PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the PAM account is not properly verified. Any user with a valid password but with a deactivated or disabled account is able to log in.
Acknowledgments: Name: Christian Heimes (Red Hat)
*** Bug 1502898 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2017:2906 https://access.redhat.com/errata/RHSA-2017:2906
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 6 Via RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2904
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 7 Via RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2905
Would it be possible to share the patch for this security issue or has someone forwarded it upstream already?
It's been resolved in upstream, keycloak 3.3.0.Final. [https://issues.jboss.org/browse/KEYCLOAK-5551]
Created libpam4j tracking bugs for this issue: Affects: fedora-all [bug 1511366]
Closing, this has been resolved in RHSSO and Fedora trackers filed.
Created jenkins-pam-auth-plugin tracking bugs for this issue: Affects: fedora-all [bug 1639395]