Bug 700520 - SSO: Smart card pin is requested twice for a 'passwd' command.
Summary: SSO: Smart card pin is requested twice for a 'passwd' command.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_krb5
Version: 6.1
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-04-28 15:15 UTC by Asha Akkiangady
Modified: 2011-12-06 17:35 UTC (History)

Fixed In Version: pam_krb5-2.3.11-9.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 17:35:45 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1704 0 normal SHIPPED_LIVE pam_krb5 bug fix update 2011-12-06 01:02:31 UTC

Description Asha Akkiangady 2011-04-28 15:15:48 UTC
Description of problem:
Logged in with a smart card using Kerberos authentication. Executing 'passwd' requests the smart card PIN twice.

Version-Release number of selected component (if applicable):
RHEL 6.1, pam_krb5-2.3.11-6.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Log in with a smart card with Kerberos authentication.
2. Kerberos credentials are issued successfully.
3. Execute a 'passwd' command.
4. Provide an incorrect UNIX password.
5. The smart card PIN is requested. Enter the correct PIN.

Actual results:
6. The smart card PIN is requested again.
7. Provide the correct PIN; the new password is requested.
8. Enter the passwords; the Kerberos password is changed successfully.

[ashatest@dhcp231-62 ~]$ passwd
Changing password for user ashatest.
Changing password for ashatest.
(current) UNIX password: 
Asha PIN: 
Asha PIN: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Expected results:
Upon entering the correct PIN, the smart card PIN should not be requested again.

Additional info:

# cat /etc/pam.d/passwd
#%PAM-1.0
auth       include	system-auth
account    include	system-auth
password   substack	system-auth
-password   optional	pam_gnome_keyring.so

# cat  /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so



# cat  /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so



# cat /etc/pam_pkcs11/pam_pkcs11.conf
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito>
#
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = false; 

  # If the smart card is inserted, only use it
  card_only = true;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = coolkey;

  screen_savers = gnome-screensaver,xscreensaver,kscreensaver

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    description = "Cool Key"
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
    nss_dir = /etc/pki/nssdb;
  
    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "ocsp_on"     Turn on OCSP.
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    cert_policy =ca, signature;
  }

  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
  
    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;
  
    # Sets the Certificate Policy, (see above)
    cert_policy=ca, signature;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy=ca, signature;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used, the null mapper should be the last in the list :-)
  # Also, you should select at least one mapper, otherwise the
  # certificate will not match :-)
  use_mappers = cn, uid, pwent, null;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is still not functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = /usr/$LIB/pam_pkcs11;

  # 
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        module = /usr/$LIB/pam_pkcs11/generic_mapper.so;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item  = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/pam_pkcs11/generic_mapping
        # Decide if use getpwent() to map login
        use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
	module = internal;
	ignorecase = false;
	mapfile = file:///etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
	debug = false;
	ignorecase = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper: used when the user found matches NULL or "nobody"
  mapper null {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/null_mapper.so;
	module = internal ;
	# select behavior: always match, or always fail
	default_match = false;
	# on match, select returned user
        default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
	# where base directory resides
	basedir = /etc/pam_pkcs11/mapdir;
	# hostname of ldap server
        ldaphost = "localhost";
	# Port on ldap server to connect
        ldapport = 389;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
	# DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=pam,o=example,c=com";
	# Password for above DN
        passwd = "test";
	# Searchbase for user entries
        base = "ou=People,o=example,c=com";
	# Attribute of user entry which contains the certificate
        attribute = "userCertificate";
	# Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))"
  }

  # Assume common name (CN) to be the login
  mapper cn {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
	ignorecase = true;
	mapfile = file:///etc/pam_pkcs11/cn_map;
  }

  # mail -  Compare email field from certificate
  mapper mail {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
	# Declare mapfile or
	# leave empty "" or "none" to use no map 
	mapfile = file:///etc/pam_pkcs11/mail_mapping;
	# Some certs store email in uppercase. take care on this
	ignorecase = true;
	# Also check that host matches mx domain
	# when using mapfile this feature is ignored
	ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
	ignorecase = false;
	ignoredomain = false;
	domain = "domain.com";
  }

  # krb  - Compare against Kerberos Principal Name
  mapper krb {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # uid  - Maps the Subject Unique Identifier field (if it exists) to login
  mapper uid {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
	# algorithm used to evaluate certificate digest
        # Select one of:
	# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
	algorithm = "sha1";
	mapfile = file:///etc/pam_pkcs11/digest_mapping;
	# mapfile = "none";
  }

}

Comment 2 Asha Akkiangady 2011-04-29 15:36:33 UTC
Tested 'passwd' with a user not in the /etc/passwd file; authentication is configured with the user database on an LDAP server and the authentication method set to Kerberos password.

Login to the desktop with a smart card is successful and a Kerberos credential is issued.

Executing the 'passwd' command requests the Kerberos password. After entering a correct Kerberos password, it still asks for the smart card PIN. Providing an incorrect smart card PIN and the new passwords, the Kerberos password is changed successfully.

Expected behavior: It should not ask for the smart card PIN when a correct Kerberos password is entered.

Comment 5 Zbysek MRAZ 2011-10-03 12:49:18 UTC
Hello Asha, would you please test this bug with pam_krb5-2.3.11-8.el6?

Comment 6 Asha Akkiangady 2011-10-03 14:10:08 UTC
Zbysek, yes, I will be verifying this bug.

Comment 8 Zbysek MRAZ 2011-10-11 12:51:39 UTC
Package version pam_krb5-2.3.11-8.el6 passed all sanity, regression and bug testing and is sane for release. No respin planned. Marking SanityOnly as the source code contains the patch and the spec is applying it.

Comment 9 Asha Akkiangady 2011-10-31 21:00:19 UTC
Tested on a RHEL 6.2 desktop with pam_krb5-2.3.11-8.el6: a user not in the /etc/passwd file can log in to the desktop successfully with a smart card when authentication is configured with the user database on an LDAP server, the authentication method set to Kerberos password, and smart card login enabled. Kerberos credentials are issued successfully.

Executing "passwd" shows the same problem described in comment #2. When a correct Kerberos password is entered, the smart card PIN is requested. Upon entering a wrong smart card PIN and the matching new passwords, the Kerberos password is changed successfully to the new one.
Expected behavior: When a correct Kerberos password is entered, the smart card PIN should not be requested.

$ klist
Ticket cache: FILE:/tmp/krb5cc_511_ZFLmLa
Default principal: usernonhome.REDHAT.COM

Valid starting     Expires            Service principal
10/31/11 16:59:18  11/01/11 16:59:18  krbtgt/DSDEV.SJC.REDHAT.COM.REDHAT.COM
	renew until 11/01/11 16:59:33

$ passwd
Changing password for user usernonhome.
Kerberos 5 Password: 
TestUserKDC PIN: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Marking the bug status ASSIGNED.

Comment 11 Asha Akkiangady 2011-11-01 16:56:39 UTC
Tested the following scenarios on a RHEL 6.2 x86_64 desktop, with pam_krb5-2.3.11-9.el6:

1. A Kerberos user logged in with a smart card changing the Kerberos password:

a. Entering the correct current Kerberos 5 password changes the Kerberos password successfully.
$ passwd
Changing password for user usernonhome.
Kerberos 5 Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

b. An incorrect Kerberos 5 password throws an error and does not change the password.

$ passwd
Changing password for user usernonhome.
Kerberos 5 Password: 
passwd: Authentication token manipulation error

Before this fix (pam_krb5-2.3.11-9.el6), when a wrong current Kerberos password was entered, a smart card PIN was requested; providing the correct smart card PIN and the new Kerberos passwords changed the Kerberos password successfully.

Discussed this issue with Nalin; going forward, the Kerberos password change will request only the current Kerberos password and not request a smart card PIN. Also, kpasswd behaves the same way, and the goal is to do pretty much what it does.

=========================================================
2. A local user logged in with a smart card changing the UNIX password:
a. A correct current UNIX password
$ passwd
Changing password for user aakkiang.
Changing password for aakkiang.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

b. An incorrect UNIX password (no Kerberos Authentication set-up).
$ passwd
Changing password for user aakkiang.
Changing password for aakkiang.
(current) UNIX password: 
passwd: Authentication token manipulation error

================================================================
3. A local user logged in with a password changing the UNIX password:

a. A correct current UNIX password
$ passwd
Changing password for user localuser3.
Changing password for localuser3.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

b. An incorrect UNIX password (no Kerberos Authentication set-up).
$ passwd
Changing password for user localuser3.
Changing password for localuser3.
(current) UNIX password: 
passwd: Authentication token manipulation error

================================================================

Marking the bug verified.

Comment 12 errata-xmlrpc 2011-12-06 17:35:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1704.html

