Bug 913311 - vlock doesn't perform PAM account management or credential reinitialization
Summary: vlock doesn't perform PAM account management or credential reinitialization
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kbd
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Vitezslav Crhonek
QA Contact: Fedora Extras Quality Assurance
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Depends On:
Blocks: 1032140
 
Reported: 2013-02-20 23:24 UTC by Nalin Dahyabhai
Modified: 2013-12-14 03:44 UTC (History)

Fixed In Version: kbd-1.15.5-12.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1032140 (view as bug list)
Environment:
Last Closed: 2013-12-03 10:34:33 UTC


Attachments
proposed patch (772 bytes, patch) - 2013-11-13 14:14 UTC, Vitezslav Crhonek
tentative patch (2.60 KB, patch) - 2013-11-20 01:12 UTC, Dmitry V. Levin

Description Nalin Dahyabhai 2013-02-20 23:24:54 UTC
Description of problem:
The 'vlock' command no longer performs PAM account management (authorization checking) or credential reinitialization.

Version-Release number of selected component (if applicable):
kbd-1.15.5-3.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. run 'vlock' or 'vlock -a'
  
Actual results:
After checking the user's password, 

Expected results:
After calling pam_authenticate(), vlock should be calling pam_acct_mgmt(), and if that fails, rejecting the unlock attempt.  If it succeeds, it should be calling pam_setcred() with the PAM_REINITIALIZE_CRED flag.

Comment 1 Fedora End Of Life 2013-04-03 17:57:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 2 Vadim Raskhozhev 2013-04-12 18:25:21 UTC
A possible workaround is to create a file /etc/pam.d/vlock with something like

#%PAM-1.0
auth       include      system-auth
account    required     pam_permit.so

(this is taken from vlock-1.3-33.fc18).

Comment 3 Nalin Dahyabhai 2013-04-12 18:32:40 UTC
That'd take care of part of it (as in bug #913309), but without code changes it's not going to detect things like passwords having expired or (depending on how it's done) accounts being locked.
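To make the distinction in comment 3 concrete, the following two `/etc/pam.d/vlock` stacks are an added illustration (not the file shipped by any kbd or vlock package). The first is the workaround from comment 2: its `pam_permit.so` account line makes pam_acct_mgmt() approve every account, so even a vlock that does call it learns nothing about expiry or lockout. The second, an assumed stricter variant, sends the account phase through `system-auth` as well, so the same modules that gate login (pam_unix and friends) can report an expired password or a locked account. Neither file matters while the binary never calls pam_acct_mgmt() at all, which is the point of comment 3.

```text
# Variant 1: the workaround from comment 2. The account phase always succeeds.
#%PAM-1.0
auth       include      system-auth
account    required     pam_permit.so

# Variant 2 (assumed for this illustration): the account phase runs the
# system-auth account modules, so pam_acct_mgmt() can return
# PAM_NEW_AUTHTOK_REQD or PAM_ACCT_EXPIRED instead of always PAM_SUCCESS.
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
```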

Comment 4 Walter Francis 2013-07-02 14:01:29 UTC
vlock on F19 for me just goes nuts saying invalid password when run until the workaround in comment 2, and now it works as expected for me, at least in the case of "Normal user, valid password, ran vlock, unlocked."  Don't know about the other use cases.

Comment 5 Vitezslav Crhonek 2013-11-13 14:14:28 UTC
Created attachment 823465 [details]
proposed patch

Comment 6 Vitezslav Crhonek 2013-11-13 14:18:00 UTC
Nalin, I'm not familiar with PAM API, would the patch above suffice?

Comment 7 Nalin Dahyabhai 2013-11-13 16:26:42 UTC
The formatting for the error reporting looks a bit weird, but yes, it roughly matches what the old vlock did, and should work for our purposes.

One thing that the PAM docs (pam_acct_mgmt(3)) recommend is calling pam_chauthtok() if pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD and the application has the ability to walk the user through changing their password, but that's less urgent -- the old vlock didn't do that, either.
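The unlock sequence the description asks for (pam_authenticate, then pam_acct_mgmt, reject on failure, then pam_setcred with PAM_REINITIALIZE_CRED), extended with the pam_chauthtok step comment 7 mentions, as an added example that is not vlock's code and not either patch attached to this bug. The PAM primitives sit behind a small `struct pam_ops` table (an assumption of this example) so the control flow can be exercised with a scripted fake backend; `try_unlock`, `run_scenario`, the fake backend and the `VLOCK_WITH_LIBPAM` build macro are all this example's own names. Treating a pam_setcred() failure as "stay locked" is also this example's choice; the bug report does not specify it.

```c
/* Added example, not vlock's code and not a patch from this bug: the
 * authenticate -> acct_mgmt -> (chauthtok) -> setcred sequence, written
 * against a swappable backend. Build against real libpam with
 *   cc -DVLOCK_WITH_LIBPAM unlock_seq.c -lpam
 * Without that define, the Linux-PAM constants used below are reproduced
 * (values from <security/_pam_types.h>) and no libpam symbol is referenced. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef VLOCK_WITH_LIBPAM
#include <security/pam_appl.h>
#else
#define PAM_SUCCESS                 0
#define PAM_PERM_DENIED             6
#define PAM_AUTH_ERR                7
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_ACCT_EXPIRED           13
#define PAM_REINITIALIZE_CRED      0x0008
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020
typedef struct pam_handle pam_handle_t;
#endif

/* The four PAM primitives the unlock path needs (assumed abstraction). */
struct pam_ops {
    int (*authenticate)(pam_handle_t *pamh, int flags);
    int (*acct_mgmt)(pam_handle_t *pamh, int flags);
    int (*chauthtok)(pam_handle_t *pamh, int flags);
    int (*setcred)(pam_handle_t *pamh, int flags);
};

enum unlock_result { UNLOCK_OK /* only this value may unlock */, UNLOCK_BAD_PASSWORD,
                     UNLOCK_ACCOUNT_DENIED, UNLOCK_PASSWORD_CHANGE_FAILED, UNLOCK_CRED_FAILED };

/* Full sequence: password check, then account check, then credential refresh. */
enum unlock_result try_unlock(const struct pam_ops *ops, pam_handle_t *pamh,
                              int allow_password_change)
{
    int rc = ops->authenticate(pamh, 0);
    if (rc != PAM_SUCCESS)
        return UNLOCK_BAD_PASSWORD;

    rc = ops->acct_mgmt(pamh, 0);          /* the call the reported vlock skipped */
    if (rc == PAM_NEW_AUTHTOK_REQD) {
        /* pam_acct_mgmt(3): walk the user through a password change if the
         * application can; otherwise the expired password counts as a denial. */
        if (!allow_password_change)
            return UNLOCK_ACCOUNT_DENIED;
        if (ops->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) != PAM_SUCCESS)
            return UNLOCK_PASSWORD_CHANGE_FAILED;
    } else if (rc != PAM_SUCCESS) {
        return UNLOCK_ACCOUNT_DENIED;      /* e.g. PAM_ACCT_EXPIRED, PAM_PERM_DENIED */
    }

    /* Credentials (e.g. a Kerberos ccache) are refreshed only after both checks pass. */
    if (ops->setcred(pamh, PAM_REINITIALIZE_CRED) != PAM_SUCCESS)
        return UNLOCK_CRED_FAILED;         /* policy choice of this example */
    return UNLOCK_OK;
}

#ifdef VLOCK_WITH_LIBPAM
/* Real backend: the libpam entry points have exactly these signatures. */
const struct pam_ops libpam_ops = { pam_authenticate, pam_acct_mgmt, pam_chauthtok, pam_setcred };
#endif

/* Scripted fake backend (constructed for this example) that records what was called. */
static struct { int auth_rc, acct_rc, chauthtok_rc, setcred_rc;
                int chauthtok_calls, setcred_calls, last_setcred_flags; } fake;
static int fake_authenticate(pam_handle_t *h, int f) { (void)h; (void)f; return fake.auth_rc; }
static int fake_acct_mgmt(pam_handle_t *h, int f)    { (void)h; (void)f; return fake.acct_rc; }
static int fake_chauthtok(pam_handle_t *h, int f)    { (void)h; (void)f; fake.chauthtok_calls++; return fake.chauthtok_rc; }
static int fake_setcred(pam_handle_t *h, int f)      { (void)h; fake.setcred_calls++; fake.last_setcred_flags = f; return fake.setcred_rc; }
const struct pam_ops fake_ops = { fake_authenticate, fake_acct_mgmt, fake_chauthtok, fake_setcred };

/* Run one scripted scenario through try_unlock() and return its verdict. */
enum unlock_result run_scenario(int auth_rc, int acct_rc, int chauthtok_rc,
                                int setcred_rc, int allow_password_change)
{
    memset(&fake, 0, sizeof fake);
    fake.auth_rc = auth_rc;           fake.acct_rc = acct_rc;
    fake.chauthtok_rc = chauthtok_rc; fake.setcred_rc = setcred_rc;
    return try_unlock(&fake_ops, NULL, allow_password_change);
}
int fake_chauthtok_calls(void)    { return fake.chauthtok_calls; }
int fake_setcred_calls(void)      { return fake.setcred_calls; }
int fake_last_setcred_flags(void) { return fake.last_setcred_flags; }

int main(void)
{
    /* The case from comment 3: correct password, but the account has expired. */
    enum unlock_result r = run_scenario(PAM_SUCCESS, PAM_ACCT_EXPIRED, PAM_SUCCESS, PAM_SUCCESS, 1);
    printf("expired account: %s, pam_setcred() called %d times\n",
           r == UNLOCK_OK ? "unlocked" : "still locked", fake_setcred_calls());
    return 0;
}
```

The fake backend exists only so the ordering rules are checkable: a failed account check must never reach pam_setcred(), an expired password must reach pam_chauthtok() only when the application is prepared to run a password dialogue, and the credential refresh must be requested with PAM_REINITIALIZE_CRED, the flag later settled on in comment 11.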

Comment 8 Dmitry V. Levin 2013-11-20 01:12:08 UTC
Created attachment 826385 [details]
tentative patch

You can test this patch instead.

A word of warning: depending on the authentication scheme, vlock may or may not need extra credentials to do account and password management.

Comment 9 Nalin Dahyabhai 2013-11-20 16:38:06 UTC
It also has the desired effect.  Using PAM_REFRESH_CRED instead of PAM_REINITIALIZE_CRED still triggers the ccache refresh.

Comment 10 Dmitry V. Levin 2013-11-20 16:47:11 UTC
(In reply to Nalin Dahyabhai from comment #9)
> It also has the desired effect.  Using PAM_REFRESH_CRED instead of
> PAM_REINITIALIZE_CRED still triggers the ccache refresh.

The difference between PAM_REFRESH_CRED and PAM_REINITIALIZE_CRED is not documented clearly enough, so authors of various PAM modules interpret these flags as they like.

Would you recommend using PAM_REINITIALIZE_CRED instead?

Comment 11 Nalin Dahyabhai 2013-11-20 20:07:47 UTC
(In reply to Dmitry V. Levin from comment #10)
> (In reply to Nalin Dahyabhai from comment #9)
> > It also has the desired effect.  Using PAM_REFRESH_CRED instead of
> > PAM_REINITIALIZE_CRED still triggers the ccache refresh.
> 
> The difference between PAM_REFRESH_CRED and PAM_REINITIALIZE_CRED is not
> documented clear enough, so authors of various pam modules interpret these
> flags as they like.
> 
> Would you recommend using PAM_REINITIALIZE_CRED instead?

Yes, but mostly because it's what we used in earlier releases.  I don't see much of a practical difference myself.  FWIW a spot-check on the pam_krb5 that we include and Russ's shows that both implementations treat both flags as equivalent.

Comment 12 Fedora Update System 2013-11-27 10:24:38 UTC
kbd-1.15.5-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/kbd-1.15.5-12.fc20

Comment 13 Fedora Update System 2013-11-27 10:54:00 UTC
kbd-1.15.5-9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/kbd-1.15.5-9.fc19

Comment 14 Fedora Update System 2013-11-27 16:11:00 UTC
Package kbd-1.15.5-12.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kbd-1.15.5-12.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22274/kbd-1.15.5-12.fc20
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2013-12-03 10:34:33 UTC
kbd-1.15.5-9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-12-14 03:44:45 UTC
kbd-1.15.5-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

