Bug 713967

Summary: Smart card login with Kerberos credential: passwd command does not change the kerberos password.
Product: Red Hat Enterprise Linux 5
Reporter: Asha Akkiangady <aakkiang>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Priority: urgent
Version: 5.7
CC: ckannan, dpal, jgalipea, jmagne, nalin, prc
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pam_krb5-2.2.14-21.el5
Doc Type: Bug Fix
Doc Text:
An attempt to set a new Kerberos password using the "passwd" command failed due to a bug which was triggered when the smart card authentication method was enabled and the card was plugged in. This problem has been fixed and users are now able to change the Kerberos password.
Last Closed: 2011-07-21 07:48:31 UTC

Description Asha Akkiangady 2011-06-16 22:44:44 UTC
Description of problem:
Smart card login with Kerberos credential: passwd command does not change the kerberos password.

Version-Release number of selected component (if applicable):
Rhel 5.7: authconfig-5.3.21-7.el5, pam_pkcs11-0.5.3-23

How reproducible:


Steps to Reproduce:
1. This user is not in the /etc/passwd file, authentication is
configured with userDatabase to LDAP server, kerberos support enabled and the KDC information is provided and smart card support enabled.
2. Login to desktop with an enrolled smart card.
3. Kerberos credential issued successfully.
4. Try to change the kerberos password using the "passwd" command
$ passwd
Changing password for user testkdcuser.
Cannot change the password on your smart card.
Kerberos 5 Password: 
PIN for TestUserKDC: 
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication information cannot be recovered
Actual results:
The new password is not requested. Also, when a valid kerberos password is provided, the smart card PIN should not be requested.

Expected results:
The user should be able to change kerberos password. 

Additional info:

Comment 1 Nalin Dahyabhai 2011-06-16 22:57:02 UTC
So far it appears as though in the second phase of the password change, pam_cracklib, called with the "try_first_pass" argument, is noticing that there's already a PAM_AUTHTOK value set.  It checks it, rejects it, and then clears the PAM_AUTHTOK item.

At this point, though, the stack traversal sequence has apparently already been "frozen" by libpam, so subsequent modules (pam_unix, pam_krb5, pam_ldap) are still called with the "use_authtok" argument, so for the most part they just fail.

The only module called before pam_cracklib in the stack, however, is pam_pkcs11, which doesn't appear to be setting PAM_AUTHTOK, so I must be missing part of the story here.

Comment 2 Asha Akkiangady 2011-06-16 23:19:45 UTC
[root@dhcp231-57 ~]# cat /etc/pam.d/passwd 
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   include	system-auth

[root@dhcp231-57 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    optional      pam_pkcs11.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
/var/log/secure has these messages:

Jun 16 19:15:49 dhcp231-57 passwd: pam_unix(passwd:chauthtok): user "testkdcuser" does not exist in /etc/passwd
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: configured realm 'EXAMPLE.COM'
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flags: forwardable
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: no ignore_afs
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: user_check
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: use_authtok
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: no krb4_convert
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: krb4_convert_524
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: krb4_use_as_req
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: will try previously set password first
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: will ask for a password if that fails
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: will let libkrb5 ask questions
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: no use_shmem
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: no external
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: no multiple_ccaches
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: validate
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: flag: warn
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: ticket lifetime: 600
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: renewable lifetime: 86400
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: banner: Kerberos 5
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: ccache dir: /tmp
Jun 16 19:15:49 dhcp231-57 passwd: pam_krb5[7897]: keytab: FILE:/etc/krb5.keytab
Jun 16 19:15:54 dhcp231-57 passwd: pam_krb5[7897]: authenticating 'testkdcuser' to 'kadmin/changepw'
Jun 16 19:16:03 dhcp231-57 passwd: pam_krb5[7897]: saving newly-entered password for use by other modules
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: krb5_get_init_creds_password(kadmin/changepw) returned 0 (Success)
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: Got 0 (Success) acquiring credentials for kadmin/changepw.
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: pam_chauthtok (preliminary check) returning 0 (Success)
Jun 16 19:16:04 dhcp231-57 passwd: pam_unix(passwd:chauthtok): user "testkdcuser" does not exist in /etc/passwd
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: configured realm 'EXAMPLE.COM'
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flags: forwardable
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: no ignore_afs
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: user_check
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: use_authtok
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: no krb4_convert
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: krb4_convert_524
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: krb4_use_as_req
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: will try previously set password first
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: will ask for a password if that fails
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: will let libkrb5 ask questions
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: no use_shmem
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: no external
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: no multiple_ccaches
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: validate
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: flag: warn
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: ticket lifetime: 600
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: renewable lifetime: 86400
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: banner: Kerberos 5
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: ccache dir: /tmp
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: keytab: FILE:/etc/krb5.keytab
Jun 16 19:16:04 dhcp231-57 passwd: pam_krb5[7897]: pam_chauthtok (updating authtok) returning 21 (Authentication information cannot be recovered)

Comment 3 Tomas Mraz 2011-06-17 07:58:04 UTC
I suppose the PAM_AUTHTOK is getting set by pam_krb5 when it asks for the old Kerberos5 password (and smartcard PIN?) in the first pam_sm_chauthtok() pass.

Comment 4 Tomas Mraz 2011-06-17 07:59:06 UTC
It should always set PAM_OLDAUTHTOK instead of PAM_AUTHTOK if it is called in the pam_sm_chauthtok() and asking for the old password.

Comment 5 Nalin Dahyabhai 2011-06-17 13:00:24 UTC
(In reply to comment #3)
> I suppose the PAM_AUTHTOK is getting set by pam_krb5 when it asks for the old
> Kerberos5 password (and smartcard PIN?) in the first pam_sm_chauthtok() pass.

(In reply to comment #4)
> It should always set PAM_OLDAUTHTOK instead of PAM_AUTHTOK if it is called in
> the pam_sm_chauthtok() and asking for the old password.

Okay, I see where it's making that mistake.

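As an added illustration (not code from pam_krb5 or libpam), the following Python model replays the password stack from the system-auth in comment #2 together with the item mix-up identified in comments #3 to #5: the preliminary pass saves the old password as PAM_AUTHTOK, so pam_cracklib's try_first_pass evaluates it, rejects it and clears it, and the use_authtok modules then return 21 (Authentication information cannot be recovered); storing it as PAM_OLDAUTHTOK instead brings back the new-password prompt. The return codes 20 and 21 are libpam's numeric values; the module functions, the prompt callback and the dictionary word list are constructed for the model.

```python
# Constructed model of the "password" section of the system-auth shown in
# comment #2: pam_cracklib try_first_pass, then pam_unix/pam_krb5/pam_ldap
# with use_authtok. It is an illustration, not libpam or pam_krb5 code.
PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20          # libpam: the new token was rejected
PAM_AUTHTOK_RECOVER_ERR = 21  # libpam: "Authentication information cannot be recovered"


def is_dictionary_word(pw):
    """Stand-in for pam_cracklib's strength check (constructed word list)."""
    return pw.lower() in {"password", "welcome", "kerberos"}


def krb5_prelim_check(items, old_pw, fixed):
    """Preliminary pass: pam_krb5 has verified old_pw against kadmin/changepw
    and saves it for other modules. The buggy build stored it as PAM_AUTHTOK;
    the fix (comment #4) stores it as PAM_OLDAUTHTOK."""
    items["PAM_OLDAUTHTOK" if fixed else "PAM_AUTHTOK"] = old_pw
    return PAM_SUCCESS


def cracklib_update(items, prompt_new):
    """pam_cracklib try_first_pass: reuse an existing PAM_AUTHTOK, else prompt."""
    if "PAM_AUTHTOK" in items:
        if is_dictionary_word(items["PAM_AUTHTOK"]):
            del items["PAM_AUTHTOK"]  # rejected token is cleared (comment #1)
            return PAM_AUTHTOK_ERR
        return PAM_SUCCESS
    new_pw = prompt_new()
    if is_dictionary_word(new_pw):
        return PAM_AUTHTOK_ERR
    items["PAM_AUTHTOK"] = new_pw
    return PAM_SUCCESS


def krb5_update_authtok(items):
    """pam_krb5 use_authtok: never prompts; returns 21 when PAM_AUTHTOK is gone."""
    if "PAM_AUTHTOK" not in items:
        return PAM_AUTHTOK_RECOVER_ERR
    return PAM_SUCCESS


def run_passwd(old_pw, new_pw, fixed):
    """Return (rc of the use_authtok pass, whether a new password was requested)."""
    items, prompted = {}, []

    def prompt_new():
        prompted.append(new_pw)  # records that the user was asked
        return new_pw

    krb5_prelim_check(items, old_pw, fixed)
    cracklib_update(items, prompt_new)  # stack continues as comment #1 describes
    return krb5_update_authtok(items), bool(prompted)
```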
Comment 9 Asha Akkiangady 2011-06-21 19:48:07 UTC
Tested with pam_krb5-2.2.14-21.el5, the "passwd" command changes the kerberos password successfully. Filed a separate bug https://bugzilla.redhat.com/show_bug.cgi?id=715073 for the smart card pin prompt when a correct password is entered.

$ passwd
Changing password for user testkdcuser.
Kerberos 5 Password: 
PIN for TestUserKDC: 
New kerberos password: 
Retype new kerberos password: 
passwd: all authentication tokens updated successfully.


Marking the bug verified.

Comment 10 Eliska Slobodova 2011-07-07 16:04:37 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
An attempt to set a new Kerberos password using the "passwd" command failed due to a bug which was triggered when the smart card authentication method was enabled and the card was plugged in. This problem has been fixed and users are now able to change the Kerberos password.

Comment 11 errata-xmlrpc 2011-07-21 07:48:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1016.html