First Last Prev Next    This bug is not in your last search results.
Bug 435168 - User cannot authenticate if the password has been expired and option validate is used.
User cannot authenticate if the password has been expired and option validate...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
3.9
All Linux
urgent Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-27 13:38 EST by Jose Plans
Modified: 2010-10-22 18:50 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-04 18:52:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
pam_krb5-novalidate_on_cpw.patch <pbatkowski@redhat.com> (2.81 KB, patch)
2008-02-27 13:41 EST, Jose Plans 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jose Plans 2008-02-27 13:38:16 EST 
Description of problem:

(Description from customer)
The option "validate" is used for pam_krb5's auth module. When a user logs in
with an expired passwd, pam_krb5 will request a ticket for kadmin/changepw
instead of krbtgt. The ticket from kadmin/changepw can't be used to request a
service ticket for a local host to verify the local host identity. As a result,
the user authentication failed.  Turning off "validate" works, but will decrease
the security.

The proper behavior should be:
When pam_sm_authenticate request ticket for kadmin/changepw, it should not
validate the local host identity. Then it should return PAM_NEW_AUTHTOK_REQD.
When pam_sm_chauthtok is called, it should change the pwd, and use the new pwd
to validate the local host.

Version-Release number of selected component (if applicable):
pam_krb5-1.79-1

How reproducible:
Always

Steps to Reproduce:

1) Build a RHEL 3 U9 box and make sure you are using the latest pam_krb5-1.79-1
package (behavior also occurs with older versions as well).

2) Add host key to kdc and add the generated key to the client's keytab file.

addprinc -randkey host/hostname
ktadd -k /etc/krb5.keytab host/hostname

3) Setup system-auth to do auth and password sections using pam_krb5. Add the
'validate' option to the auth section of the pam_krb5 module in system-auth.

4) Expire the user's password on the kdc. (modprinc -pwexpire "01/01" user03)

5) Try to log into the client, you will hit the condition in pam_krb5afs.c:2059:

krc = krb5_verify_init_creds(context,
                            &stash->v5_creds,
                            NULL,
                            NULL,
                            NULL,
                            NULL);
if (krc == KRB5_SUCCESS) {
   INFO("TGT for %s successfully verified", user);
} else {
   CRIT("TGT verification failed for `%s'");
}

krb5_verify_init_creds will fail with the password changing credentials and the
user will never be prompted for a password change.

Actual results:
Authentication failure

Expected results:
Authentication succeed after tgt validation.

Additional info:
Patch attached and fixing the issue, written by Paul Batkowski
<pbatkowski@redhat.com>
Comment 1 Jose Plans 2008-02-27 13:41:53 EST 
Created attachment 296104 [details]
pam_krb5-novalidate_on_cpw.patch <pbatkowski@redhat.com>
Comment 12 errata-xmlrpc 2008-08-04 18:52:16 EDT 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0813.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.