Bug 178916

Summary: Line feeds when password needs changing with rlogin
Product: Red Hat Enterprise Linux 3 Reporter: Bastien Nocera <bnocera>
Component: rshAssignee: Karel Zak <kzak>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: tao
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2006-0231 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-03-29 20:56:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 178252, 187539    

Description Bastien Nocera 2006-01-25 13:42:42 UTC
1. Create a new user, and set the new user's password
2. Run chage to force the user's password to be updated (Maximum Password Age to
"1", and Last Password Change to 2 days before today)
3. Install rsh-server

4. chkconfig add rlogin
5. Try to rlogin to this machine as that user

$ rlogin -l testuser amd64
connect to address 172.16.10.230: Connection refused
Trying krb4 rlogin...
connect to address 172.16.10.230: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Password:
You are required to change your password immediately (password aged)
                                                                   Changing
password for testuser
                (current) UNIX password:

If the password isn't entered properly on the first prompt, then login seems to
take over, and the line feeds look fine.

$ rlogin -l testuser amd64
connect to address 172.16.10.230: Connection refused
Trying krb4 rlogin...
connect to address 172.16.10.230: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Password:
Password:
Login incorrect

login: testuser
Password:
You are required to change your password immediately (password aged)
Changing password for testuser
(current) UNIX password: rlogin: connection closed.

Logging in using ssh works fine as well:
$ ssh testuser@amd64
testuser@amd64's password:
You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testuser.
Changing password for testuser
(current) UNIX password:

The problem happens on any combination of RHEL3 and RHEL4 servers and clients
(RHEL3 server/RHEL4 client, RHEL4 server/RHEL4 client, etc.)

Comment 1 Karel Zak 2006-01-25 21:08:49 UTC
You're probably right. There's private PAM_conversation() implementation in the
rlogind and it's without "\n".



Comment 6 Red Hat Bugzilla 2006-03-29 20:56:12 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0231.html


Comment 11 Jason Willeford 2006-04-17 14:46:22 UTC
These are the comments from the customer which are in the Issue Tracker ticket.

<snip>
The results for the rlogin from AIX to Linux were a little strange. I'm
attaching a file that shows the output to the screen (still not getting line
feeds from the PAM module passwdqc). The strange behavior was that once I
changed my password, I was prompted again to change it before completing the
login. Before reacting to the prompt, I verified that the password was changed
(see top of attached rlogin.txt file). I then entered the newly changed password
at each prompt for password and the login completed.

<another comment from IT>
We initially tested the updated packages in our Lab, where they appeared to
resolve our problem. Our lab does not have an AIX system, so we moved into our
operational environment to do further testing. My "rlogin.txt" attachment from
3/10 shows what happened when we logged into a Linux system with the updated
rsh* packages from an AIX workstation. We discovered yesterday that the we see
the same result when logging into a Linux system from a Linux workstation.

The primary difference between our lab systems and the operational systems is
that the operational systems use the pam module pam_passwdqc instead of
pam_cracklib (in /etc/pam.d/system-auth).

In summary, the updated packages fix the line-feed problems with the initial
prompts to change the password. Once the pam_passwdqc module is involved, the
output seems to skew again. In addition, once the password is successfully
changed, the user is prompted to reenter the password.

If you access the system via telnet the prompts for password change and the
output of pam_passwdqc line feed normally. The user is also not prompted to
reenter the password once it has been successfully changed.


Comment 13 Karel Zak 2006-05-30 20:44:13 UTC
See bug #191390 which is open for this issue.