Description of problem:
When expiring passwords, pam_chauthtok() doesn't seem to be initialised with an already flushed pair of authentication tokens when using pam_stack.so. In fact, when debugging the pam_stack debug output we could see PAM_AUTHTOK was not NULL, forcing pam modules not to prompt for a password change, which allowed an authentication. After speaking with Tomas this is considered a bug since pam_stack.so doesn't drop PAM_AUTHTOK from a child when its parent didn't have it set up. The original code doesn't seem to take this into account and after making the changes it solved the issue. Using pam_stack.so instead of an explicit pam configuration such as system-auth.

Version-Release number of selected component (if applicable):
pam-0.77-66.23

How reproducible:
Always

Steps to Reproduce:
1. Install pam_unix2
2. Setup a stack with pam_stack as follows:

% cat /etc/pam.d/pamtest
--
#%PAM-1.0
auth       required   /lib/security/$ISA/pam_stack.so service=system-auth debug
auth       required   /lib/security/$ISA/pam_nologin.so
account    required   /lib/security/$ISA/pam_stack.so service=system-auth debug
password   required   /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required   /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required   /lib/security/$ISA/pam_loginuid.so
--

% cat /etc/pam.d/system-auth
--
auth       required   /lib/security/$ISA/pam_env.so
auth       required   /lib/security/$ISA/pam_shells.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient /lib/security/$ISA/pam_unix2.so set_secrpc
auth       required   /lib/security/$ISA/pam_deny.so
account    required   /lib/security/$ISA/pam_access.so
account    required   /lib/security/$ISA/pam_unix2.so
password   sufficient /lib/security/$ISA/pam_unix2.so
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_limits.so
session    optional   /lib/security/$ISA/pam_mkhomedir.so
session    required   /lib/security/$ISA/pam_unix2.so
--

3. Expire the user password.
4. Use a pam client (I have attached the one we used to replicate this issue).
5. Try to authenticate the user.

Actual results:
PAM authentication Password:
PAM authentication Your password has expired. Choose a new password.
PAM authentication Old Password:
PAM authentication <---------- falls through never prompting for new password.
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication Password changed.

Expected results:
PAM authentication Password:
PAM authentication Your password has expired. Choose a new password.
PAM authentication Old Password:
PAM authentication New password: <------- New password prompt shows
PAM authentication Re-enter new password:
PAM authentication
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication Password changed.

Additional info:
Attachments:
- proposed patch
- logs from pam_stack showing this behavior
- pamtest.c

Let me know if there is anything else we need to provide.

Jose
Created attachment 208011 [details] proposed patch
Created attachment 208021 [details] pam_stack.log
Created attachment 208031 [details] pamtest.c
Created attachment 208071 [details] Correct patch

This is a correct patch. I'm not sure we should fix this pam_stack behavior though. The reasons:
1. pam_stack is deprecated in RHEL-5
2. Although the current behavior is, strictly speaking, a bug, some other customers' configurations might depend on this exact behavior and they will break if we fix this.
So instead I simply recommend the customer to work around this bug by simply not using pam_stack. Or just move the pam_unix2 out of the system-auth.
Created attachment 269941 [details] Patch implementing this as optional behavior.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0707.html