Changing long passwords causes spurious error

Bug #356766 reported by katre
This bug affects 8 people
Affects        Status        Importance  Assigned to  Milestone
base-passwd    Invalid       Undecided   Unassigned
pam (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

Ubuntu appears to allow arbitrary-length passwords; however, trying to change your password and only changing the last few characters (definitely around 16 characters, probably shorter) is impossible.

To reproduce (characters in angle brackets were typed in):
$ passwd
Changing password for katre.
(current) UNIX password: <REAL PASSWORD>
Enter new UNIX password: <1234567890123456>
Retype new UNIX password: <1234567890123456>
passwd: password updated successfully

$ passwd
Changing password for katre.
(current) UNIX password: <1234567890123456>
Enter new UNIX password: <1234567890123457>
Retype new UNIX password: <1234567890123457>
Bad: new password must be different than the old one

However, login and other utilities demand the full correct password.

Changed in pam (Ubuntu):
status: New → Confirmed
Changed in pam (Ubuntu):
status: Confirmed → Invalid
neuromancer (neuromancer) wrote :

Same here in Ubuntu Karmic 9.10 32 bit.
If I change a user password with passwd there are 2 cases:
1) completely different password --> no problem, password is updated correctly
2) long password and new password is equal to old password except for 1 or 2 last characters --> password isn't updated --> passwd report: Bad: new password must be different than the old one

Maybe the password wasn't updated correctly when the old password was longer than 8 characters and the characters that differ from the new password are in positions beyond 8.

Steve Langasek (vorlon)
Changed in base-passwd:
status: New → Invalid
Changed in pam (Ubuntu):
status: Invalid → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.1-1ubuntu1

---------------
pam (1.1.1-1ubuntu1) lucid; urgency=low

  * Merge from Debian, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
      run-parts does the right thing in /etc/update-motd.d.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent showing
      it again.
    - debian/local/common-{auth,account,password}.md5sums: include the
      Ubuntu-specific intrepid,jaunty md5sums for use during the
      common-session-noninteractive upgrade.

pam (1.1.1-1) unstable; urgency=low

  * New upstream version.
    - restore proper netgroup handling in pam_access.
      Closes: #567385, LP: #513955.
  * Drop patches pam.d-manpage-section, namespace_with_awk_not_gawk, and
    pam_securetty_tty_check_before_user_check, which are included upstream.
  * debian/patches/026_pam_unix_passwd_unknown_user: don't return
    PAM_USER_UNKNOWN on password change of a user that has no shadow entry,
    upstream now implements auto-creating the shadow entry in this case.
  * Updated debconf translations:
    - French, thanks to Jean-Baka Domelevo Entfellner <email address hidden>
      (closes: #547039)
    - Bulgarian, thanks to Damyan Ivanov <email address hidden> (closes: #562835)
  * debian/patches/sys-types-include.patch: fix pam_modutil.h so that it can
    be included directly, without having to include sys/types.h first.
    Closes: #556203.
  * Add postgresql-8.3 to the list of services in need of restart on upgrade.
    Closes: #563674.
  * And drop postgresql-{7.4,8.1} from the list, neither of which is present
    in stable.
  * debian/patches/007_modules_pam_unix: recognize that *all* of the password
    hashes other than traditional crypt handle passwords >8 chars in length.
    LP: #356766.
 -- Steve Langasek <email address hidden> Mon, 01 Feb 2010 09:55:02 -0800

Changed in pam (Ubuntu):
status: Triaged → Fix Released
John Ferlito (johnf-inodes) wrote :

I'm not sure this got fixed. I'm running current Lucid:

ii libpam-modules 1.1.1-2ubuntu1 Pluggable Authentication Modules for PAM
ii libpam-runtime 1.1.1-2ubuntu1 Runtime support for the PAM library
ii libpam0g 1.1.1-2ubuntu1 Pluggable Authentication Modules library

and am still seeing the problem. Let me know if I can help debug in any way.

Steve Langasek (vorlon) wrote :

The code you cited in bug #549915 is no longer present. If you're still seeing problems, perhaps you could help track down the problem in the current code?

paoletto (paoletto) wrote :

I confirm that this bug still exists currently, on Lucid.

David Alfonso (david-alfonso) wrote :

I have this same problem in Lucid and I don't find this bug to be spurious, it always happens if you try to change only the last characters of your password.

By the way, let me add that when you try to change your password through the Ubuntu user interface (System -> Preferences -> About me -> Change password) it will never end the task (I think that the error message should be displayed or at least end in some way).

Jessica McKellar (jesstess) wrote :

I can also confirm this on 10.10, with pam-1.1.1:

$ passwd
Changing password for jesstess.
(current) UNIX password: <12345678aa>
Enter new UNIX password: <12345678bb>
Retype new UNIX password: <12345678bb>
Bad: new password must be different than the old one

You'll get this error if the first 8 characters of the old and new passwords are the same. As mentioned in bug #549915, the diff in debian/patches-applied/007_modules_pam_unix adds a pam_unix/obscure.c, including:

+ if ((msg = password_check(old, new, pwdp)) != NULL)
+ return msg;
+
+ /* The traditional crypt() truncates passwords to 8 chars. It is
+ possible to circumvent the above checks by choosing an easy
+ 8-char password and adding some random characters to it...
+ Example: "password$%^&*123". So check it again, this time
+ truncated to the maximum length. Idea from npasswd. --marekm */
+
+ if (on(UNIX_HASH_MASK,ctrl))
+ return NULL; /* unlimited password length */
+
+ if (oldlen <= 8 && newlen <= 8)
+ return NULL;
+
+ new1 = strndup(new,8);
+ old1 = strndup(old,8);
+
+ msg = password_check(old1, new1, pwdp);
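Review bot: the early return on `on(UNIX_HASH_MASK,ctrl)` is the only thing that keeps the truncated re-check from running for hashes that do not truncate at 8 characters, and the changelog above records that the mask did not cover all of them (the fix "recognize[s] that *all* of the password hashes other than traditional crypt handle passwords >8 chars"); the gate should therefore be "is the configured hash traditional crypt" rather than membership in a mask, otherwise a user on MD5/SHA hashes whose old and new passwords differ only after position 8 gets the generic `must be different than the old one` message from the second `password_check` even though the full passwords differ. Two smaller points on the same lines: the message returned from the truncated re-check should say it applies only to the first 8 characters, since the user sees the same text as for an identical password; and `new1`/`old1` come from `strndup`, so whatever follows `msg = password_check(old1, new1, pwdp);` must free both before returning, which this excerpt does not show.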

So it re-runs password_check on the first 8 characters of your old and new passwords, including a check on if they're the same.

I don't know if people would prefer that UNIX_OBSCURE_CHECKS weren't set by default in Ubuntu, or if the message returned after the second password_check indicated that it only applied to the first 8 characters, or some other option.
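The check sequence jesstess quotes, as an added example that models it (this is not pam_unix's code; `hash_kind` and the `skip_for_non_crypt` switch are assumptions standing in for the `UNIX_HASH_MASK` test, and `password_check` is reduced to the old-equals-new comparison the message comes from). It runs the transcript's `12345678aa` -> `12345678bb` change under the reported gating and under gating that skips the truncated re-check for every hash other than traditional crypt:

```c
/* Simplified model of pam_unix's obscure check (added example, not PAM's code). */
#define _POSIX_C_SOURCE 200809L   /* for strndup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hash identifiers standing in for pam_unix's ctrl flags. */
enum hash_kind { HASH_DES_CRYPT, HASH_MD5, HASH_SHA256, HASH_SHA512 };

/* Only the comparison that yields the message in the transcript; the real
 * password_check also runs similarity and dictionary tests. */
static const char *password_check(const char *oldpw, const char *newpw)
{
    if (strcmp(oldpw, newpw) == 0)
        return "Bad: new password must be different than the old one";
    return NULL;
}

/* Full check followed by the 8-char re-check from the hunk. With
 * skip_for_non_crypt == 0 the re-check runs for every hash (the behaviour
 * reported in this bug); with skip_for_non_crypt != 0 it runs only for
 * traditional DES crypt, the one hash that actually truncates at 8. */
const char *obscure_check(const char *oldpw, const char *newpw,
                          enum hash_kind hash, int skip_for_non_crypt)
{
    const char *msg = password_check(oldpw, newpw);
    if (msg != NULL)
        return msg;
    if (skip_for_non_crypt && hash != HASH_DES_CRYPT)
        return NULL;                      /* unlimited password length */
    if (strlen(oldpw) <= 8 && strlen(newpw) <= 8)
        return NULL;
    char *old1 = strndup(oldpw, 8);       /* compare only the crypt()-visible prefix */
    char *new1 = strndup(newpw, 8);
    msg = password_check(old1, new1);
    free(old1);
    free(new1);
    return msg;
}

int main(void)
{
    /* Constructed input: the passwords from the transcript above. */
    const char *r1 = obscure_check("12345678aa", "12345678bb", HASH_SHA512, 0);
    const char *r2 = obscure_check("12345678aa", "12345678bb", HASH_SHA512, 1);
    printf("re-check on every hash: %s\n", r1 ? r1 : "accepted");
    printf("re-check only for DES:  %s\n", r2 ? r2 : "accepted");
    return 0;
}
```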

Phillip Susi (psusi) wrote :

Update: It looks like this fix somehow got left out of version 1.1.1-1 so it got left out of Maverick. It made it into 1.1.2 and works correctly in Natty.

Andreas Ntaflos (daff) wrote :

It is now May 2011 and this bug is still present in Ubuntu 10.04.2.

Phillip Susi (psusi) wrote :

It isn't going to be fixed in older releases. Upgrade to 11.04.

Ben Davini (godawini) wrote :

I've got 1.1.2-2 and was just bitten by this as well. (Running 11.04)
