Bug 402721 - pam_krb5 password changing problem
pam_krb5 password changing problem
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
5.1
All Linux
high Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
: 460406 (view as bug list)
Depends On:
Blocks: 391501
  Show dependency treegraph
 
Reported: 2007-11-28 08:42 EST by Jose Plans
Modified: 2010-10-22 16:48 EDT (History)
4 users (show)

See Also:
Fixed In Version: 2.2.14-5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:19:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
current proposed patch (1.71 KB, patch)
2007-12-05 14:08 EST, Nalin Dahyabhai
no flags Details | Diff

  None (edit)
Description Jose Plans 2007-11-28 08:42:16 EST
Description of problem:

During a user's login, if  the user's password has expired, pam_krb5's
pam_sm_authenticate tries to change the user's password, instead of  getting
ticket for changepw/kadmin, and returning PAM_SUCCESS. The password expiration
condition should be caught by pam_sm_acct_mgmt of pam_krb5 so that applications
can call pam_chauthtok.

This makes password changing impossible.

When the ill-behaving open sshd is used, it saves the current password a user
types in, and will always feeds the saved passwords for any prompts from
pam_authenticate. This means, when pam_krb5's pam_sm_authenticate asks for the
new password,  it will get the user's current password saved and fed by the open
sshd. Users don't see password changing prompts. If the Kerbereros principal,
doesn 't have a password policy, the password changing will successful, but the
new password is always the same as the old one.  If the user account has a
password policy, the password changing will fail.

When the well behaving telnetd or Tectia sshd is used, all password checking pam
modules are by-passed. In addition, if krb5.conf has a salve KDC, pam_acct_mgmt
of pam_krb5 will return PAM_NEW_AUTHTOK_REQD because the new password has not
been synced to the salve KDC yet. The user will see the second password changing
prompt. The second password changing will faill if a password policy is enforced.

Version-Release number of selected component (if applicable):
pam_krb5 2.2.14-3

How reproducible:
Always.

Steps to Reproduce:
1. Setup pam_krb5 against a KDC
2. Expire the password from one of the users
3. Try to login via ssh
--
$ ssh paul@hostname.network
paul@hostname.network's password:
Warning: password has expired.  <------ expired password warning
Last login: Mon Nov 12 13:48:54 2007 from ahost.somewhere

paul@hostname $
--
Notice that we are not prompted to change any password.
Logs are as follows:

--
Nov 15 18:24:05 vm6 sshd[6784]: pam_krb5[6784]: auth.c:259: retval = 7
Nov 15 18:24:05 vm6 sshd[6784]: pam_krb5[6784]: saving newly-entered password
for use by other modules
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: trying newly-entered password
for 'paul', allowing libkrb5 to prompt for more
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: authenticating 'paul@NAUSEA.COM'
to 'krbtgt/NAUSEA.COM@NAUSEA.COM'
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: v5.c:506: attempting with
password="redhat"
Nov 15 17:10:47 vm6 pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found
Nov 15 17:10:47 vm6 last message repeated 3 times

*** NOTE the 2 lines below - libkrb5 asks and pam_krb5 just uses the expired
password as the new password!

Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: prompter.c:316: libkrb5 asked
for "Enter new password", default was "redhat", returning "redhat"
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: prompter.c:316: libkrb5 asked
for "Enter it again", default was "", returning "redhat"
****

Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: v5.c:523:
krb5_get_init_creds_password(krbtgt/NAUSEA.COM@NAUSEA.COM) returned 0 (Success)
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: got result 0 (Success)
Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: authentication succeeds for
'paul' (paul@NAUSEA.COM)
--

Actual results:
No prompt.

Expected results:
Prompt.

Additional info:

This seems to come from the fact we pass a prompter to
krb5_get_init_creds_password() making the function change the password in the KDC.

One of the workarounds is to switch to keyboard interaction authentication for
sshd: 

PasswordAuthentication no
ChallengeResponseAuthentication yes

Let me know if you need more details Nalin,
     Jose
Comment 1 Nalin Dahyabhai 2007-12-05 14:08:35 EST
Created attachment 278691 [details]
current proposed patch

The version of libkrb5 in 5.1 lets us disable this behavior directly, which I
think will solve this.
Comment 8 Mark-Jan de Jong 2008-05-20 16:57:53 EDT
This problem still seems to exist in RHEL5.1 . I'm seeing the exact same
symptoms as Jose and the same workaround fixes the problem. Nalin, does one need
to edit /etc/pam.d/system-auth to benefit from your patch?

Thanks,
-M
Comment 9 RHEL Product and Program Management 2008-06-02 16:27:41 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Nalin Dahyabhai 2008-09-04 16:08:54 EDT
(In reply to comment #8)
> This problem still seems to exist in RHEL5.1 . I'm seeing the exact same
> symptoms as Jose and the same workaround fixes the problem. Nalin, does one need
> to edit /etc/pam.d/system-auth to benefit from your patch?

This bug was reported against 5.1, so it needed to be fixed at some point after that.  It should be fixed with the next update to this package.
Comment 14 errata-xmlrpc 2009-01-20 16:19:32 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0135.html
Comment 16 Nalin Dahyabhai 2009-05-05 09:05:16 EDT
*** Bug 460406 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.