Bug 1032140

Summary: vlock doesn't perform PAM account management or credential reinitialization
Product: Red Hat Enterprise Linux 7 Reporter: Nalin Dahyabhai <nalin>
Component: kbdAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED CURRENTRELEASE QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: iamdexpl, jscotka, nalin, pkis, rhack, todoleza, vcrhonek, wally
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=164950
Whiteboard:
Fixed In Version: kbd-1.15.5-8.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 913311 Environment:
Last Closed: 2014-06-13 10:55:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 913311    
Bug Blocks: 1029374    

Description Nalin Dahyabhai 2013-11-19 15:40:45 UTC 
+++ This bug was initially created as a clone of Bug #913311 +++

Description of problem:
The 'vlock' command no longer performs PAM account management (authorization checking) or credential reinitialization.

Version-Release number of selected component (if applicable):
kbd-1.15.5-3.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. run 'vlock' or 'vlock -a'
  
Actual results:
After checking the user's password, 

Expected results:
After calling pam_authenticate(), vlock should be calling pam_acct_mgmt(), and if that fails, rejecting the unlock attempt.  If it succeeds, it should be calling pam_setcred() with the PAM_REINITIALIZE_CRED flag.

--- Additional comment from Fedora End Of Life on 2013-04-03 13:57:02 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

--- Additional comment from Vadim Raskhozhev on 2013-04-12 14:25:21 EDT ---

A possible workaround is to create a file /etc/pam.d/vlock with something like

#%PAM-1.0
auth       include      system-auth
account    required     pam_permit.so

(this is taken from vlock-1.3-33.fc18).

--- Additional comment from Nalin Dahyabhai on 2013-04-12 14:32:40 EDT ---

That'd take care of part of it (as in bug #913309), but without code changes it's not going to detect things like passwords having expired or (depending on how it's done) accounts being locked.

--- Additional comment from Walter Francis on 2013-07-02 10:01:29 EDT ---

vlock on F19 for me just goes nuts saying invalid password when ran until the workaround in comment 2 and now it works as expected for me, at least it the case of "Normal user, valid password, ran vlock, unlocked."  Don't know about the other use cases.

--- Additional comment from Vitezslav Crhonek on 2013-11-13 09:14:28 EST ---



--- Additional comment from Vitezslav Crhonek on 2013-11-13 09:18:00 EST ---

Nalin, I'm not familiar with PAM API, would the patch above suffice?

--- Additional comment from Nalin Dahyabhai on 2013-11-13 11:26:42 EST ---

The formatting for the error reporting looks a bit weird, but yes, it roughly matches what the old vlock did, and should work for our purposes.

One thing that the PAM docs (pam_acct_mgmt(3)) recommend is calling pam_chauthtok() if pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD and the application has the ability to walk the user through changing their password, but that's less urgent -- the old vlock didn't do that, either.
Comment 3 Ludek Smid 2014-06-13 10:55:21 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.