Patch Name: PHCO_26904

Patch Description: s700_800 11.04 (VVOS) libpam, libpam_unix cumulative patch

Creation Date: 02/04/18

Post Date: 02/04/22

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: N/A

Filesets:
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No (superseded patches were critical)
    PHCO_25058:
        ABORT
        CORRUPTION
        Based on HP-UX Patch PHCO_24838:
            CORRUPTION
        Based on HP-UX Patch PHCO_24390:
            ABORT
        Based on HP-UX Patch PHCO_23218:
            ABORT
    PHCO_23201:
        MEMORY_LEAK
        CORRUPTION
        Based on HP-UX Patch PHCO_21833:
            CORRUPTION
        Based on HP-UX Patch PHCO_20334:
            MEMORY_LEAK

Category Tags: defect_repair enhancement general_release critical
    halts_system corruption memory_leak

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_26904

Symptoms:
    PHCO_26904:
        Repackaged HP-UX patch PHCO_25527 to VVOS.
        Note that NIS+ is not supported on VVOS.

        Based on HP-UX patch PHCO_25527:

        (SR: 8606220006 CR: JAGad89147)
        LDAP authentication is sometimes incorrect.

        (SR: 8606219011 CR: JAGad88159)
        chkey(1) can fail on a NIS+ trusted system.

    PHCO_25058:
        Repackaged HP-UX patch PHCO_24838 for VVOS.
        Note that NIS+ is not supported on VVOS.

        Based on HP-UX patch PHCO_24838:

        (SR: 8606206632 CR: JAGad75805)
        On a system running NIS+ in trusted mode, an unsuccessful
        password change for a NIS+ user with a non-fully qualified
        domain name (i.e. without the trailing dot) could corrupt
        the NIS+ namespace.

        (SR: 8606196292 CR: JAGad65495)
        On a trusted system, an application using the PAM library
        may be unable to interact with a user to change their
        password. This typically won't be an issue; however, an
        application provider or another patch may direct you to
        install this patch.

        (SR: 8606211302 CR: JAGad80490)
        On a trusted system, the root user may fail to log in on
        the console if his/her account is expired.

        Based on HP-UX patch PHCO_24390:

        (SR: 8606184948 CR: JAGad54150)
        Changing a password on a trusted system could affect
        password aging parameters.

        (SR: 8606203499 CR: JAGad72672)
        (SR: 8606201051 CR: JAGad70227)
        The passwd command could cause libpam_unix to dump core.

        (SR: 8606193672 CR: JAGad62884)
        libpam_unix doesn't print the NIS error message as
        yppasswd used to.

        (SR: 8606202873 CR: JAGad72047)
        No symptoms. Additional password restriction checking is a
        new feature.

        Based on HP-UX patch PHCO_23218:

        (SR: 8606178376 CR: JAGad47603)
        Changing a password could cause libpam_unix.1 to dump core.
        This occurs infrequently. It could occur on any of the
        following repositories: NIS, NIS+, or FILES (local system).

        (SR: 8606174688 CR: JAGad43935)
        Commands which modify the passwd file do not properly update
        a corrupted file.

    PHCO_23201:
        Ported HP-UX patch PHCO_22265 to VVOS.

        Based on HP-UX patch PHCO_22265:

        (SR: 8606156849 CR: JAGad26183)
        The appdata_ptr feature in the pam_conv argument of the
        pam_start(3) function does not always work as documented.
        This typically won't be an issue; however, an application
        provider may direct you to install this patch.

        (SR: 8606161795 CR: JAGad31111)
        If a user's login is aborted while logging into a system
        which is in Trusted Mode and is also an NIS+ client, then
        the user's password could become expired for all systems in
        the NIS+ namespace.

        (SR: 8606105027 CR: JAGab72843)
        audisp(1m) displays successful logins as unsuccessful. This
        applies only to Trusted Systems.

        (SR: 8606160402 CR: JAGad29724)
        On systems converted to Trusted Mode, libpam_unix.1 will
        return PAM_AUTHTOK_EXPIRED when it detects an expired
        password. The PAM standard expects PAM_NEW_AUTHTOK_REQD to
        be returned. This can cause an application to believe that
        an account has expired, when just the password has expired.

        Based on HP-UX patch PHCO_21833:

        (SR: 8606135483 CR: JAGad04617)
        The PAM libraries are intentionally designed to not allow
        login names longer than 8 characters.
        Some users want a way to bypass this restriction, even
        though doing so causes PAM to bypass some security checks
        and may cause some commands to function incorrectly.

        (SR: 8606141855 CR: JAGad11209)
        Setting a one-character encrypted password on a user account
        will corrupt that user's password history database entry, so
        passwd(1) will no longer detect when that user attempts to
        reuse a password. A one-character encrypted password will
        always be initially present on accounts created with
        useradd(1m), and could also be present on accounts which
        have been manually edited. Note that this problem applies
        only to systems running in Trusted Mode, and only to those
        systems in which the password history feature has been
        enabled. Refer to the PHCO_13808 documentation below for a
        description of the password history feature.

        Based on HP-UX patch PHCO_20334:

        (SR: 8606112845 CR: JAGab92700)
        PAM fails to consider the second module when 2 "sufficient"
        flags are in pam.conf.

        (SR: 8606106633 CR: JAGab75907)
        PAM_UNIX does not allow passwords to be changed when
        NSS_LDAP is configured.

        (SR: 8606114183 CR: JAGac23161)
        Memory leak problem in PAM_UNIX which may cause excessive
        memory usage.

        (SR: 8606114226 CR: JAGac23204)
        The user may not see the correct prompt for the password
        because the PAM internal convert function is not passed
        correctly.

        (SR: 1653307520 CR: JAGab24842)
        Users cannot select the minimum password length.

        (SR: 8606136429 CR: JAGab21045)
        PAM uses the backup prompt instead of the prompt.

        (SR: 8606103474 CR: JAGab70250)
        login is unable to change an expired password if the PAM
        module is configured as "sufficient".

        Based on HP-UX patch PHCO_20104:

        Severe delays in login times on trusted systems with a huge
        /etc/passwd.

        (SR: 8606100934 CR: JAGab39910)
        NIS doesn't allow login if the password field is just ",..".

        (SR: 5003436261 CR: JAGaa57141)
        (SR: 8606110341 CR: JAGab83045)
        The command 'passwd -r nis -e /usr/bin/ksh' loops forever.

    PHCO_18875:
        Repackaged HP-UX patch PHCO_15448 for VVOS.

        Based on HP-UX patch PHCO_15448:

        passwd command prompt problem when working with a user's own
        designed NLS catalog.

    PHCO_18908:
        Repackaged HP-UX patch PHCO_15231 for VVOS.

        Based on HP-UX patch PHCO_15231:

        login fails on a trusted replica running NIS+ when the master
        is down.

        Based on HP-UX patch PHCO_13808:

        No symptoms. Password history checking is a new feature.

Defect Description:
    PHCO_26904:
        Repackaged HP-UX patch PHCO_25527 to VVOS.

        Based on HP-UX patch PHCO_25527:

        (SR: 8606220006 CR: JAGad89147)
        In some circumstances an LDAP user could be improperly
        authenticated.

        Resolution:
        LDAP authentication has been enhanced.

        (SR: 8606219011 CR: JAGad88159)
        chkey(1) does not function as documented.

        Resolution:
        chkey(1) now functions properly.

    PHCO_25058:
        Repackaged HP-UX patch PHCO_24838 for VVOS.
        Note that NIS+ is not supported on VVOS.

        Based on HP-UX patch PHCO_24838:

        (SR: 8606206632 CR: JAGad75805)
        libpam_unix.1 is unable to handle non-fully qualified domain
        names.

        Resolution:
        libpam_unix.1 now adds the trailing dot to non-fully
        qualified domain names.

        (SR: 8606196292 CR: JAGad65495)
        libpam_unix.1 sometimes keeps /dev/tty open when calling an
        application-provided function. This might prevent the
        application from interacting with the user.

        Resolution:
        libpam_unix.1 no longer opens /dev/tty.

        (SR: 8606211302 CR: JAGad80490)
        libpam_unix.1 fails to allow root to log in on the console
        if his/her account is expired.

        Resolution:
        libpam_unix.1 now allows the root user to log in on the
        console even if his/her account is expired.

        Based on HP-UX patch PHCO_24390:

        (SR: 8606184948 CR: JAGad54150)
        Changing a password on a trusted system could also modify a
        user's password aging parameters.

        Resolution:
        Changing a password no longer changes password aging
        parameters.

        (SR: 8606203499 CR: JAGad72672)
        (SR: 8606201051 CR: JAGad70227)
        The passwd command could cause libpam_unix to dump core.

        Resolution:
        The cause of the core dump is now resolved.
        (SR: 8606193672 CR: JAGad62884)
        libpam_unix doesn't print the NIS error message as
        yppasswd used to.

        Resolution:
        libpam_unix now correctly prints the NIS error message.

        (SR: 8606202873 CR: JAGad72047)
        A site's security policies sometimes require new passwords
        to contain specific numbers or types of characters, such as
        at least two digits and at least one special character.

        Resolution:
        In addition to the standard password requirements, optional
        entries in the file /etc/default/security specify the
        minimum number of required characters of each type (upper
        case characters, lower case characters, digits and special
        characters) in a new password:

            PASSWORD_MIN_UPPER_CASE_CHARS=N
            PASSWORD_MIN_LOWER_CASE_CHARS=N
            PASSWORD_MIN_DIGIT_CHARS=N
            PASSWORD_MIN_SPECIAL_CHARS=N

        The default value for N is 0. These parameters have effect
        only when a password is changed. On untrusted systems, these
        parameters do not apply to the root user. The file
        /etc/default/security should be owned by root and have 0644
        permissions.

        As an example, to require passwords at least 8 characters
        long, composed of at least 5 upper case characters, 2 lower
        case characters and a digit, include the following lines in
        /etc/default/security, as specified above:

            PASSWORD_MIN_UPPER_CASE_CHARS=5
            PASSWORD_MIN_LOWER_CASE_CHARS=2
            PASSWORD_MIN_DIGIT_CHARS=1

        Based on HP-UX patch PHCO_23218:

        (SR: 8606178376 CR: JAGad47603)
        Changing a password could cause libpam_unix.1 to dump core,
        due to improperly freed memory.

        Resolution:
        libpam_unix.1 now properly frees memory.

        (SR: 8606174688 CR: JAGad43935)
        Commands do not properly update a corrupted passwd file.

        Resolution:
        Improved the error recovery of commands which update the
        passwd file.

    PHCO_23201:
        Ported HP-UX patch PHCO_22265 to VVOS.

        Based on HP-UX patch PHCO_22265:

        (SR: 8606156849 CR: JAGad26183)
        The appdata_ptr feature works for the pam_authenticate(3)
        case, but not for other pam functions. For those other
        functions the appdata_ptr received by the conversation
        function is always null; it should be equal to the
        appdata_ptr field of the pam_start(3) pam_conv argument. See
        the pam_conv argument description in pam_start(3).

        Resolution:
        Now every time libpam_unix.1 calls the application's
        conversation function, it provides (as an argument) the
        appdata_ptr which was passed in to pam_start(3).

        (SR: 8606161795 CR: JAGad31111)
        If a user's login into a Trusted Mode NIS+ client is
        aborted, it could expire the user's password for all systems
        in the NIS+ namespace. This is because libpam_unix.1 updates
        last login information on the NIS+ server, but not on the
        local system.

        Resolution:
        libpam_unix.1 now updates information for unsuccessful
        logins on the local system.

        (SR: 8606105027 CR: JAGab72843)
        libpam_unix.1 improperly audits successful logins, so
        audisp(1m) displays successful logins as unsuccessful.

        Resolution:
        libpam_unix.1 now audits successful logins as successful.

        (SR: 8606160402 CR: JAGad29724)
        HP-UX is inconsistent with the PAM standard with respect to
        the return value for an expired password. libpam_unix.1
        returns PAM_AUTHTOK_EXPIRED when it detects an expired
        password; the PAM standard expects PAM_NEW_AUTHTOK_REQD to
        be returned. This inconsistency causes a problem for
        programs written to run on multiple platforms.

        Resolution:
        When an expired password is detected, libpam_unix.1 now
        returns the standard PAM_NEW_AUTHTOK_REQD instead of
        PAM_AUTHTOK_EXPIRED.

        Based on HP-UX patch PHCO_21833:

        (SR: 8606135483 CR: JAGad04617)
        The PAM libraries intentionally reject login names which are
        longer than 8 characters. This behaviour is changed from
        10.20. Some customers want a way to bypass this restriction.

        Resolution:
        libpam_unix.1 now checks for the existence of a file in the
        /etc/default directory called:

            I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS

        If this file exists, then login names longer than 8
        characters can be added to /etc/passwd, and then those users
        can log in. Note the following restrictions:

        1) HP has never claimed that HP-UX supports user names
           longer than 8 characters, and does not recommend that
           customers bypass the existing length checks. Doing so
           may cause functional and/or security problems.

        2) This patch does not remove the existing user name length
           checks from other commands, e.g. pwck(1m), sam(1m),
           useradd(1m).

        3) Do not enable long usernames on trusted system
           configurations.

        (SR: 8606141855 CR: JAGad11209)
        The Trusted System password history database becomes
        corrupted if a one-character encrypted password was ever
        present on an account.

        Resolution:
        Modified libpam_unix.1 to ignore one-character encrypted
        passwords. This prevents additional corruption of the
        password history database, but does not repair an already
        corrupted database. To repair a corrupted password history
        database it is necessary to remove each file in
        /tcb/files/auth/system/pwhist which has a corrupted user
        entry, or to remove all files in that directory. This
        destroys the password history maintained in those files. It
        does not affect the current passwords.

        Based on HP-UX patch PHCO_20334:

        (SR: 8606112845 CR: JAGab92700)
        PAM account management does not handle 2 "sufficient" flags
        in pam.conf. PAM was returning to the application before
        checking the second module.

        Resolution:
        When 2 modules are present, do not return PAM_SUCCESS after
        processing one module; rather, also check the password
        expiration for the second module.

        (SR: 8606106633 CR: JAGab75907)
        When NSS_LDAP is configured, PAM_UNIX does not allow
        passwords to be changed; thus the following pam.conf
        configuration does not work: "passwd: files ldap". The
        problem is that PAM_UNIX does not know about LDAP.

        Resolution:
        Modified libpam_unix.1 to handle LDAP configurations.

        (SR: 8606114183 CR: JAGac23161)
        Memory leak in libpam; the memory allocated for the message
        was not freed.
        Resolution:
        Free the memory after use.

        (SR: 8606114226 CR: JAGac23204)
        The convert function is not passed correctly. In place of
        the convert function, NULL was passed.

        Resolution:
        Get the convert function from the PAM handle and pass it to
        the output function.

        (SR: 1653307520 CR: JAGab24842)
        The password minimum length is hard-wired to 6 characters in
        libpam_unix.1.

        Resolution:
        libpam_unix.1 now sets the minimum password length to the
        user-defined value of the MIN_PASSWORD_LENGTH=N parameter in
        the /etc/default/security file. For untrusted systems "N"
        can be any value between 6 and 8; for trusted systems "N"
        can be any value between 6 and 80. The default value is 6.
        This parameter has effect only when a password is changed.
        On untrusted systems, this parameter does not apply to the
        root user.

        As an example, create a file called /etc/default/security,
        if it does not already exist, and make it world readable and
        root writable. Add the following line to the file:

            MIN_PASSWORD_LENGTH=8

        (SR: 8606136429 CR: JAGab21045)
        PAM overwrites the prompt with the backup prompt for PAM
        modules which have been configured as "sufficient". It does
        this because it initializes the backup prompt every time,
        whether or not a prompt is configured.

        Resolution:
        The backup prompt is now initialized only when the prompt is
        not set.

        (SR: 8606103474 CR: JAGab70250)
        If a pam module is configured in pam.conf as "sufficient",
        then when a user tries to change an expired password,
        libpam_unix.1 just returns "success" without changing the
        password. The reason for this is that libpam_unix.1 was
        checking an incorrect place for the presence of a flag, so
        it was returning without doing anything.

        Resolution:
        Modified libpam_unix.1 to check in the correct place for the
        presence of the flag which tells it to change the password.
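The /etc/default/security parameters described above (MIN_PASSWORD_LENGTH and the four PASSWORD_MIN_*_CHARS entries) are easiest to reason about when the rules are written out as a check. The following Python is an added illustration of those documented rules, not code from this patch or from libpam_unix.1. It assumes that "special character" means ASCII punctuation, that an out-of-range MIN_PASSWORD_LENGTH is clamped to the documented range (6-8 untrusted, 6-80 trusted) rather than rejected, and that root is exempt only on untrusted systems; the configuration text is constructed from the example values in the text.

```python
"""Password-composition policy check modelled on /etc/default/security
parameters as documented in this patch text. Added illustration, not
libpam_unix.1 code; the config below is a constructed sample."""

import string

# Constructed sample using the example values from the patch text.
SAMPLE_SECURITY = """\
# /etc/default/security (constructed sample)
MIN_PASSWORD_LENGTH=8
PASSWORD_MIN_UPPER_CASE_CHARS=5
PASSWORD_MIN_LOWER_CASE_CHARS=2
PASSWORD_MIN_DIGIT_CHARS=1
"""

# Documented defaults: minimum length 6, no per-class minimums.
INT_KEYS = {
    "MIN_PASSWORD_LENGTH": 6,
    "PASSWORD_MIN_UPPER_CASE_CHARS": 0,
    "PASSWORD_MIN_LOWER_CASE_CHARS": 0,
    "PASSWORD_MIN_DIGIT_CHARS": 0,
    "PASSWORD_MIN_SPECIAL_CHARS": 0,
}


def parse_security(text):
    """Parse KEY=VALUE lines; comments and blank lines are ignored.
    Known integer keys are converted, anything else is kept as a string."""
    cfg = dict(INT_KEYS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        cfg[key] = int(value) if key in INT_KEYS else value
    return cfg


def effective_min_length(cfg, trusted):
    """Clamp MIN_PASSWORD_LENGTH to the documented range (assumption:
    clamping rather than rejecting out-of-range values)."""
    upper = 80 if trusted else 8
    return max(6, min(upper, cfg["MIN_PASSWORD_LENGTH"]))


def check_password(candidate, cfg, trusted=False, user="nobody"):
    """Return the list of violated parameters; an empty list means the
    candidate satisfies the configured policy."""
    # Documented exemption: on untrusted systems the rules skip root.
    if not trusted and user == "root":
        return []
    problems = []
    need_len = effective_min_length(cfg, trusted)
    if len(candidate) < need_len:
        problems.append("MIN_PASSWORD_LENGTH=%d" % need_len)
    # Assumption: "special" means ASCII punctuation.
    counts = {
        "PASSWORD_MIN_UPPER_CASE_CHARS": sum(c.isupper() for c in candidate),
        "PASSWORD_MIN_LOWER_CASE_CHARS": sum(c.islower() for c in candidate),
        "PASSWORD_MIN_DIGIT_CHARS": sum(c.isdigit() for c in candidate),
        "PASSWORD_MIN_SPECIAL_CHARS": sum(c in string.punctuation for c in candidate),
    }
    for key, have in counts.items():
        if have < cfg[key]:
            problems.append("%s=%d" % (key, cfg[key]))
    return problems


if __name__ == "__main__":
    policy = parse_security(SAMPLE_SECURITY)
    for pw in ("ABCDEfg1", "ABCDefg1", "short"):
        print(pw, "->", check_password(pw, policy) or "ok")
```

To run it against a real file, pass the contents of /etc/default/security to parse_security() and set trusted according to the system's mode; the check only reports which parameters a candidate fails, it does not change any password.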
        Based on HP-UX patch PHCO_20104:

        Severe delays in login times on trusted systems with a huge
        /etc/passwd. This is due to the pwgrd daemon spending much
        time rebuilding tables; changing a password updates
        /etc/passwd and so is one cause of pwgrd rebuilding. The fix
        was to not update /etc/passwd when a password is changed on
        a trusted system, because the password is kept in the
        protected password database.

        (SR: 8606100934 CR: JAGab39910)
        If the passwd field is set to ",.." for an account on a NIS
        master, the 11.0 NIS client user is prompted for a password
        and cannot log in.

        Resolution:
        Added a specific check to see if the first character of the
        encrypted password is a ','; this means there is no encrypted
        password, just an aging value.

        (SR: 5003436261 CR: JAGaa57141)
        (SR: 8606110341 CR: JAGab83045)
        When invoked with the '-r nis' option to use the NIS
        repository, the passwd(1) command may hang due to the
        assignment of an illegal pointer. While copying the shell
        information, it was assigned to a local pointer instead of
        copying the pointer contents. Thus, the command was hanging
        when freeing the pointer.

        Resolution:
        The fix was implemented by replacing the pointer assignment
        with strcpy().

    PHCO_18875:
        Repackaged HP-UX patch PHCO_15448 for VVOS.

        Based on HP-UX patch PHCO_15448:

        DSDe443124 - passwd command prompt problem when working with
        a user's own designed NLS catalog.

    PHCO_18908:
        Repackaged HP-UX patch PHCO_15231 for VVOS.

        Based on HP-UX patch PHCO_15231:

        login fails on trusted systems running NIS+ when the master
        is down.

        Based on HP-UX patch PHCO_13808:

        No defect. Password history checking is a new feature
        supported only for local users on trusted systems.

        As an example of how to configure this feature, create a
        file called /etc/default/security, if it does not already
        exist, and make it world readable and root writable. Add the
        following line to the file:

            PASSWORD_HISTORY_DEPTH=10

        This saves the most recent 10 passwords for each user.
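Several of the defects above come down to what is stored in an account's password field: a one-character encrypted password (the initial state of accounts created by useradd(1m), which corrupts the pwhist entry on a trusted system with password history enabled), a field whose first character is ',' (no encrypted password, only an aging value, as in the NIS ",.." case), and login names longer than 8 characters (accepted only when the bypass file in /etc/default exists). The following Python audits passwd(4)-format entries for those conditions. It is an added illustration, not code from this patch; the entries are constructed (the one-character value "*" and the 13-character dummy hashes are assumptions), and the bypass-file path is the one named in the text. On a trusted system the encrypted password is kept in the protected password database rather than in /etc/passwd, so there the password values must be taken from that database before being fed to this check.

```python
"""Audit passwd(4)-format entries for the password-field conditions
described in this patch text. Added illustration, not libpam_unix.1
code; all sample entries are constructed."""

import os

# Path named in the patch text; its presence enables >8-character logins.
BYPASS_FILE = "/etc/default/I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS"

# Constructed sample (name:pw:uid:gid:gecos:home:shell). The hashes are
# dummy 13-character strings, and "*" stands in for a one-character value.
SAMPLE_PASSWD = """\
root:abJnggxhB/yWI:0:3::/:/sbin/sh
newacct:*:201:20:created by useradd:/home/newacct:/usr/bin/sh
nisuser:,..:202:20:aging only:/home/nisuser:/usr/bin/sh
averyverylongname:abJnggxhB/yWI:203:20::/home/averyverylongname:/usr/bin/sh
ok:abJnggxhB/yWI:204:20::/home/ok:/usr/bin/sh
"""

MAX_LOGIN_LEN = 8


def classify_password_field(field):
    """Name the case a password field falls into."""
    if field == "":
        return "empty"
    if field[0] == ",":
        # Leading ',' : no encrypted password, only an aging value.
        return "no-password-aging-only"
    if len(field) == 1:
        return "one-char"
    return "encrypted"


def audit_passwd(text, trusted=False, history_enabled=False,
                 bypass_file=BYPASS_FILE):
    """Return (login, finding) pairs for entries that deserve attention."""
    long_names_enabled = os.path.exists(bypass_file)
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((raw, "malformed entry"))
            continue
        login, pw = fields[0], fields[1]
        kind = classify_password_field(pw)
        if kind == "no-password-aging-only":
            findings.append((login, "no encrypted password (aging value only)"))
        elif kind == "one-char":
            msg = "one-character encrypted password"
            if trusted and history_enabled:
                # Documented impact: corrupts the user's pwhist entry.
                msg += "; corrupts pwhist entry on this trusted system"
            findings.append((login, msg))
        elif kind == "empty":
            findings.append((login, "empty password field"))
        if len(login) > MAX_LOGIN_LEN:
            if long_names_enabled:
                note = "login name longer than 8 characters (bypass file present)"
            else:
                note = "login name longer than 8 characters (bypass file absent; login rejected)"
            findings.append((login, note))
    return findings


if __name__ == "__main__":
    for login, finding in audit_passwd(SAMPLE_PASSWD, trusted=True,
                                       history_enabled=True):
        print("%-20s %s" % (login, finding))
```

The audit reads only; clearing a corrupted history entry is still the manual step described above (removing the affected file under /tcb/files/auth/system/pwhist), and the example reports the bypass file's presence rather than creating it.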
        Users are not allowed to re-use a saved password. The
        passwd(1) manpage available in patch PHCO_13809 provides
        more information about the password history feature.

SR:
    8606112845 8606114226 8606114183 5003244459 5003416552
    8606105404 1653307520 8606136429 8606103474 8606106633
    5003436261 8606110341 8606135483 8606141855 8606156849
    8606161795 8606105027 8606160402 8606178376 8606174688
    8606100934 8606184948 8606203499 8606201051 8606193672
    8606202873 8606206632 8606196292 8606211302 8606220006
    8606219011

Patch Files:
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/lib/security/libpam_unix.1
        /usr/lib/libpam.1
        /usr/lib/nls/msg/C/pam_unix.cat

what(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/lib/security/libpam_unix.1:
            $ PHCO_25527 Oct 12 2001 15:26:03 $
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/lib/libpam.1:
            $ PHCO_25527 Oct 3 2000 12:59:12 $
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/lib/nls/msg/C/pam_unix.cat:
            None

cksum(1) Output:
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        2306880202 184320 /usr/lib/security/libpam_unix.1
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        718612613 36864 /usr/lib/libpam.1
    OS-Core.CORE-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP:
        1019960297 5799 /usr/lib/nls/msg/C/pam_unix.cat

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_18908
    PHCO_18875
    PHCO_23201
    PHCO_25058

Equivalent Patches:
    PHCO_25527:
        s700: 11.00
        s800: 11.00

Patch Package Size: 270 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms and
    conditions for precautions, scope of license, restrictions, and
    limitation of liability and warranties, before installing this
    patch.

    ------------------------------------------------------------

    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_26904

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHCO_26904.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_26904. If you do not wish to retain a
    copy of the original software, use the patch_save_files option:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -x patch_save_files=false -s /tmp/PHCO_26904.depot

    WARNING: If patch_save_files is false when a patch is installed,
    the patch cannot be deinstalled. Please be careful when using
    this feature.

    For future reference, the contents of the PHCO_26904.text file
    are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_26904.depot

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHCO_26904.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    Terminate dtlogin(1) before installing this patch, and restart
    it again after the installation has completed. Note that this
    will terminate all active CDE sessions. If this is not done,
    the installation could intermittently fail if the
    /usr/lib/libpam.1 library is in use by the dtlogin(1) program
    at the time this patch is installed. For example:

        # /usr/sbin/fuser /usr/lib/libpam.1
        /usr/lib/libpam.1: 8541m
        # ps -p8541
        PID TTY TIME COMMAND
        8541 pts/0 0:00 dtlogin
        # /sbin/init.d/dtlogin.rc stop
        # /sbin/init.d/dtlogin.rc start