User password is reset when added new user (FreeNAS 11.1-U5)

[dmueller]

We discovered the following problem in our FreeNAS installation (version 11.1-U5):

1. Added and removed some users and datasets
2. Added a new user (and dataset) userA with a default password, e.g. passwordA
3. UserA created a key file to use as alternative login method
4. UserA can login using password and/or key file
5. The userA changes his password using SSH and passwd command, e.g. to passwordAnew
6. UserA can login using his new password and/or key file
7. Added another user (and dataset)
8. The userA has his default password (here passwordA) instead of his new password (passwordAnew) again (only old password and/or key file works)

This is a huge security risk for us, and we couldn't find out where this issue comes from?

• Did the userA get the same id like a deleted user had before (and therefore something goes wrong in the background)
• Has this something to do with the key generation (which should not influence the password login)

Did someone else see an issue like this? Thank you!

 

[dlavigne]

The userA changes his password using SSH and passwd command, e.g. to passwordAnew

That is the issue as the saved password isn't updated in the configuration database. You need to change the password using the UI in order for it to "stick".