Bug 435168 - User cannot authenticate if the password has been expired and option validate is used.
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2008-02-27 13:38 EST by Jose Plans
Modified: 2010-10-22 18:50 EDT

Doc Type: Bug Fix
Last Closed: 2008-08-04 18:52:16 EDT

Attachments
pam_krb5-novalidate_on_cpw.patch <pbatkowski@redhat.com> (2.81 KB, patch), 2008-02-27 13:41 EST, Jose Plans, no flags

Description Jose Plans 2008-02-27 13:38:16 EST
Description of problem:

(Description from customer)
The option "validate" is used for pam_krb5's auth module. When a user logs in
with an expired passwd, pam_krb5 will request a ticket for kadmin/changepw
instead of krbtgt. The ticket from kadmin/changepw can't be used to request a
service ticket for a local host to verify the local host identity. As a result,
the user authentication fails. Turning off "validate" works, but will decrease
security.

The proper behavior should be:
When pam_sm_authenticate requests a ticket for kadmin/changepw, it should not
validate the local host identity. Then it should return PAM_NEW_AUTHTOK_REQD.
When pam_sm_chauthtok is called, it should change the pwd, and use the new pwd
to validate the local host.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1) Build a RHEL 3 U9 box and make sure you are using the latest pam_krb5-1.79-1
package (the behavior also occurs with older versions).

2) Add host key to kdc and add the generated key to the client's keytab file.

addprinc -randkey host/hostname
ktadd -k /etc/krb5.keytab host/hostname

3) Set up system-auth to do the auth and password sections using pam_krb5. Add
the 'validate' option to the auth section of the pam_krb5 module in system-auth.

4) Expire the user's password on the kdc. (modprinc -pwexpire "01/01" user03)

5) Try to log into the client; you will hit the condition at pam_krb5afs.c:2059:

krc = krb5_verify_init_creds(context,
if (krc == KRB5_SUCCESS) {
   INFO("TGT for %s successfully verified", user);
} else {
   /* the quoted line was missing the argument for `%s' */
   CRIT("TGT verification failed for `%s'", user);
}

krb5_verify_init_creds will fail with the password changing credentials and the
user will never be prompted for a password change.

Actual results:
Authentication failure

Expected results:
Authentication succeeds after TGT validation.

Additional info:
Patch attached that fixes the issue, written by Paul Batkowski.
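To make the failure mode concrete, here is an added example that is not pam_krb5 source and not the attached patch: it models the pam_sm_authenticate() decision before and after the change the report asks for. The result of the keytab check (verify_ok) is supplied by the caller, since the real krb5_verify_init_creds() needs a KDC and a host key; everything else follows the report.

```c
#include <string.h>

/* PAM return codes used below; values match Linux-PAM's _pam_types.h */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_AUTHTOK_ERR      20

/* True for credentials issued for the password-changing service
 * ("kadmin/changepw@REALM") instead of the TGS ("krbtgt/REALM@REALM"). */
int is_changepw_creds(const char *server)
{
    const char *at = strchr(server, '@');
    size_t len = at ? (size_t)(at - server) : strlen(server);
    return len == strlen("kadmin/changepw") &&
           strncmp(server, "kadmin/changepw", len) == 0;
}

/* Reported behaviour: pam_sm_authenticate() validates whatever creds came
 * back. verify_ok stands in for krb5_verify_init_creds(); changepw creds
 * cannot fetch a host/<fqdn> ticket, so the check fails before any prompt. */
int authenticate_unpatched(const char *server, int validate, int verify_ok)
{
    int changepw = is_changepw_creds(server);
    if (validate) {
        if (changepw)
            verify_ok = 0;          /* no host ticket with these creds */
        if (!verify_ok)
            return PAM_AUTH_ERR;    /* "TGT verification failed" */
    }
    return changepw ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Behaviour asked for in the report: skip validation for changepw creds
 * and report the expired password; validation moves to chauthtok. */
int authenticate_patched(const char *server, int validate, int verify_ok)
{
    if (is_changepw_creds(server))
        return PAM_NEW_AUTHTOK_REQD;
    if (validate && !verify_ok)
        return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}

/* pam_sm_chauthtok() after the password change: the new password yields
 * a real TGT, so the deferred host validation runs here. */
int chauthtok_patched(int validate, int verify_ok)
{
    return (validate && !verify_ok) ? PAM_AUTHTOK_ERR : PAM_SUCCESS;
}
```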
Comment 1 Jose Plans 2008-02-27 13:41:53 EST
Created attachment 296104
pam_krb5-novalidate_on_cpw.patch <pbatkowski@redhat.com>
Comment 12 errata-xmlrpc 2008-08-04 18:52:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.