intermittent in a way to make it appear like a network problem.

In the meanwhile, before I had a chance to diagnose further, I ended up upgrading all machines to NetBSD-daily 202411301030. This solved all problems in question in every direction.

telnetd has obviously changed. Most notably it now doesn't prompt for a username if a username is known.

rvp

kc9udx telnetd has obviously changed. Most notably it now doesn't prompt for a username if a username is known.

Yeah, PR# 58787 has been fixed (and pulled up to 10-STABLE); PR# 58790 should go in too. Have you managed to test with that sra.c file?

kc9udx

rvp no; I stupidly forgot that termbin would expire it so I relied on it being there and it wasn't when I tried to get it.