| Field | Value |
|---|---|
| Summary | Smart card login with Kerberos credential: passwd command to change the kerberos password request smart card pin. |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Asha Akkiangady <aakkiang> |
| Component | pam_krb5 |
| Assignee | Nalin Dahyabhai <nalin> |
| Status | CLOSED ERRATA |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Priority | medium |
| Version | 5.7 |
| CC | ckannan, dpal, jgalipea, jmagne, ohudlick, prc |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | pam_krb5-2.2.14-22.el5 |
| Doc Type | Bug Fix |
| Last Closed | 2012-02-21 06:17:33 UTC |
Description
Asha Akkiangady
2011-06-21 19:34:17 UTC
If you enter the correct password, that shouldn't be happening. Please attach the debug log.

/var/log/secure messages when a correct kerberos password and an incorrect smart card pin is entered:

```text
Jun 21 16:03:44 dhcp231-57 passwd: pam_krb5[5513]: authenticating 'testkdcuser' to 'kadmin/changepw'
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: krb5_get_init_creds_password(kadmin/changepw) returned 0 (Success)
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: Got 0 (Success) acquiring credentials for kadmin/changepw.
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: pam_chauthtok (preliminary check) returning 0 (Success)
Jun 21 16:05:47 dhcp231-57 passwd: pam_unix(passwd:chauthtok): user "testkdcuser" does not exist in /etc/passwd
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: configured realm 'EXAMPLE.COM'
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flags: forwardable
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no ignore_afs
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: user_check
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: use_authtok
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no krb4_convert
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: krb4_convert_524
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: krb4_use_as_req
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will try previously set password first
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will ask for a password if that fails
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will let libkrb5 ask questions
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no use_shmem
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no external
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no multiple_ccaches
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: validate
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: warn
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: ticket lifetime: 1860
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: renewable lifetime: 0
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: banner: Kerberos 5
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: ccache dir: /tmp
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: keytab: FILE:/etc/krb5.keytab
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: password changed for testkdcuser
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: obtaining credentials using new password for 'testkdcuser'
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: authenticating 'testkdcuser' to 'krbtgt/EXAMPLE.COM'
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM) returned 0 (Success)
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: validating credentials
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: error reading keytab 'FILE:/etc/krb5.keytab'
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: TGT verified
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: pam_chauthtok (updating authtok) returning 0 (Success)
```

Created attachment 506088 [details]
proposed patch, not well-tested
Zbysek, yes, this will be tested in RHEL-5.8.

Tested changing password for a kerberos user logged in with a smart card. Pam configuration:

```text
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so
password    optional      pam_pkcs11.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so
```

Kerberos password changed successfully when old and new kerberos passwords entered successfully. No mention of smart card pin.

```text
$ passwd
Changing password for user kdcuser.
Cannot change the password on your smart card.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
```

When an incorrect kerberos password is entered, the authentication falls into LDAP auth; when old and new ldap passwords entered, ldap password changed successfully.

```text
sh-3.2$ passwd
Changing password for user kdcuser.
Cannot change the password on your smart card.
Kerberos 5 Password:
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for kdcuser
passwd: all authentication tokens updated successfully.
```

Marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0246.html
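The order and control flags of the password stack decide which module gets to prompt for which token during `passwd`, so a small linter over a pam.d file is a practical way to confirm that other hosts carry the same stack the reporter verified against. The Python below is an added example, not code from this bug report or from the pam_krb5 project. Its sample file is a constructed excerpt of the system-auth shown in the verification comment, and the three checks it performs (pam_pkcs11 marked `optional` in the password stack so its "Cannot change the password on your smart card" result does not abort the stack, pam_krb5 carrying `use_authtok`, and pam_pkcs11 ordered before pam_krb5) describe that verified configuration; they do not detect the pam_krb5 defect itself, which was fixed in the package.

```python
import re
from typing import Dict, List, NamedTuple


class PamRule(NamedTuple):
    kind: str        # auth / account / password / session
    control: str     # keyword (required, optional, ...) or bracketed [key=value ...] form
    module: str      # e.g. pam_krb5.so
    args: List[str]  # module arguments, e.g. ["use_authtok"]


# Constructed excerpt of the RHEL 5 system-auth file from the bug's verification
# comment; the password stack is the one the reporter tested with.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        required      pam_deny.so
password    optional      pam_pkcs11.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
"""

# The control field is either a single keyword or a bracketed list that may contain
# spaces; the module is the next token and everything after it is module arguments.
# "@include" lines and the "-auth" (silent-failure) prefix are not handled here.
_RULE_RE = re.compile(
    r"^(?P<kind>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text: str) -> List[PamRule]:
    """Parse a pam.d-style file into rules, skipping comments and blank lines."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        args = m.group("args").split() if m.group("args") else []
        rules.append(PamRule(m.group("kind"), m.group("control"), m.group("module"), args))
    return rules


def stack(rules: List[PamRule], kind: str) -> List[PamRule]:
    """Return the rules of one management group (auth, account, password, session)."""
    return [r for r in rules if r.kind == kind]


def check_password_stack(rules: List[PamRule]) -> Dict[str, bool]:
    """Checks modelled on the verified configuration (assumed policy, see lead-in)."""
    pw = stack(rules, "password")
    pkcs11 = [r for r in pw if r.module == "pam_pkcs11.so"]
    krb5 = [r for r in pw if r.module == "pam_krb5.so"]
    return {
        # "optional" means a failing pam_pkcs11 result is ignored by the stack.
        "pkcs11_optional": all(r.control == "optional" for r in pkcs11),
        # pam_krb5 reuses the already-collected new token instead of prompting again.
        "krb5_use_authtok": bool(krb5) and all("use_authtok" in r.args for r in krb5),
        # pam_pkcs11 appears before pam_krb5, as in the verified file.
        "pkcs11_before_krb5": bool(pkcs11) and bool(krb5)
        and pw.index(pkcs11[0]) < pw.index(krb5[0]),
    }


if __name__ == "__main__":
    parsed = parse_pam(SAMPLE_SYSTEM_AUTH)
    for rule in stack(parsed, "password"):
        print(f"{rule.control:12} {rule.module:18} {' '.join(rule.args)}")
    for name, ok in check_password_stack(parsed).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

To run it against a real host, replace `SAMPLE_SYSTEM_AUTH` with the contents of `/etc/pam.d/system-auth`; a `False` in the result dictionary points at the rule whose control or argument differs from the stack above.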