Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 509092

Summary: pam_krb5 update breaks graphical apps (gnome and kde)
Product: Red Hat Enterprise Linux 5 Reporter: Olivier Fourdan <ofourdan>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: cward, kem, maarten, rlerch, syeghiay, tao
Target Milestone: rcKeywords: Patch, Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam_krb5-2.2.14-15 Doc Type: Bug Fix
Doc Text:
Certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-30 08:33:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 541103    
Attachments:
Description Flags
Proposed patch
none
Proposed patch (updated)
none
Proposed patch (updated)
none
proposed patch none

Description Olivier Fourdan 2009-07-01 10:21:08 UTC 
Created attachment 350079 [details]
Proposed patch

Description of problem:

The fix for bug #402721 has introduced a regression in different graphical tools that deal with authentication, namely kscreensaver, gnome-screensaver. gdm, kdesktop_lock, etc.

Version-Release number of selected component (if applicable):

pam_krb5-2.2.14-10

How reproducible:

100% reproducible

Steps to Reproduce:

1. Set up a client to be authenticated with kerberos
2. Login into KDE with that user
3. Lock screen
4. At Krb server, expire the password of the user using kadmin.local
5. try to unlock screen at client
  
Actual results:

Screensaver tells the password has expired. 

Clicking on OK shows another box saying "Cannot unlock the session because the authentication system failed to work. You must kill kdesktop_lock manually". 

The screen does not unlock.

Expected results:

kscreensaver prompts for changing the password and upon success, unlock the screen.

Additional info:

This problem also affects kscreensaver, gnome-screensaver. gdm, kdesktop_lock, etc. in various ways.

- kdm login: ask for current passwd once, new passwd at infinity, cannot log in, flag is not reset.
- kdm login with unexpired password: hang, cannot log in.
- kde unlock: cannot unlock, you must kill kdesktop_lock manually.
- gdm login: ask for current passwd twice, new passwd twice, log in and reset flag correctly.
- gnome unlock: doesn't ask to change passwd, unlock but doesn't reset flag.

The attached proposed patch makes the change for bug #402721 optional, selectable from the pam service. This would allow for a smoother upgrade for package that rely on libkrb5 for the password change prompt.

But such a change would also require a fix/modification in "system-config-authentication" because the pam services need to be adapted depending on the application used.

For example, with the kscreensaver problem, we would need to:

- duplicate "system-auth" as "system-auth-compat"
- add the option "chpw_prompt" to "system-auth-compat" for pam_krb5
- include "system-auth-compat" in place of "system-auth" for apps that rely on libkrb5's prompt-for-password-change-when-getting-initial-creds

Note: It seems other pam_krb5 implementations may have chosen a similar approach to the problem, see http://git.eyrie.org/?p=kerberos/pam-krb5.git;a=commitdiff;h=cb79a67afb345cb94ceaf95c2c5d58b0b4874422 for Debian's http://www.eyrie.org/~eagle/software/pam-krb5/
Comment 2 Nalin Dahyabhai 2009-07-01 15:40:39 UTC 
Makes perfect sense, and the patch looks good.  We can add some additional machinery to the configure script to let the default set of services for which this is enabled be set at build-time and have the .spec file use that.  If we have the exact list, that'll be very helpful in building a package with the fix.
Comment 4 Olivier Fourdan 2009-07-02 11:12:36 UTC 
Created attachment 350263 [details]
Proposed patch (updated)

Ok, actually, to be able to pass a list of services in krb5.conf, the logic of the parsing needs to be changed slightly to actually parse the list if the option is not set explicitly.

So this new patch add this logic, parse the list of services passed to the option "chpw_prompt" (the additional code is actually similar to the other options that accept a list of services, e.g. "tokens", "use_shmem", "external", "validate", etc.).

So please consider this patch in place of the original one.

With that patch, the following option added in krb5.conf in section [appdefaults] pam {...} make kdm, gdm, kscreensaver, kdesktop-lock and gnome-screensaver behave correctly when the kerberos password as expired:

   chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver

E.g:

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver
 }
Comment 5 Issue Tracker 2009-07-31 09:48:38 UTC 
Event posted on 07-31-2009 05:48am EDT by spoyarek

vlock seems to be affected by this as well. Fixed with the patch.


This event sent from IssueTracker by spoyarek 
 issue 312727
Comment 6 Olivier Fourdan 2009-09-02 12:08:48 UTC 
Created attachment 359512 [details]
Proposed patch (updated)

To allow chaining PAM modules, PAM_AUTHTOK needs to be updated if the password is changed.

Attaching a new patch that additionally updates PAM_AUTHTOK and PAM_OLDAUTHTOK for other PAM module to work when the password was changed.

This patch is based on our customer's own patch.
Comment 9 Nalin Dahyabhai 2009-09-18 22:11:49 UTC 
Created attachment 361721 [details]
proposed patch

Tweaks Olivier's patch to only set PAM_AUTHTOK (PAM_OLDAUTHTOK is only used when PAM's doing password-changing, so we don't need to bother with it) and to expand on the documentation.
Comment 15 Nalin Dahyabhai 2010-02-04 23:46:07 UTC 
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed.  This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications.  If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior.
Comment 18 errata-xmlrpc 2010-03-30 08:33:16 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0258.html