Description of problem: During a user's login, if the user's password has expired, pam_krb5's pam_sm_authenticate tries to change the user's password, instead of getting ticket for changepw/kadmin, and returning PAM_SUCCESS. The password expiration condition should be caught by pam_sm_acct_mgmt of pam_krb5 so that applications can call pam_chauthtok. This makes password changing impossible. When the ill-behaving open sshd is used, it saves the current password a user types in, and will always feeds the saved passwords for any prompts from pam_authenticate. This means, when pam_krb5's pam_sm_authenticate asks for the new password, it will get the user's current password saved and fed by the open sshd. Users don't see password changing prompts. If the Kerbereros principal, doesn 't have a password policy, the password changing will successful, but the new password is always the same as the old one. If the user account has a password policy, the password changing will fail. When the well behaving telnetd or Tectia sshd is used, all password checking pam modules are by-passed. In addition, if krb5.conf has a salve KDC, pam_acct_mgmt of pam_krb5 will return PAM_NEW_AUTHTOK_REQD because the new password has not been synced to the salve KDC yet. The user will see the second password changing prompt. The second password changing will faill if a password policy is enforced. Version-Release number of selected component (if applicable): pam_krb5 2.2.14-3 How reproducible: Always. Steps to Reproduce: 1. Setup pam_krb5 against a KDC 2. Expire the password from one of the users 3. Try to login via ssh -- $ ssh paul paul's password: Warning: password has expired. <------ expired password warning Last login: Mon Nov 12 13:48:54 2007 from ahost.somewhere paul@hostname $ -- Notice that we are not prompted to change any password. Logs are as follows: -- Nov 15 18:24:05 vm6 sshd[6784]: pam_krb5[6784]: auth.c:259: retval = 7 Nov 15 18:24:05 vm6 sshd[6784]: pam_krb5[6784]: saving newly-entered password for use by other modules Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: trying newly-entered password for 'paul', allowing libkrb5 to prompt for more Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: authenticating 'paul' to 'krbtgt/NAUSEA.COM' Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: v5.c:506: attempting with password="redhat" Nov 15 17:10:47 vm6 pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0 Not Found Nov 15 17:10:47 vm6 last message repeated 3 times *** NOTE the 2 lines below - libkrb5 asks and pam_krb5 just uses the expired password as the new password! Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: prompter.c:316: libkrb5 asked for "Enter new password", default was "redhat", returning "redhat" Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: prompter.c:316: libkrb5 asked for "Enter it again", default was "", returning "redhat" **** Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: v5.c:523: krb5_get_init_creds_password(krbtgt/NAUSEA.COM) returned 0 (Success) Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: got result 0 (Success) Nov 15 17:10:47 vm6 sshd[6784]: pam_krb5[6784]: authentication succeeds for 'paul' (paul) -- Actual results: No prompt. Expected results: Prompt. Additional info: This seems to come from the fact we pass a prompter to krb5_get_init_creds_password() making the function change the password in the KDC. One of the workarounds is to switch to keyboard interaction authentication for sshd: PasswordAuthentication no ChallengeResponseAuthentication yes Let me know if you need more details Nalin, Jose
Created attachment 278691 [details] current proposed patch The version of libkrb5 in 5.1 lets us disable this behavior directly, which I think will solve this.
This problem still seems to exist in RHEL5.1 . I'm seeing the exact same symptoms as Jose and the same workaround fixes the problem. Nalin, does one need to edit /etc/pam.d/system-auth to benefit from your patch? Thanks, -M
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
(In reply to comment #8) > This problem still seems to exist in RHEL5.1 . I'm seeing the exact same > symptoms as Jose and the same workaround fixes the problem. Nalin, does one need > to edit /etc/pam.d/system-auth to benefit from your patch? This bug was reported against 5.1, so it needed to be fixed at some point after that. It should be fixed with the next update to this package.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0135.html
*** Bug 460406 has been marked as a duplicate of this bug. ***