#992430 schroot: user password does not match

Package: schroot
Source: schroot
Description: Execute commands in a chroot environment
Submitter: Sergey Vlasov
Date: 2022-05-28 16:27:03 UTC
Severity: important

#992430#5
Date: 2021-08-18 13:50:57 UTC

Dear Maintainer,

When doing schroot into a buster chroot environment, sudo
commands fail due to password not matching the current user password.
There is no such problem for bullseye chroot environment.

To reproduce:

0. make sure your current user belongs to sudo group

1. create buster chroot environment:

$ sudo debootstrap buster /schroot-bug/buster

2. create schroot configuration file:

$ cat << EOF | sudo tee /etc/schroot/chroot.d/buster
[buster]
type=directory
directory=/schroot-bug/buster
users=$USER
profile=desktop
personality=linux
preserve-environment=false
EOF

3. enter chroot:

$ schroot -c buster

4. test sudo with your current password:

$ sudo true
[sudo] password for <your user name>:
Sorry, try again.
[sudo] password for <your user name>:
Sorry, try again.
[sudo] password for <your user name>:
sudo: 3 incorrect password attempts

5. repeat steps 1-4 but replace `buster` with `bullseye`.
`sudo true` command accepts the current user password.

#992430#10
Date: 2021-08-18 13:58:47 UTC

Hi,

I'm not personally familiar with the changes in the latest Debian release, but please check that all the password, shadow password files etc. are all copied into the chroot and are self-consistent with one another.  Are the host files using a hash type not supported by the chroot environment?

Regards,
Roger

On 18/08/2021, 14:54, "Sergey Vlasov" <sergey@vlasov.me> wrote:

    Package: schroot
    Version: 1.6.10-12
    Severity: important
    X-Debbugs-Cc: sergey@vlasov.me

    Dear Maintainer,

    When doing schroot into a buster chroot environment, sudo
    commands fail due to password not matching the current user password.
    There is no such problem for bullseye chroot environment.

#992430#15
Date: 2021-08-18 14:56:20 UTC

Hi Roger,

I compared `/etc/shadow` and `/etc/passwd` across my host and from inside
the testable chroot environments; there is no difference. I also checked
`/etc/pam.d/common-password`, and it looks like bullseye uses `yescrypt` for
hashing while buster uses `sha512`.

It also says in `/etc/pam.d/common-password`:
releases replace "yescrypt" with "sha512" for compatibility.

My buster chroot already has "sha512" set. I tried to set "yescrypt" there
but sudo still complains about the wrong password.

Regards,
Sergey

#992430#20
Date: 2022-05-28 16:16:02 UTC

Sergey Vlasov wrote...

Unless I misunderstood, also install sudo in the chroot.
(...)

The following changes made the check pass:

1. On the *host*, change "yescrypt" to "sha512" in
   /etc/pam.d/common-password
2. Change the password of that user (feel free to re-use the old one,
   but we need the right hash).
3. Reboot (possibly not needed if you do the right things).

Can you confirm? Then this is stuff for README.Debian but otherwise
little schroot can do.

Regards,

    Christoph
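
A check for the mismatch this thread converges on, as an added example that is not part of the original bug report or of schroot: it classifies each entry of a shadow-format file by hash scheme and lists accounts whose scheme differs from the one the older chroot is configured for. The function names are hypothetical, the prefix table follows crypt(5), and the sample entries are constructed.

```shell
# Added example: classify password hash schemes in a shadow-format file.
# Scheme prefixes follow crypt(5); function names are hypothetical.

# Map one shadow hash field to a scheme name.
hash_scheme() {
    case "$1" in
        '$y$'*)          echo yescrypt ;;
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$1$'*)          echo md5 ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        ''|'!'*|'*'*)    echo locked-or-empty ;;
        *)               echo unknown ;;
    esac
}

# Print "user scheme" for every entry of the shadow file given as $1.
report_schemes() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_scheme "$field")"
    done < "$1"
}

# Print users in shadow file $1 whose usable hash is not of scheme $2,
# i.e. accounts that need a password change before the chroot can verify them.
users_not_matching() {
    report_schemes "$1" | while read -r user scheme; do
        case "$scheme" in
            "$2"|locked-or-empty) ;;
            *) echo "$user" ;;
        esac
    done
}

# Constructed sample entries (not real hashes), standing in for /etc/shadow.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
alice:$y$j9T$constructedsalt$constructedhash:18800:0:99999:7:::
bob:$6$constructedsalt$constructedhash:18800:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:18800:0:99999:7:::
daemon:*:18800:0:99999:7:::
EOF

users_not_matching "$SAMPLE" sha512
```

On a real host, run `users_not_matching /etc/shadow sha512` as root; any account it lists still carries a hash created before the host was switched to "sha512", which matches step 2 of the fix above.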