Created attachment 350079 [details]
Proposed patch

Description of problem:
The fix for bug #402721 has introduced a regression in different graphical tools that deal with authentication, namely kscreensaver, gnome-screensaver, gdm, kdesktop_lock, etc.

Version-Release number of selected component (if applicable):
pam_krb5-2.2.14-10

How reproducible:
100% reproducible

Steps to Reproduce:
1. Set up a client to be authenticated with Kerberos
2. Log into KDE with that user
3. Lock the screen
4. At the Kerberos server, expire the password of the user using kadmin.local
5. Try to unlock the screen at the client

Actual results:
The screensaver says the password has expired. Clicking OK shows another box saying "Cannot unlock the session because the authentication system failed to work. You must kill kdesktop_lock manually". The screen does not unlock.

Expected results:
kscreensaver prompts for changing the password and, upon success, unlocks the screen.

Additional info:
This problem also affects kscreensaver, gnome-screensaver, gdm, kdesktop_lock, etc. in various ways.
- kdm login: asks for the current password once, then for the new password ad infinitum; cannot log in; flag is not reset.
- kdm login with unexpired password: hangs, cannot log in.
- kde unlock: cannot unlock, you must kill kdesktop_lock manually.
- gdm login: asks for the current password twice and the new password twice, logs in and resets the flag correctly.
- gnome unlock: doesn't ask to change the password, unlocks but doesn't reset the flag.

The attached proposed patch makes the change for bug #402721 optional, selectable from the pam service. This would allow a smoother upgrade for packages that rely on libkrb5 for the password change prompt. But such a change would also require a fix/modification in "system-config-authentication", because the pam services need to be adapted depending on the application used.
For example, with the kscreensaver problem, we would need to:
- duplicate "system-auth" as "system-auth-compat"
- add the option "chpw_prompt" to "system-auth-compat" for pam_krb5
- include "system-auth-compat" in place of "system-auth" for apps that rely on libkrb5's prompt-for-password-change-when-getting-initial-creds

Note: It seems other pam_krb5 implementations may have chosen a similar approach to the problem, see http://git.eyrie.org/?p=kerberos/pam-krb5.git;a=commitdiff;h=cb79a67afb345cb94ceaf95c2c5d58b0b4874422 for Debian's http://www.eyrie.org/~eagle/software/pam-krb5/
Makes perfect sense, and the patch looks good. We can add some additional machinery to the configure script to let the default set of services for which this is enabled be set at build-time and have the .spec file use that. If we have the exact list, that'll be very helpful in building a package with the fix.
Created attachment 350263 [details]
Proposed patch (updated)

Ok, actually, to be able to pass a list of services in krb5.conf, the logic of the parsing needs to be changed slightly to actually parse the list if the option is not set explicitly. So this new patch adds this logic and parses the list of services passed to the option "chpw_prompt" (the additional code is actually similar to the other options that accept a list of services, e.g. "tokens", "use_shmem", "external", "validate", etc.). So please consider this patch in place of the original one.

With that patch, the following option added in krb5.conf in section [appdefaults] pam {...} makes kdm, gdm, kscreensaver, kdesktop-lock and gnome-screensaver behave correctly when the Kerberos password has expired:

    chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver

E.g.:

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver
    }
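The per-service lookup the comment above describes, as an added example that is not code from pam_krb5 or from any of the patches attached to this bug: a small Python reader for the [appdefaults] pam = { ... } block quoted above, plus the decision of whether "chpw_prompt" applies to a given PAM service. It assumes, following what the comment says about "tokens", "external" and the other service-list options, that the option value is either a boolean (applying to every service) or a whitespace-separated list of PAM service names; the krb5.conf text is constructed for the example and the function names are the example's own.

```python
import re

# Constructed sample, modelled on the krb5.conf fragment quoted in the
# comment above; not taken from any real system.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver
    }
"""


def parse_pam_appdefaults(text):
    """Return the key/value pairs inside the [appdefaults] pam = { ... } block.

    Only the flat "key = value" form used in the fragment above is handled;
    this is a deliberately small reader, not a full krb5.conf parser
    (per-service sub-blocks such as kdm = { ... } are ignored).
    """
    section = None
    in_pam = False
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            in_pam = False
            continue
        if section != "appdefaults":
            continue
        if not in_pam:
            if re.match(r"^pam\s*=\s*\{$", line):
                in_pam = True
            continue
        if line == "}":
            in_pam = False
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def option_applies(value, service):
    """Decide whether a service-list option applies to `service`.

    Assumption (not verified against pam_krb5's own parser): the value is
    either a boolean, which applies to every service, or a whitespace-
    separated list of PAM service names. An absent option means "off",
    which is the default the comment above describes for chpw_prompt.
    """
    if value is None:
        return False
    v = value.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    return service in value.split()


def chpw_prompt_enabled(conf_text, service):
    """True if `service` should get the old libkrb5 password-change prompt."""
    opts = parse_pam_appdefaults(conf_text)
    return option_applies(opts.get("chpw_prompt"), service)


if __name__ == "__main__":
    for svc in ("gdm", "kcheckpass", "sshd", "login"):
        print(f"{svc:12s} chpw_prompt={chpw_prompt_enabled(SAMPLE_KRB5_CONF, svc)}")
```

The service name compared here is the one the application passed to pam_start(), which is why the list in the comment names kcheckpass rather than kdm: the process that actually runs the PAM conversation for the KDE lock screen is kcheckpass. Services not listed (sshd, login in the usage call) keep the PAM-compliant behaviour introduced by the fix for bug #402721.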
Event posted on 07-31-2009 05:48am EDT by spoyarek

vlock seems to be affected by this as well. Fixed with the patch.

This event sent from IssueTracker by spoyarek
issue 312727
Created attachment 359512 [details]
Proposed patch (updated)

To allow chaining PAM modules, PAM_AUTHTOK needs to be updated if the password is changed. Attaching a new patch that additionally updates PAM_AUTHTOK and PAM_OLDAUTHTOK for other PAM modules to work when the password was changed. This patch is based on our customer's own patch.
Created attachment 361721 [details]
proposed patch

Tweaks Olivier's patch to only set PAM_AUTHTOK (PAM_OLDAUTHTOK is only used when PAM's doing password-changing, so we don't need to bother with it) and to expand on the documentation.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0258.html