Red Hat Bugzilla – Bug 715073
Smart card login with Kerberos credential: passwd command to change the kerberos password requests smart card PIN.
Last modified: 2012-10-12 04:22:55 EDT
Description of problem:
Smart card login with Kerberos credential: the passwd command to change the Kerberos password always requests the smart card PIN.

Version-Release number of selected component (if applicable):
RHEL 5.7: pam_krb5-2.2.14-21.el5, authconfig-5.3.21-7.el5, pam_pkcs11-0.5.3-23

How reproducible:

Steps to Reproduce:
1. The user is not in the /etc/passwd file; authentication is configured with the user database on an LDAP server, Kerberos support is enabled, the KDC information is provided and smart card support is enabled.
2. Log in to the desktop with an enrolled smart card.
3. The Kerberos credential is issued successfully.
4. Try to change the Kerberos password using the "passwd" command.
5.
$ passwd
Changing password for user testkdcuser.
Kerberos 5 Password:
PIN for TestUserKDC:
New kerberos password:
Retype new kerberos password:
passwd: all authentication tokens updated successfully.

Actual results:
The smart card PIN is requested after providing a correct Kerberos password. Entering a correct or a wrong PIN will let the password change succeed.

Expected results:
The smart card PIN should not be requested when a correct Kerberos password is entered. There should be a way to configure /etc/pam.d/system to request the smart card PIN only when the Kerberos password is incorrect.

Additional info:
[testkdcuser@dhcp231-57 ~]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth

[testkdcuser@dhcp231-57 ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password optional pam_pkcs11.so
password requisite pam_cracklib.so try_first_pass retry=3 type=kerberos
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so
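As an added illustration that is not part of the bug report, the hypothetical simulator below walks the reporter's password stack with the documented Linux-PAM control-flag semantics. It shows that the return value of an `optional` module such as pam_pkcs11.so cannot change the stack's outcome, which is consistent with the report that a correct or a wrong PIN both let the change succeed; the module return values fed to it are constructed, and it models the documented rules rather than libpam's own code.

```python
"""Hypothetical Linux-PAM stack simulator written for this page: it applies the
documented control semantics (required/requisite/sufficient/optional and the
[value=action] form) to a stack copied from the bug's /etc/pam.d/system-auth."""
import re

# The reporter's password stack, copied verbatim from the page.
PASSWORD_STACK = """
password optional pam_pkcs11.so
password requisite pam_cracklib.so try_first_pass retry=3 type=kerberos
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
"""

# Classic keywords expressed as the equivalent [value=action] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_stack(text):
    """Return [(module, action_table), ...] for one management group."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            ctrl, module = m.groups()
            table = (dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
                     if ctrl.startswith("[") else KEYWORDS[ctrl])
            entries.append((module, table))
    return entries

def run_stack(entries, outcomes):
    """outcomes maps module -> PAM return value (constructed); returns (result, trace)."""
    trace, result, i = [], None, 0
    while i < len(entries):
        module, table = entries[i]
        rv = outcomes.get(module, "ignore")
        action = table.get(rv, table["default"])
        trace.append(f"{module}: {rv} -> {action}")
        i += 1
        if action.isdigit():                 # jump N modules, otherwise acts as "ok"
            i, action = i + int(action), "ok"
        if action != "ignore" and result in (None, "success"):
            result = rv                      # first failure sticks; success can be overridden
        if action in ("done", "die"):        # stop walking the stack
            break
    return (result if result not in (None, "ignore") else "perm_denied"), trace
```

Feeding it the reported situation (pam_pkcs11.so failing on a wrong PIN, pam_unix.so not knowing the user, pam_krb5.so succeeding) yields success after four modules, and the pam_pkcs11.so line in the trace reads `auth_err -> ignore`.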
If you enter the correct password, that shouldn't be happening. Please attach the debug log.
/var/log/secure messages when a correct Kerberos password and an incorrect smart card PIN are entered:

Jun 21 16:03:44 dhcp231-57 passwd: pam_krb5[5513]: authenticating 'testkdcuser@EXAMPLE.COM' to 'kadmin/changepw@EXAMPLE.COM'
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: krb5_get_init_creds_password(kadmin/changepw@EXAMPLE.COM) returned 0 (Success)
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: Got 0 (Success) acquiring credentials for kadmin/changepw.
Jun 21 16:04:02 dhcp231-57 passwd: pam_krb5[5513]: pam_chauthtok (preliminary check) returning 0 (Success)
Jun 21 16:05:47 dhcp231-57 passwd: pam_unix(passwd:chauthtok): user "testkdcuser" does not exist in /etc/passwd
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: configured realm 'EXAMPLE.COM'
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flags: forwardable
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no ignore_afs
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: user_check
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: use_authtok
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no krb4_convert
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: krb4_convert_524
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: krb4_use_as_req
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will try previously set password first
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will ask for a password if that fails
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: will let libkrb5 ask questions
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no use_shmem
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no external
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: no multiple_ccaches
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: validate
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: flag: warn
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: ticket lifetime: 1860
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: renewable lifetime: 0
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: banner: Kerberos 5
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: ccache dir: /tmp
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: keytab: FILE:/etc/krb5.keytab
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: password changed for testkdcuser@EXAMPLE.COM
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: obtaining credentials using new password for 'testkdcuser@EXAMPLE.COM'
Jun 21 16:05:47 dhcp231-57 passwd: pam_krb5[5513]: authenticating 'testkdcuser@EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: validating credentials
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: error reading keytab 'FILE:/etc/krb5.keytab'
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: TGT verified
Jun 21 16:05:48 dhcp231-57 passwd: pam_krb5[5513]: pam_chauthtok (updating authtok) returning 0 (Success)
Created attachment 506088: proposed patch, not well-tested
Zbysek, yes, this will be tested in RHEL-5.8.
Tested changing the password for a Kerberos user logged in with a smart card.

PAM configuration:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password optional pam_pkcs11.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so

The Kerberos password changed successfully when the old and new Kerberos passwords were entered correctly. No mention of the smart card PIN.

$ passwd
Changing password for user kdcuser.
Cannot change the password on your smart card.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

When an incorrect Kerberos password is entered, authentication falls through to LDAP auth; when the old and new LDAP passwords are entered, the LDAP password is changed successfully.

sh-3.2$ passwd
Changing password for user kdcuser.
Cannot change the password on your smart card.
Kerberos 5 Password:
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for kdcuser
passwd: all authentication tokens updated successfully.

Marking the bug verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0246.html