Description of problem: When running the 'passwd' command, if the password change is denied because it fails to meet policy (in my case, I was attempting to change passwords against a kerberos server - using SSSD, though it should also be the same with pam_krb5 - with a password that did not have sufficient character classes), the password change for the user fails, but the password for the default keyring ('login') is still updated. The reason for this, I suspect, is the pam.d configurations: /etc/pam.d/passwd: auth include system-auth account include system-auth password substack system-auth -password optional pam_gnome_keyring.so /etc/pam.d/system-auth: ... password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so ... In layman's terms, even though pam_unix.so or pam_sss.so may have both returned failure to update the password, the password change operation still falls into the pam_gnome_keyring.so and is updated (assuming that the password at least met with cracklib.so requirements). Version-Release number of selected component (if applicable): gnome-keyring-2.28.2-2.fc12.x86_64 pam-1.1.0-7.fc12.x86_64 How reproducible: Every time Steps to Reproduce: 1. Set up an authentication server with a server-side password policy in place (I was using Kerberos, with a restriction of four or more character classes in place.) 2. Run 'passwd' and attempt to change passwords to something that would pass cracklib, but fail the server-side policy restrictions. (I used a password that only used two character classes - lowercase letters and numbers) 3. The Kerberos server will refuse to update the password, but the gnome-keyring will update to use the new password. This is troublesome, because it's not obvious that this has occurred until the next time a user needs to unlock the 'login' keychain, often only when that user logs on to the system. In some use-cases, this could be days later, and the user may not remember by this time what the new password was. Actual results: The login password provided by the server remains unchanged, but the gnome 'login' keyring is updated, desynchronizing them. Expected results: ideal: The 'login' keyring should remain unchanged if the password has not truly been changed. minimum: The PAM conversation for 'passwd' should always include a notice that the keyring was updated, so that the user will at least know immediately that the gnome-keyring has been changed. Additional info:
pam_gnome_keyring should support use_authtok option which would make it to never prompt for password. The previous modules in the password stack will/should clean up the relevant pam items (PAM_OLDAUTHTOK, PAM_AUTHTOK) on failure.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Could someone please take a look at this issue? It's fairly serious and can easily result in a user being unable to access their login keyring.
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping