conf/157500: posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd

Nicolas de Bari Embriz Garcia Rojas nbari at
Wed Jun 1 15:40:09 UTC 2011

>Number:         157500
>Category:       conf
>Synopsis:       posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 01 15:40:09 UTC 2011
>Originator:     Nicolas de Bari Embriz Garcia Rojas
>Release:        8.1-STABLE
FreeBSD 8.1-STABLE FreeBSD 8.1-STABLE #1: Sun Nov 21 16:09:52 CET 2010     root at  amd64
I have a server using nss_ldap/pam_ldap (all users are stored on an ldap directory) but I notice that  few users where available to change their shell using the command chsh -s /bin/sh. 

In theory chsh like the passwd command should not operate on ldap and just work for local users.

in fact the passwd command output this:
passwd: Sorry, `passwd' can only change passwords for local or NIS users.

when creating an account via web ( - info stored on ldap not localy and in a remote server) and after login for the first time to the server via ssh, the user can execute the command chsh -s /bin/sh and chsh will add the user to the /etc/passwd and /etc/master.passwd (this should not happen) but seems like chsh is ignoring nsswitch.conf:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files

if the user change his password (not using the passwd command) using an alternate script like this  one:


stty -echo
read -p "Old Password: " oldp; echo
read -p "New Password: " np1; echo
read -p "Retype New Password: " np2; echo
stty echo

if [ "$np1" != "$np2" ]; then
  echo "Passwords do not match."
  exit 1

ldappasswd -h -D uid="$USER",ou=people,dc=sign,dc=io\
  -w "$oldp" \
  -a "$oldp" \
  -s "$np1"

The user can still login the the shell but if he want to change his shell again, he has to use his previous password since a new record on /etc/passwd and /etc/master.passwd has been created.

also the this new record does not respect the login.conf, since the entry looks like this:


where in theory they should have a hash beginning with $2 (since blf) is specified on the login.conf

the current login.conf is like this:

  :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
create an account via ldap not locally (live example on 

login the the shell server that uses pam_ldap/nss_ldap (no local users on /etc/master.passwd)  and execute the chsh -s /bin/sh.

chsh will ask for a password the one will be stored or used for creating a new entry on /etc/passwd (later update will update /etc/mater.passwd) (this should not happened)

unknown, maybe temporally disabling chsh 


More information about the freebsd-bugs mailing list