Red Hat Bugzilla – Bug 1032140
vlock doesn't perform PAM account management or credential reinitialization
Last modified: 2014-06-18 03:33:29 EDT
+++ This bug was initially created as a clone of Bug #913311 +++
Description of problem:
The 'vlock' command no longer performs PAM account management (authorization checking) or credential reinitialization.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run 'vlock' or 'vlock -a'
After checking the user's password (that is, after calling pam_authenticate()), vlock should be calling pam_acct_mgmt(), and if that fails, rejecting the unlock attempt. If it succeeds, it should be calling pam_setcred() with the PAM_REINITIALIZE_CRED flag.
--- Additional comment from Fedora End Of Life on 2013-04-03 13:57:02 EDT ---
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
--- Additional comment from Vadim Raskhozhev on 2013-04-12 14:25:21 EDT ---
A possible workaround is to create a file /etc/pam.d/vlock with something like
auth include system-auth
account required pam_permit.so
(this is taken from vlock-1.3-33.fc18).
--- Additional comment from Nalin Dahyabhai on 2013-04-12 14:32:40 EDT ---
That'd take care of part of it (as in bug #913309), but without code changes it's not going to detect things like passwords having expired or (depending on how it's done) accounts being locked.
--- Additional comment from Walter Francis on 2013-07-02 10:01:29 EDT ---
vlock on F19 for me just goes nuts saying invalid password when run, until the workaround in comment 2, and now it works as expected for me, at least in the case of "Normal user, valid password, ran vlock, unlocked." Don't know about the other use cases.
--- Additional comment from Vitezslav Crhonek on 2013-11-13 09:14:28 EST ---
--- Additional comment from Vitezslav Crhonek on 2013-11-13 09:18:00 EST ---
Nalin, I'm not familiar with PAM API, would the patch above suffice?
--- Additional comment from Nalin Dahyabhai on 2013-11-13 11:26:42 EST ---
The formatting for the error reporting looks a bit weird, but yes, it roughly matches what the old vlock did, and should work for our purposes.
One thing that the PAM docs (pam_acct_mgmt(3)) recommend is calling pam_chauthtok() if pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD and the application has the ability to walk the user through changing their password, but that's less urgent -- the old vlock didn't do that, either.
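The PAM call order the description asks for (pam_authenticate, then pam_acct_mgmt, then pam_setcred with PAM_REINITIALIZE_CRED), plus the pam_chauthtok() step recommended in the comment above, as an added example written for this page rather than vlock's own code or the patch under discussion. The unlock decision is driven through a small table of function pointers so the sequence can be exercised offline against a constructed fake PAM stack; the return-code and flag values are copied from Linux-PAM's headers, and a real vlock would include <security/pam_appl.h> and pass the libpam entry points directly. The scenarios in main() are constructed, not taken from the report.

```c
#include <stdio.h>
#include <string.h>

/* Return codes and flags, values as in Linux-PAM's security/_pam_types.h.
   Defined here so the example builds without libpam-devel; a real vlock
   would #include <security/pam_appl.h> instead. */
#define PAM_SUCCESS                 0
#define PAM_AUTH_ERR                7
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_ACCT_EXPIRED           13
#define PAM_CRED_ERR               17
#define PAM_AUTHTOK_ERR            20
#define PAM_REINITIALIZE_CRED       0x0008
#define PAM_CHANGE_EXPIRED_AUTHTOK  0x0020

/* The four libpam entry points the unlock path needs, abstracted so the
   sequence can be tested against the fake stack below. Signatures mirror
   pam_authenticate / pam_acct_mgmt / pam_setcred / pam_chauthtok. */
struct pam_ops {
    int (*authenticate)(void *pamh, int flags);
    int (*acct_mgmt)(void *pamh, int flags);
    int (*setcred)(void *pamh, int flags);
    int (*chauthtok)(void *pamh, int flags);
};

/* Returns 1 if the screen may be unlocked, 0 if the attempt must be rejected.
   `why` receives the name of the step that refused (or "ok"). */
int vlock_try_unlock(void *pamh, const struct pam_ops *ops,
                     int can_change_password, const char **why)
{
    int rc = ops->authenticate(pamh, 0);
    if (rc != PAM_SUCCESS) { *why = "pam_authenticate"; return 0; }

    /* The missing step from the report: account management. This is what
       catches expired passwords, locked accounts and access restrictions
       that a bare password check never sees. */
    rc = ops->acct_mgmt(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) {
        /* pam_acct_mgmt(3) recommends offering a password change here;
           an application that cannot do so must treat this as a failure. */
        if (!can_change_password) { *why = "pam_acct_mgmt: new authtok required"; return 0; }
        rc = ops->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
        if (rc != PAM_SUCCESS) { *why = "pam_chauthtok"; return 0; }
    } else if (rc != PAM_SUCCESS) {
        *why = "pam_acct_mgmt"; return 0;
    }

    /* Second missing step: refresh credentials (e.g. tickets) for a session
       that has been running since before the lock. */
    rc = ops->setcred(pamh, PAM_REINITIALIZE_CRED);
    if (rc != PAM_SUCCESS) { *why = "pam_setcred"; return 0; }

    *why = "ok";
    return 1;
}

/* --- constructed fake PAM stack: each call returns a preset code --- */
struct fake_pam {
    int auth_rc, acct_rc, setcred_rc, chauthtok_rc;
    int setcred_flags_seen;   /* records the flags passed to setcred */
};
static int fake_auth(void *h, int f)      { (void)f; return ((struct fake_pam *)h)->auth_rc; }
static int fake_acct(void *h, int f)      { (void)f; return ((struct fake_pam *)h)->acct_rc; }
static int fake_setcred(void *h, int f)   { struct fake_pam *p = h; p->setcred_flags_seen = f; return p->setcred_rc; }
static int fake_chauthtok(void *h, int f) { (void)f; return ((struct fake_pam *)h)->chauthtok_rc; }
static const struct pam_ops fake_ops = { fake_auth, fake_acct, fake_setcred, fake_chauthtok };

/* Run one scenario against the fake stack; returns the unlock decision. */
int run_scenario(int auth_rc, int acct_rc, int setcred_rc, int chauthtok_rc,
                 int can_change, const char **why)
{
    struct fake_pam p = { auth_rc, acct_rc, setcred_rc, chauthtok_rc, -1 };
    return vlock_try_unlock(&p, &fake_ops, can_change, why);
}

int main(void)
{
    const char *why;
    printf("valid password, account ok:        %d (%s)\n",
           run_scenario(PAM_SUCCESS, PAM_SUCCESS, PAM_SUCCESS, PAM_SUCCESS, 0, &why), why);
    printf("valid password, account expired:   %d (%s)\n",
           run_scenario(PAM_SUCCESS, PAM_ACCT_EXPIRED, PAM_SUCCESS, PAM_SUCCESS, 0, &why), why);
    printf("password expired, cannot change:   %d (%s)\n",
           run_scenario(PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS, PAM_SUCCESS, 0, &why), why);
    printf("password expired, change succeeds: %d (%s)\n",
           run_scenario(PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD, PAM_SUCCESS, PAM_SUCCESS, 1, &why), why);
    printf("credential refresh fails:          %d (%s)\n",
           run_scenario(PAM_SUCCESS, PAM_SUCCESS, PAM_CRED_ERR, PAM_SUCCESS, 0, &why), why);
    return 0;
}
```

The fake stack only makes the control flow observable; the point is the second and third checks, which a vlock that stops after pam_authenticate() never performs, so an expired or administratively locked account still unlocks the console.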
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.