Bug 509092 - pam_krb5 update breaks graphical apps (gnome and kde)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam_krb5
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Keywords: Patch, Regression
Blocks: 5.5TechNotes-Updates
Reported: 2009-07-01 06:21 EDT by Olivier Fourdan
Modified: 2013-03-03 21:48 EST
Fixed In Version: pam_krb5-2.2.14-15
Doc Type: Bug Fix
Doc Text:
Certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior.
Last Closed: 2010-03-30 04:33:16 EDT

Attachments
Proposed patch (3.45 KB, patch)
2009-07-01 06:21 EDT, Olivier Fourdan
Proposed patch (updated) (3.74 KB, patch)
2009-07-02 07:12 EDT, Olivier Fourdan
Proposed patch (updated) (4.37 KB, patch)
2009-09-02 08:08 EDT, Olivier Fourdan
proposed patch (6.77 KB, patch)
2009-09-18 18:11 EDT, Nalin Dahyabhai

Description Olivier Fourdan 2009-07-01 06:21:08 EDT
Created attachment 350079
Proposed patch

Description of problem:

The fix for bug #402721 has introduced a regression in different graphical tools that deal with authentication, namely kscreensaver, gnome-screensaver, gdm, kdesktop_lock, etc.

Version-Release number of selected component (if applicable):

pam_krb5-2.2.14-10

How reproducible:

100% reproducible

Steps to Reproduce:

1. Set up a client to be authenticated with kerberos
2. Login into KDE with that user
3. Lock screen
4. At Krb server, expire the password of the user using kadmin.local
5. try to unlock screen at client
  
Actual results:

Screensaver tells the password has expired. 

Clicking on OK shows another box saying "Cannot unlock the session because the authentication system failed to work. You must kill kdesktop_lock manually". 

The screen does not unlock.

Expected results:

kscreensaver prompts for changing the password and, upon success, unlocks the screen.

Additional info:

This problem also affects kscreensaver, gnome-screensaver, gdm, kdesktop_lock, etc. in various ways.

- kdm login: ask for current passwd once, new passwd at infinity, cannot log in, flag is not reset.
- kdm login with unexpired password: hang, cannot log in.
- kde unlock: cannot unlock, you must kill kdesktop_lock manually.
- gdm login: ask for current passwd twice, new passwd twice, log in and reset flag correctly.
- gnome unlock: doesn't ask to change passwd, unlock but doesn't reset flag.

The attached proposed patch makes the change for bug #402721 optional, selectable from the PAM service. This would allow for a smoother upgrade for packages that rely on libkrb5 for the password change prompt.

But such a change would also require a fix/modification in "system-config-authentication" because the pam services need to be adapted depending on the application used.

For example, with the kscreensaver problem, we would need to:

- duplicate "system-auth" as "system-auth-compat"
- add the option "chpw_prompt" to "system-auth-compat" for pam_krb5
- include "system-auth-compat" in place of "system-auth" for apps that rely on libkrb5's prompt-for-password-change-when-getting-initial-creds

Note: It seems other pam_krb5 implementations may have chosen a similar approach to the problem, see http://git.eyrie.org/?p=kerberos/pam-krb5.git;a=commitdiff;h=cb79a67afb345cb94ceaf95c2c5d58b0b4874422 for Debian's http://www.eyrie.org/~eagle/software/pam-krb5/
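The three-step service split described in this report (duplicate system-auth, add chpw_prompt to the pam_krb5 line in the copy, point the affected service at the copy), as an added example that is not part of the bug report or of the pam_krb5 package. The function names and the sample pam.d files are constructed for illustration; only the chpw_prompt option and the system-auth-compat / kscreensaver names come from the report. It runs on a scratch copy of pam.d so it can be tried offline:

```shell
#!/bin/sh
# Added example (not from the bug report): build a "system-auth-compat" stack
# with pam_krb5's chpw_prompt option and switch one service over to it.
# PAMDIR defaults to a constructed scratch directory; set PAMDIR=/etc/pam.d
# to apply the change to a real RHEL 5 host.

make_compat_stack() {
  # $1: pam.d directory.  Copies system-auth to system-auth-compat and appends
  # "chpw_prompt" to each pam_krb5.so auth line that does not already carry it.
  # Only the auth phase is touched: that is where pam_krb5 obtains initial
  # credentials and hits the expired-password error.
  sed -e '/^auth[[:space:]].*pam_krb5\.so/{ /chpw_prompt/!s/$/ chpw_prompt/; }' \
      "$1/system-auth" > "$1/system-auth-compat"
}

use_compat_stack() {
  # $1: pam.d directory, $2: service name (e.g. kscreensaver).  Rewrites every
  # "include system-auth" line of that service to "include system-auth-compat".
  # Written via a temp file so it works without GNU sed -i.
  tmp="$1/$2.tmp.$$"
  sed -e 's/\(include[[:space:]][[:space:]]*\)system-auth$/\1system-auth-compat/' \
      "$1/$2" > "$tmp" && mv "$tmp" "$1/$2"
}

setup_sample_pamdir() {
  # Constructed RHEL 5 style system-auth and kscreensaver files (hypothetical
  # contents, not copied from a real host).  Prints the directory it created.
  d=$(mktemp -d)
  cat > "$d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
EOF
  cat > "$d/kscreensaver" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
EOF
  printf '%s\n' "$d"
}

PAMDIR=${PAMDIR:-$(setup_sample_pamdir)}
make_compat_stack "$PAMDIR"
use_compat_stack "$PAMDIR" kscreensaver
echo "== $PAMDIR/system-auth-compat (pam_krb5 lines) =="
grep 'pam_krb5' "$PAMDIR/system-auth-compat"
echo "== $PAMDIR/kscreensaver =="
cat "$PAMDIR/kscreensaver"
```

Services that already implement the PAM conversation correctly keep including the unmodified system-auth, so the relaxed behaviour is limited to the applications that need it. Re-running make_compat_stack is safe: it regenerates the copy from system-auth each time and never appends chpw_prompt twice.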
Comment 2 Nalin Dahyabhai 2009-07-01 11:40:39 EDT
Makes perfect sense, and the patch looks good.  We can add some additional machinery to the configure script to let the default set of services for which this is enabled be set at build-time and have the .spec file use that.  If we have the exact list, that'll be very helpful in building a package with the fix.
Comment 4 Olivier Fourdan 2009-07-02 07:12:36 EDT
Created attachment 350263
Proposed patch (updated)

Ok, actually, to be able to pass a list of services in krb5.conf, the logic of the parsing needs to be changed slightly to actually parse the list if the option is not set explicitly.

So this new patch adds this logic and parses the list of services passed to the option "chpw_prompt" (the additional code is actually similar to the other options that accept a list of services, e.g. "tokens", "use_shmem", "external", "validate", etc.).

So please consider this patch in place of the original one.

With that patch, the following option added in krb5.conf in the section [appdefaults] pam {...} makes kdm, gdm, kscreensaver, kdesktop-lock and gnome-screensaver behave correctly when the Kerberos password has expired:

   chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver

E.g:

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
   chpw_prompt = kcheckpass kscreensaver gdm gnome-screensaver
 }
Comment 5 Issue Tracker 2009-07-31 05:48:38 EDT
Event posted on 07-31-2009 05:48am EDT by spoyarek

vlock seems to be affected by this as well. Fixed with the patch.


This event sent from IssueTracker by spoyarek 
 issue 312727
Comment 6 Olivier Fourdan 2009-09-02 08:08:48 EDT
Created attachment 359512
Proposed patch (updated)

To allow chaining PAM modules, PAM_AUTHTOK needs to be updated if the password is changed.

Attaching a new patch that additionally updates PAM_AUTHTOK and PAM_OLDAUTHTOK for other PAM modules to work when the password was changed.

This patch is based on our customer's own patch.
Comment 9 Nalin Dahyabhai 2009-09-18 18:11:49 EDT
Created attachment 361721
proposed patch

Tweaks Olivier's patch to only set PAM_AUTHTOK (PAM_OLDAUTHTOK is only used when PAM's doing password-changing, so we don't need to bother with it) and to expand on the documentation.
Comment 15 Nalin Dahyabhai 2010-02-04 18:46:07 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed.  This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications.  If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior.
Comment 18 errata-xmlrpc 2010-03-30 04:33:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0258.html