Bug 437179
Summary: | pam_krb5.so doesn't seem to set the password correctly for other PAM modules | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | John Caruso <jcaruso> |
Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 4.6 | CC: | k.georgiou, mkoci, sputhenp, tao |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 2.1.17-7.el4 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-05-18 20:20:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 391511 |
Description
John Caruso
2008-03-12 19:01:44 UTC
Test case can be simplified as below. There is no need to have users defined in kerberos to reproduce this issue. So this can be reproduced using the belows simple steps. - Configure /etc/pam.d/system-auth as below #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_krb5.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet #account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_krb5.so use_authtok password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_krb5.so - Add a new user and set him a password. (useradd test; passwd test). - ssh to the machine as test. On the first prompt enter a wrong "password". On the second and third prompt enter the "right" password. The second and third prompt wouldn't authenticate the user even after entering the right password. - If I specify pam_ldap.so or any other pam modules before pam_unix.so this does not happen. So this is a bug with pam_krb5.so. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0987.html |